Revised DFS Cyber Regulation is Out


New York State’s Department of Financial Services (DFS) has just released its revised first-in-nation proposed cybersecurity regulation.  In formulating the revised proposal, DFS took into account the more than 150 comments it received with regard to its original proposal, which was released in September 2016.  Although the new proposal maintains many of the requirements of the initial proposal, such as the requirements for a Cybersecurity Program, a written Cybersecurity Policy, and the designation of an individual responsible for the program’s implementation and oversight, the new proposal differs in a number of very significant ways, highlighted below:


DFS has retreated from the prescriptive approach it took in its original proposal. Under the new proposal, an entity’s Cybersecurity Program “shall be based on the Covered Entity’s Risk Assessment.”
DFS has deleted the requirements to identify the Covered Nonpublic Information stored by the Covered Entity and to identify its sensitivity.
There is a new requirement to address “asset inventory and device management” in the Cybersecurity Policy, while the requirement to address “capacity and performance planning” has been eliminated.
The Cybersecurity Policy must be approved by a Senior Officer or by the Board of Directors, but the requirement for annual review by the board or a senior officer ...


Urgent Need on ‘Silent’ Cyber Risks

This is an unprecedented time for insurers. As margins associated with conventional lines of coverage continue to tighten, pressure is increasing to offer new forms of coverage to respond to the emerging cyber threats facing insureds in today’s digital economy. At the same time, insurers are compelled to make certain that those risks are effectively excluded from coverage under many other “traditional” policy forms.

Unfortunately for underwriters of both traditional and newer policy forms, emerging cyber threats can be difficult, if not impossible, to predict and factor into underwriting and policy drafting processes. But as we’ve already seen in the context of cyber incidents, today’s unknown cyber threat can become tomorrow’s front-page news and unanticipated limits payout. And if that threat is spread across multiple insureds in an insurer’s coverage portfolio, the bottom-line effect of the aggregated losses could be devastating. Making matters worse, as recently recognized by the Bank of England’s Prudential Regulation Authority (PRA), these “silent” cyber exposures can simultaneously affect multiple lines of coverage (including casualty, marine, aviation and transport), affecting both direct and facultative coverages.

Imagine this scenario:

Company A manufactures components used in the Wi-Fi systems of commercial airliners. Mr. X, a disgruntled employee of Company ...


A Starter Kit for Solving the Cyber Security Problem

Ownership of a company’s cybersecurity is akin to an issue like climate change or eco-preservation: It’s a concern that touches everyone. For cybersecurity, however, universal ownership may not be the best approach to ensure accountability.

Technology is an integral part of the corporate environment, but the responsibility of protecting that interconnectivity doesn’t always fit into neatly defined departments. It’s everyone’s—and no one’s—job until accountability is established. To do so, a company should select a leader with cybersecurity as her mission.

It’s a question that was raised in a recent webinar, “From Ashley Madison to the eBay Hack: Cybersecurity Best Practices”—when it comes to leading the charge on cybersecurity, who’s the right person for the job?

A Fearless Leader

The answer, not surprisingly, isn’t simple. It depends on the company’s size and structure. In a larger company, the role is often filled by a C-suite executive, such as chief privacy officer or chief information security officer (CISO), a board member, or general counsel.

It doesn’t necessarily matter which leader claims ownership—only that someone does, and that the individual responsible seeks appropriate expertise to understand the technical complexities and operational issues at a sufficient level to make sound decisions. What’s most important is that she has the ...


How Much is that Big Data Worth? — Big Data Decisions Impact Business Valuations

As both digital and more traditional companies become more and more dependent on data to compete in today’s information economy, data is starting to have an irrefutable impact on companies’ valuation and reputation. The decisions companies make about how to use data can have an enormous impact on the success of modern enterprises, as well as on their image, their public perception, their competitors, and regulators.

According to recent research, companies must recognize this new reality in which corporate reputations may be negatively impacted by decisions they make concerning data within their control. As companies are incurring significant costs to capitalize on the enormous amounts of data – so-called Big Data – constantly generated by the Internet of Things (IoT), social media platforms, websites, and other sources, they must appreciate that their use, misuse and governance of data can have a direct impact on their goodwill and ultimate valuation.

I.  How Modern Corporate Enterprises are Valued

The calculation of a modern company’s valuation extends beyond the sum of its tangible assets. Goodwill, an important component of any company’s valuation, has no physical component and qualifies as an intangible asset rather than tangible brick and mortar assets. Valuing goodwill is the difference between the purchase ...


Data Valuation: Is Your Big Data Worth Zero or Trillions?

Almost every entity is, or is becoming, a digital enterprise. Today’s information economy mandates nothing less. Entities are making tremendous investments in order to exploit the vast amounts of data – Big Data – that are constantly being generated by the Internet of Things (IoT), social media platforms, websites, and other sources.

As confirmed by a recent Capgemini EMC Big Data report, most business leaders fear that their companies will actually become irrelevant if they fail to maximize the power of information. As companies grow more and more data-driven and data-dependent, new issues arise concerning how information in today’s economy is, or should be, valued.

Information as an Asset

According to Generally Accepted Accounting Principles (GAAP), data has no value. According to Wall Street, however, data is worth trillions. In fact, Alphabet, the parent company of Google, is the most highly valued company in the world. This, without doubt, is not based on its real estate holdings.

Putting a dollar figure on data is challenging under traditional accounting methods for a number of reasons. Accountants classify data as an intangible asset, which implicates various considerations under GAAP. In addition, unlike some other forms of property, the value of information may largely depend on who has ...


How Does Your Cyber Security Measure Up?

The country recently was rocked when three major enterprises encountered cyber “glitches” that were serious enough to take them offline, leading to speculation that perhaps there was something more sinister at play. While contemplating the situation in real time, many enterprises undoubtedly engaged in a quick self-assessment of their own cyber security defenses and readiness and heaved a sigh of relief when the disruptions were reported to be resolved, unrelated, and not caused by malicious outsiders.

But what if it had been different? How well would your company fare in the face of an attempted or successful cyber attack?

Yesterday’s events should serve as a wake-up call for all enterprises to shore up their defenses and formulate their game plan in the event of a cyber security incident.

Here are four of the key factors to consider:

1.  Have you conducted a risk-based security assessment?  The assessment, among other things, should determine if you’ve already been hacked, test your perimeter, and scan for internal and external vulnerabilities.

2.  Have you established and implemented effective employee training and awareness policies and programs?  Studies repeatedly show that employees are at the heart of most security incidents. Employees should be educated about the crucial role they play in ...


Cyberinsurance is a Key Part of a Strong Data Defense Plan

In his article in last month’s issue of MCC, “Learning to Live with Imperfect Security,” my partner Ted Kobus, co-leader of BakerHostetler’s Privacy and Data Protection team, noted that when it comes to data security, being “compromise ready” may be a company’s best defense.

Becoming compromise ready in the context of cybersecurity requires focusing on a variety of issues, including network security, employee training and mobile device management, among other things.

Unfortunately, many companies overlook cyberinsurance when they are developing their cybersecurity plan. Although it is no substitute for appropriate security policies and practices, cyberinsurance that is appropriately tailored to a company’s unique risk profile can be a key component of a cybersecurity defense plan.

What is Cyberinsurance?

Cyberinsurance can provide much-needed tactical and financial support for companies confronted with a security incident. Generally speaking, the cyberpolicy’s first-party coverage applies to costs incurred by the insured when responding to a covered cyber event, while third-party coverage is triggered by claims and demands against the insured arising from a covered incident.

First-party coverage usually can be triggered by a variety of events, including the malicious destruction of data, accidental damage to data, power surges, IT system failure, cyberextortion, viruses and malware. Generally available first-party coverages include ...


6 Issues to Consider if You Want to Monetize Big Data

When discussing how companies can capitalize on Big Data, we often hear about successful use cases that have helped companies achieve various business goals, such as improving sales and efficiencies, strengthening customer relationships, and providing better products and services.  Another way companies can capitalize on Big Data is by monetizing it.

Data Monetization Defined

The Center for Information Systems Research (CISR) at MIT Sloan defines data monetization as “the act of exchanging information-based products or services for legal tender or something of perceived equivalent value.”  In practice, companies generally monetize data by selling it, bartering for something of value, or by building it into other products or services.

Data can be sold as raw data, research data, and predictions. It also can be aggregated in networks or consortiums with other data providers, which can enhance the value of the data for everyone involved.

Some have advised against monetizing data, see, e.g., Never Sell Data, in part because of the associated reputational risks, especially if protected information is not safeguarded.  But because of the immense value that is contained in and can be derived from information, many companies will consider monetization.  When they do, they should keep governance issues in mind.

Considerations Before Monetizing Data

Commercializing data is not ...


Why Information Governance is Like Diet and Exercise

Whenever I’m asked to speak about Information Governance, I tell the audience that InfoGov is a lot like diet and exercise. Everyone talks about how they should do it, but many don’t actually begin until something bad happens and they have no choice but to get started.

But like diet and exercise, InfoGov can be implemented more effectively and efficiently if it’s done proactively, as opposed to in response to a problem like a breach, investigation, or discovery mishap. And like a successful diet or exercise regime, InfoGov is more likely to be successful if the company starts small and builds off its successes.

Start Small

Let’s be frank. The idea of implementing InfoGov policies can be overwhelming. If companies don’t know where to begin, they can default into not beginning at all.

But if the most critical areas are addressed in a piecemeal way, they become much less overwhelming and the project is more salable to decision makers who might otherwise be afraid to get started.

Here are 5 small and manageable steps companies can take to get started on the road to good InfoGov:

1. Control Access to Information

Access to corporate information should be on a need-to-know basis. Make sure that each employee’s access ...


ESI, eDiscovery, InfoGov? What, Exactly, Are You Talking About?

Volumes of data continue to explode from more and more sources. Workforces are becoming increasingly mobile and connected. Companies are in a constant struggle to comply with regulations and litigation demands, while also maximizing the value of their data and minimizing costs and risks.

These present day realities have led to the adoption of confusing buzzwords — Electronically Stored Information (ESI), Electronic Discovery, Information Governance — that are thrown around regularly but may not be fully understood. Let’s take a look at what these terms mean, both individually and in relation to each other, and how companies can best approach the management of their data.

ESI

Generally speaking, ESI is information that is created and stored in digital form. Examples of ESI are emails and attachments, documents stored on a computer, text and voicemail messages, digital photographs, and videos. The sources of ESI are rapidly multiplying, thanks in part to the advent of the Internet of Things (IoT), including wearables (such as fitness trackers, smart watches, smart clothing), telematics in automobiles, and sensors on all sorts of things, including railroad tracks, industrial equipment, and household appliances.

Electronic Discovery

Electronic or ediscovery is the electronic aspect of identifying, collecting and producing ESI in response to a ...


How Startups Can Preempt Big Data Problems By Addressing These 3 Issues Upfront

Success!  You are about to embark on a Big Data project for your startup company.

You’ve identified your business objective, made your business case, and developed a solid strategy.  You’ve even managed to get the right people in place, including highly coveted and skilled data scientists.  But have you thought of everything?  Great technical and business results might not mean very much if your project lands you in court. Confronting these issues before you get started can help to keep you out of hot water and keep your Big Data initiatives on track.

1. Capture and Collection

Depending on where you’re operating, capturing or collecting certain types of data may be subject to various laws and regulations. Methods of collection also may trigger legal issues and disclosure obligations.

2. Storage

Various laws control how long certain types of data can be stored. Simply hanging on to data indefinitely may not be an option. In addition, certain categories of data fall within the purview of various laws and regulations governing storage and security obligations.

3. Disclosure

Disclosures about your intended use of data need to be accurate. Does your disclosure accurately reflect what you’re actually doing today? And how should changes in your Big Data strategy be addressed?

Taking a ...


The Impact of Big Data Decisions on Business Valuations

Companies need to face the new normal whereby corporate reputations suffer after mishaps with data under their control.

Big Data’s undeniable impact on companies’ goodwill and reputation has permeated the landscape of corporate valuation. Recent research confirms that companies need to face the new normal whereby corporate reputations suffer after mishaps with data under their control. Today’s companies must appreciate that their use, misuse and governance of Big Data can have a significant effect on their goodwill and resulting valuation.

Valuation of Modern Corporate Enterprises

In today’s data-driven economy, many organizations’ value is derived from much more than the sum of their tangible assets. Goodwill—which has no physical component—qualifies as an intangible asset, as opposed to tangible assets of the brick and mortar variety. The value of goodwill is the difference between a company’s purchase price and the fair market value of the tangible assets involved in the acquisition.

Reputation, the value of a company’s brand name, customer lists, and positive customer interactions qualify as certain subjective elements of goodwill. There is no time limit to goodwill since it is inextricably linked to a business itself, and it cannot be sold or transferred separate and apart from the entire business.

In the modern corporate environment, ...


The Importance of Governing Big Data within Your Organization

Sources and volumes of data are growing exponentially. Website clicks, social media, sensors, and card swipers are generating massive amounts of data every second. More and more enterprises are beginning to collect and utilize this Big Data for all kinds of purposes, including improved business intelligence, targeted marketing and fraud detection. With so much attention being focused on the adoption of Big Data and analytics, one important question must be asked — Is this data being properly governed, or governed at all?

What is Information Governance?

Gartner defines Information Governance (IG) as “the specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival and deletion of information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.” IG is a program, not a project. Effective IG programs have C-suite support and incorporate input from across the enterprise, including business units, legal, IT, information security, and human resources. IG will reduce costs and risks, improve efficiencies, and protect the enterprise’s most valuable assets — its information and its reputation.

Information Governance for Big Data

All data within an enterprise’s possession or ...


Legal Issues to Consider Before Starting Big Data Projects

We read every day about the myriad of purposes for which enterprises are embarking on Big Data projects. Securing C-suite buy-in and funding may be a significant endeavor, as is implementing an analytic approach to yield results that will achieve the project’s overall goals. In the face of those challenges, the legal and regulatory issues associated with the collection, storage, and use of Big Data may not be top of mind.

They should be.

Unexpected legal problems manifesting down the road can derail any Big Data project. Focus on those issues at the outset is infinitely easier and less expensive than managing them later in a crisis situation arising from a breach or legal violation.

Big Data Collection

The collection of certain types of data raises issues under various laws and regulations. It is critical, therefore, to understand what data is going to be collected and all associated legal obligations.

An obvious example of data that raises special concerns is Protected Health Information (PHI) governed by HIPAA, HITECH and/or various state laws. Personally Identifiable Information (PII) is subject to regulation that may depend on the place of residence of the individuals whose information is at issue. Collection of PII relating to children may implicate ...


“Like It” or Not, Big Data Decisions Affect Business Valuations

Big Data has infiltrated the corporate valuation scene by making its indelible mark on companies’ goodwill and reputation. Recent research confirms that corporate reputations suffer following mishaps involving data within the corporation’s control. Today’s companies must appreciate that their use, misuse and governance of Big Data can have a significant effect on their goodwill and resulting valuation.

How Modern Enterprises Are Valued

In today’s data-driven economy, many organizations’ value is derived from much more than the sum of their tangible assets. As opposed to tangible assets of the brick and mortar variety, goodwill — which has no physical component — qualifies as an intangible asset. The value of goodwill is the difference between a company’s purchase price and the fair market value of the tangible assets involved in the acquisition.

Certain subjective elements of goodwill include reputation, the value of a company’s brand name, customer lists, and positive customer interactions. Goodwill has no expiration date, as it is inextricably linked to a business itself, and it cannot be sold or transferred separate and apart from the entire business.

In its 2010 study on “Intangible Assets and Goodwill,” KPMG identified that most industries typically allocate more than 50% of the purchase price of a business ...



Copyright © 2017 BBBT - All Rights Reserved