
Cyber Risks Dominate Global Business Concerns for Fourth Consecutive Year

 

Cybersecurity threats, including ransomware, data breaches, and IT disruptions, have remained the leading concern for businesses globally and in the U.S. over the past year, as revealed by the Allianz Risk Barometer.

For the fourth year in a row, cyber incidents have ranked as the top global business risk, cited by more than one-third of respondents in the survey. The gap between cyber risks and the next major concern—business interruption—was the largest ever recorded, with a 7% margin.

The findings are based on responses from nearly 4,000 risk management professionals across 106 countries and territories, including risk managers, brokers, CEOs, and insurance experts. Among these, 60% identified data breaches as their primary cyber-related worry, while 57% expressed concerns over attacks on critical infrastructure and physical assets.

Operational resilience has emerged as a priority for business leaders, focusing on maintaining business continuity during cyberattacks and other disruptive events. Business interruption was ranked as the second-biggest global concern, with supply chains facing significant challenges over the past year.

A notable example underscoring the critical nature of IT security was the widespread disruption in July 2024, when a faulty CrowdStrike software update affected millions of Microsoft computer systems worldwide.

“While many organizations strive to implement comprehensive strategies for disaster recovery and business continuity, there remains a concern that contingency plans themselves may be overly dependent on technology, highlighting the need for diverse and adaptable solutions,” said Michael Bruch, global head of risk advisory services at Allianz Commercial, in the report.

Ransomware continues to be a dominant issue, representing the largest cause of cyber insurance losses. During the first half of 2024, ransomware accounted for 58% of the value of significant cyber insurance claims, the report revealed.

For U.S. companies, cyber risks replaced business interruption as the top concern in 2024, reflecting the growing challenges organizations face in safeguarding their operations against evolving threats.

Addressing AI Risks: Best Practices for Proactive Crisis Management

 

An essential element of effective crisis management is preparing for both visible and hidden risks. A recent report by Riskonnect, a risk management software provider, warns that companies often overlook the potential threats associated with AI. Although AI offers tremendous benefits, it also carries significant risks, especially in cybersecurity, which many organizations are not yet prepared to address. The survey conducted by Riskonnect shows that nearly 80% of companies lack specific plans to mitigate AI risks, despite a high awareness of threats like fraud and data misuse. 

Out of 218 surveyed compliance professionals, 24% identified AI-driven cybersecurity threats—like ransomware, phishing, and deepfakes—as significant risks. An alarming 72% of respondents noted that cybersecurity threats now severely impact their companies, up from 47% the previous year. Despite this, 65% of organizations have no guidelines on AI use for third-party partners, often an entry point for hackers, which increases vulnerability to data breaches. Riskonnect’s report highlights growing concerns about AI ethics, privacy, and security. Hackers are exploiting AI’s rapid evolution, posing ever-greater challenges to companies that are unprepared.

Although awareness has improved, many companies still lag in adapting their risk management strategies, leaving critical gaps that could lead to unmitigated crises. Internal risks can also impact companies, especially when they use generative AI for content creation. Anthony Miyazaki, a marketing professor, emphasizes that while AI-generated content can be useful, it needs oversight to prevent unintended consequences. For example, companies relying on AI alone for SEO-based content could risk penalties if search engines detect attempts to manipulate rankings. 

Recognizing these risks, some companies are implementing strict internal standards. Dell Technologies, for instance, has established AI governance principles prioritizing transparency and accountability. Dell’s governance model includes appointing a chief AI officer and creating an AI review board that evaluates projects for compliance with its principles. This approach is intended to minimize risk while maximizing the benefits of AI. Empathy First Media, a digital marketing agency, has also taken precautions. It prohibits the use of sensitive client data in generative AI tools and requires all AI-generated content to be reviewed by human editors. Such measures help ensure accuracy and alignment with client expectations, building trust and credibility. 

As AI’s influence grows, companies can no longer afford to overlook the risks associated with its adoption. Riskonnect’s report underscores an urgent need for corporate policies that address AI security, privacy, and ethical considerations. In today’s rapidly changing technological landscape, robust preparations are necessary for protecting companies and stakeholders. Developing proactive, comprehensive AI safeguards is not just a best practice but a critical step in avoiding crises that could damage reputations and financial stability.

RBI Issues Advisory to Support Cybersecurity in Banks


 

Amid escalating cyber threats, the Reserve Bank of India (RBI) has released a comprehensive advisory to all scheduled commercial banks. This advisory, disseminated by the Department of Banking Supervision in Mumbai, stresses the paramount importance of robust cybersecurity measures in the modern digital banking infrastructure.

The advisory highlights the crucial role of Corporate Governance in maintaining accountability within banks, emphasising that IT Governance is a key component of this framework. The RBI stresses that effective IT Governance necessitates strong leadership, a clear organisational structure, and efficient processes. Responsibility for IT Governance, the advisory states, lies with both the Board of Directors and Executive Management.

With technology becoming integral to banking operations, nearly every commercial bank branch has adopted some form of digital solution, such as core banking systems (CBS) and alternate delivery channels like internet banking, mobile banking, phone banking, and ATMs. In light of this, the RBI provides specific guidelines to banks for enhancing their IT Governance.

The RBI recommends that banks clearly define the roles and responsibilities of their Board and Senior Management to ensure effective project control and accountability. Additionally, it advises the establishment of an IT Strategy Committee at the Board level, comprising members with substantial IT expertise. This committee is tasked with advising on strategic IT directions, reviewing IT investments, and ensuring alignment with business goals.

The advisory also suggests structuring IT functions based on the bank’s size and business activities, with dedicated divisions such as technology and development, IT operations, IT assurance, and supplier management. Each division should be headed by experienced senior officials to manage IT systems effectively.

Implementing IT Governance Practices

The RBI stresses the importance of implementing robust IT Governance practices aligned with international standards like COBIT (Control Objectives for Information and Related Technologies). These practices focus on value delivery, IT risk management, strategic alignment, resource management, and performance measurement.

Information Security Governance

Recognizing the critical nature of information security, the RBI advises banks to develop comprehensive security governance frameworks. This includes creating security policies, defining roles and responsibilities, conducting regular risk assessments, and ensuring compliance with regulatory requirements. The advisory also recommends that the information security function be separated from IT operations to enhance oversight and mitigate risks.

Risk Management and Compliance

The RBI underscores the necessity of integrating IT risks into banks’ overall risk management frameworks. This involves identifying threats, assessing vulnerabilities, and implementing appropriate controls to mitigate risks. Regular monitoring and oversight through steering committees are essential to ensure compliance with policies and regulatory standards.

The RBI’s advisory serves as a crucial reminder for banks to strengthen their cybersecurity defences amidst growing digital threats. By adopting robust IT Governance and information security frameworks, banks can enhance operational resilience, protect customer data, and safeguard financial stability. Adhering to these guidelines not only ensures regulatory compliance but also bolsters trust and confidence in the banking sector.

As technology continues to play an increasingly pivotal role in banking, the RBI urges banks to remain vigilant against emerging threats. Proactive measures taken today will help secure the future of banking operations against cybersecurity challenges. For detailed guidelines, banks are encouraged to refer to the official communication from the Reserve Bank of India.


SEC Tightens Cybersecurity Regulations for Public Companies

 



In 2023, the Securities and Exchange Commission (SEC) significantly tightened its cybersecurity regulations for publicly traded companies. This move, aimed at enhancing investor protection and ensuring market transparency, responds to the increasing prevalence of cyber threats and their potential to disrupt business operations and financial stability.

New Rules for Incident Disclosure

The SEC's updated regulations require companies to disclose cybersecurity incidents within four days of determining their material impact. Companies must swiftly evaluate the scope and severity of any cyberattack, including the nature and amount of data compromised and the potential business, legal, or regulatory impacts. The goal is to provide timely and accurate information about incidents that could affect a company's financial health or market performance.

Case Studies: Clorox, Prudential Financial, and UnitedHealth

Recent cyber incidents involving Clorox, Prudential Financial, and UnitedHealth offer insights into how companies handle these new requirements.

Clorox: In August 2023, Clorox faced a major cyberattack that disrupted its automated order processing system, leading to significant delays and product shortages. This disruption is expected to cost the company between $57 million and $65 million in fiscal year 2024, largely for IT recovery and professional services. Additionally, Clorox’s Chief Information Security Officer (CISO) left the company following the attack, which revealed long-standing security issues that had previously been flagged in audits.

Prudential Financial: In February 2024, Prudential Financial reported a cyber breach involving unauthorised access to its infrastructure, affecting administrative and user data. The breach, linked to the ALPHV ransomware group, compromised the personal information of 36,545 individuals. Prudential took a proactive approach by disclosing the incident to the SEC before determining its material impact, indicating a possible new trend toward early transparency.

UnitedHealth: UnitedHealth’s subsidiary, Change Healthcare, experienced a significant cyberattack that compromised millions of patient records and disrupted prescription and claims processing. Initially attributing the attack to a nation-state, UnitedHealth focused on restoring operations without immediately assessing its materiality. The incident has led to substantial financial repercussions, including at least 24 lawsuits and potential costs up to $1.6 billion. Following the disclosure, UnitedHealth’s stock price dropped by nearly 15%.

Key Takeaways for Risk Management

These examples highlight several important lessons for companies under the new SEC regulations:

1. Visibility and Accountability: Companies must continuously oversee their digital assets and promptly address security vulnerabilities. Ignorance is no longer a viable defence, and businesses must be able to explain the details of any breaches.

2. Transparency and Proactive Measures: Transparency is crucial. Companies should adopt conservative and proactive cybersecurity policies and be prepared to update disclosures with more detailed information as it becomes available.

3. Information Sharing: Sharing information about cyber breaches and effective security strategies benefits all sectors. This collaborative approach enhances overall security practices and accelerates the adoption of best practices across the industry.

The SEC’s new cybersecurity regulations mark a shift towards more stringent oversight, underscoring the growing need for robust cybersecurity measures to protect market stability and investor interests. As companies adjust to these requirements, the experiences of Clorox, Prudential Financial, and UnitedHealth provide valuable lessons in effective risk management and transparency.


Critical Infrastructure and the Importance of Safeguarding it in the Digital Age

 

In today's digital age, our society relies heavily on critical infrastructure to function smoothly. These infrastructures, including power grids, water systems, and communication networks, form the backbone of our daily lives, facilitating everything from electricity distribution to internet connectivity. 

However, with the increasing interconnectedness brought about by technology, these vital systems have become prime targets for cyberattacks. Cyberattacks on critical infrastructure have surged by 35% globally in the past year alone, according to a 2023 report by the World Economic Forum. These attacks pose significant risks, potentially resulting in city-wide blackouts, disruptions in healthcare services, and compromised communication networks. 

The consequences of such breaches can be devastating, not only impacting economic stability but also endangering public safety. Despite these challenges, there is hope on the horizon as governments, businesses, and security experts recognize the urgent need to address cybersecurity vulnerabilities in critical infrastructure. Traditional approaches to cybersecurity, characterized by perimeter defenses and technological fortifications, are proving inadequate in the face of evolving threats. 

Instead, a paradigm shift is underway towards viewing critical infrastructure as a living ecosystem, where every individual plays a vital role in safeguarding the whole. This holistic approach emphasizes the importance of human vigilance alongside technological solutions. While advanced technologies like artificial intelligence and threat intelligence platforms are valuable tools in detecting and mitigating cyber threats, they must be complemented by robust employee training and a culture of security awareness. 

Every employee, from top executives to frontline staff, must be equipped with the knowledge and skills to identify and respond to potential threats effectively. Furthermore, securing critical infrastructure requires a commitment to continuous improvement. Organizations must regularly conduct risk assessments, update protocols, and actively test their defenses to stay ahead of evolving threats. 

This agility and flexibility are essential in adapting security strategies to address emerging vulnerabilities and technological advancements. Malicious actors often exploit human error and social engineering tactics to bypass technological defenses. Therefore, educating and empowering employees to recognize and report suspicious activity is paramount in strengthening overall cybersecurity posture. 

Moreover, collaboration between public and private sectors, as well as international cooperation, is essential in building a comprehensive and resilient defense network. By sharing intelligence, best practices, and resources, stakeholders can effectively combat cyber threats and mitigate their impact on critical infrastructure. 

Securing critical infrastructure in the digital age is not merely a technical challenge but a multifaceted endeavor that requires a united and concerted effort. By embracing a human-centric approach, leveraging advanced technologies, and fostering collaboration, we can create a future where our essential systems operate securely, safeguarding the well-being and prosperity of society.

Generative AI Revolutionizing Indian Fintech

 

Over the past decade, the fintech industry in India has seen remarkable growth, becoming a leading force in driving significant changes. This sector has brought about a revolution in financial transactions, investments, and accessibility to products by integrating advanced technologies like artificial intelligence (AI), blockchain, and data analytics.

The swift adoption of these cutting-edge technologies has propelled the industry's growth trajectory, with forecasts suggesting a potential trillion-dollar valuation by 2030. As fintech continues to evolve, it's clear that automation and AI, particularly Generative AI, are reshaping the landscape of online trading and investment, promising heightened productivity and efficiency.

Recent market studies indicate substantial growth potential for Generative AI in India's financial market, particularly in investing and trading segments. By 2032, the market size for Generative AI in investing is expected to reach around INR 9101 Cr, a significant rise from INR 705.6 Cr in 2022. Similarly, the market size for Generative AI in trading is projected to reach about INR 11.76K Cr by 2032, compared to INR 1294.1 Cr in 2022. These projections underscore the transformative impact and growing importance of Generative AI in shaping the future of online trading and investment in India.

Generative AI, a subset of AI, is emerging as a game-changer in online trading by using algorithms to generate data and make predictive forecasts. This technology enables traders to simulate various market conditions, predict outcomes, and develop robust trading strategies. By leveraging historical and synthetic data, Generative AI-powered tools not only analyze past market trends but also generate synthetic data to explore hypothetical scenarios and test strategies in a risk-free environment. Additionally, Generative AI helps identify patterns within large datasets, providing traders with valuable insights for making informed investment decisions in dynamic market environments.

Predictive Analytics and Market Insights

Generative AI algorithms excel in predictive analytics, offering precise forecasts of future market trends by analyzing historical data and identifying patterns. This empowers traders to stay ahead of the curve and make informed decisions in a dynamic market environment. Generative AI plays a crucial role in effective risk management by analyzing various factors to mitigate risks and maximize returns. Through dynamic adjustment of portfolio allocations and hedging strategies, Generative AI ensures traders can navigate volatile market conditions confidently.
 
Generative AI allows customization of trading strategies based on individual preferences and risk tolerance, tailoring investment strategies to specific goals and objectives. Generative AI also significantly enhances productivity in online trading and investment by swiftly analyzing vast amounts of financial data, automating routine tasks, and continuously refining strategies over time.

Overall, Generative AI represents a paradigm shift in online trading and investment, unlocking unparalleled efficiency and innovation. By harnessing AI-driven algorithms, traders can gain a competitive edge, accelerate development cycles, and achieve their financial goals with confidence in an ever-evolving market landscape.

FIRST Launched CVSS 4.0, Revolutionizing Cybersecurity Assessment and Risk Management

In a recent development, the Forum of Incident Response and Security Teams (FIRST) has made headlines by unveiling version 4.0 of the Common Vulnerability Scoring System (CVSS). This latest release, following four years since CVSS v3.1, represents a noteworthy advancement in the standard employed for evaluating the severity of cybersecurity vulnerabilities. 

Before Understanding CVSS 4.0, Let’s Delve Into CVSS 

Before we get into CVSS 4.0, it is crucial to grasp the roots of the Common Vulnerability Scoring System. This framework had its beginnings back in 2005 when the National Infrastructure Advisory Council (NIAC) first introduced it. 

It plays a crucial role by providing essential information about vulnerabilities for security teams. Nowadays, the Forum of Incident Response and Security Teams (FIRST), a non-profit organization with over 500 global member organizations, manages CVSS as an open platform. 

CVSS essentially acts as a tool, offering a standardized way to measure the severity of computer system problems. It takes into account factors like the likelihood of exploitation, potential impact, and complexity. These considerations come together to form a score, aiding organizations in deciding which issues to prioritize and how to address them effectively. 

Criticism of CVSS 3.0 which led to CVSS 4.0 

In the realm of cybersecurity assessments, Version 3.0 of the Common Vulnerability Scoring System (CVSS) and the CVSS standard overall have been widely regarded for their effectiveness in gauging the "impact" of vulnerabilities. 

However, a notable shortcoming has been identified in their ability to accurately score the "exploitability" of a vulnerability. Exploitability, encompassing the likelihood of a vulnerability being exploited, takes into account various factors such as user interactions, the proficiency and capabilities of potential threat actors, and the configuration of the system in question. 

In response, FIRST developed CVSS v4.0 to address these shortcomings. The new version is a substantial change, intended to make scoring simpler, more flexible, and more accurate, and to represent risk more realistically. This helps organizations decide which problems to fix first and allocate their remediation resources more effectively.

CVSS 4.0 - What's New?

1. Attack Vector:

• Considers how close an attacker needs to be to exploit a vulnerability.
• Determines if the attack can happen over the internet, in the same network, or requires physical access.
• Network-based vulnerabilities are seen as more severe.

2. Attack Complexity:

• Describes the conditions beyond the attacker's control needed to exploit a vulnerability. 
• Addresses factors that enhance security or complicate exploit development. 
• Considers whether specific information about the target is necessary for exploitation. 

3. Privileges Required: 

• Outlines the level of access rights an attacker needs before exploiting a vulnerability. 
• Does not focus on how the attacker gains these permissions. 
• Considers the extent of permissions needed for a successful exploit. 

4. User Interaction: 

• Gauges if successful exploitation requires human interaction. 
• Examples include phishing emails needing user clicks or network-based exploits without user involvement. 
• Directly impacts the CVSS score, with non-user interactive vulnerabilities generally considered more severe. 

5. Scope:

• Captures if a vulnerability in one component affects resources beyond its security scope. 
• Removed as a base metric in CVSS version 4.0. 

6. Impact Metrics (Confidentiality, Integrity, Availability): 

• Measures consequences if a vulnerability is exploited successfully. 
• Introduced new "Subsequent System" impact metrics to capture effects on systems beyond the vulnerable one. 

7. Exploit Code Maturity: 

• Evaluates the probability of an attacker utilizing the vulnerability. 
• Considers existing exploit strategies, accessibility of exploit code, and real-time exploitation reports. 
• Categories include "Attacked," "PoC" (Proof-of-Concept), and "Unreported." 

Additionally, the optional Supplemental Metrics in CVSS 4.0 provide essential insights beyond standard vulnerability assessment. Safety evaluates human safety risks, Automatable gauges exploit automation potential, Recovery assesses system resilience, Value Density explores resource control, Vulnerability Response Effort aids in response planning, and Provider Urgency standardizes severity assessments from suppliers. Together, these metrics enhance the depth and context of vulnerability analysis for more informed decision-making.
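As an added illustration of how these metrics are carried in practice (example code written for this page, not FIRST's own calculator), the Python below parses a CVSS v4.0 vector string, validates each metric against its allowed values, reports the CVSS-B/BT/BE/BTE nomenclature, and derives defender-side triage flags from the Exploit Maturity and Supplemental metrics. It also includes the Attack Requirements (AT) base metric and the Environmental metric group, which the post does not list, and it does not reproduce the official numeric score calculation. The sample vectors are constructed and describe no real vulnerability.

```python
"""CVSS v4.0 vector parser and triage helper (added example, not FIRST's code).
Validates syntax and metric values; does not compute the numeric score."""
import re

# Base metrics (mandatory). AT (Attack Requirements) sits alongside Attack
# Complexity in v4.0; Scope is gone, replaced by the SC/SI/SA metrics.
BASE = {
    "AV": "NALP",  # Attack Vector: Network, Adjacent, Local, Physical
    "AC": "LH",    # Attack Complexity: Low, High
    "AT": "NP",    # Attack Requirements: None, Present
    "PR": "NLH",   # Privileges Required: None, Low, High
    "UI": "NPA",   # User Interaction: None, Passive, Active
    "VC": "HLN", "VI": "HLN", "VA": "HLN",  # Vulnerable System C/I/A impact
    "SC": "HLN", "SI": "HLN", "SA": "HLN",  # Subsequent System C/I/A impact
}
# Threat metric: Exploit Maturity (Attacked, PoC, Unreported; X = not defined).
THREAT = {"E": "XAPU"}
# Environmental metrics: C/I/A requirements plus modified base metrics.
ENVIRONMENTAL = {
    "CR": "XHML", "IR": "XHML", "AR": "XHML",
    "MAV": "XNALP", "MAC": "XLH", "MAT": "XNP", "MPR": "XNLH", "MUI": "XNPA",
    "MVC": "XHLN", "MVI": "XHLN", "MVA": "XHLN",
    "MSC": "XHLN", "MSI": "XSHLN", "MSA": "XSHLN",  # S = Safety for MSI/MSA
}
# Supplemental metrics, all optional; X = not defined.
SUPPLEMENTAL = {
    "S": "XNP",    # Safety: Negligible, Present
    "AU": "XNY",   # Automatable: No, Yes
    "R": "XAUI",   # Recovery: Automatic, User, Irrecoverable
    "V": "XDC",    # Value Density: Diffuse, Concentrated
    "RE": "XLMH",  # Vulnerability Response Effort: Low, Moderate, High
    "U": ("X", "Clear", "Green", "Amber", "Red"),  # Provider Urgency
}
ALL_METRICS = {k: frozenset(v) for group in (BASE, THREAT, ENVIRONMENTAL, SUPPLEMENTAL)
               for k, v in group.items()}
_COMPONENT = re.compile(r"^([A-Z]{1,3}):([A-Za-z]+)$")


def parse_cvss4_vector(vector: str) -> dict:
    """Return {metric: value} for a well-formed v4.0 vector, else raise ValueError.
    Checks prefix, known metrics, allowed values, duplicates and that every
    base metric is present; component order is not enforced here."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("vector must start with the 'CVSS:4.0' prefix")
    metrics = {}
    for part in parts[1:]:
        match = _COMPONENT.match(part)
        if not match:
            raise ValueError(f"malformed component {part!r}")
        key, value = match.groups()
        if key not in ALL_METRICS:
            raise ValueError(f"unknown metric {key!r}")
        if key in metrics:
            raise ValueError(f"metric {key!r} given more than once")
        if value not in ALL_METRICS[key]:
            raise ValueError(f"value {value!r} is not allowed for metric {key!r}")
        metrics[key] = value
    missing = [k for k in BASE if k not in metrics]
    if missing:
        raise ValueError("missing mandatory base metric(s): " + ", ".join(missing))
    return metrics


def is_valid_vector(vector: str) -> bool:
    """Boolean wrapper around parse_cvss4_vector for quick checks."""
    try:
        parse_cvss4_vector(vector)
        return True
    except ValueError:
        return False


def nomenclature(metrics: dict) -> str:
    """CVSS-B, -BT, -BE or -BTE depending on which optional groups are defined."""
    threat = any(metrics.get(k, "X") != "X" for k in THREAT)
    env = any(metrics.get(k, "X") != "X" for k in ENVIRONMENTAL)
    return "CVSS-B" + ("T" if threat else "") + ("E" if env else "")


def triage_flags(metrics: dict) -> list:
    """Defender-side prioritisation hints derived from the parsed metrics."""
    flags = []
    if metrics["AV"] == "N" and metrics["PR"] == "N" and metrics["UI"] == "N":
        flags.append("reachable over the network with no privileges or user interaction")
    if any(metrics[k] != "N" for k in ("SC", "SI", "SA")):
        flags.append("impact extends to subsequent systems")
    if metrics.get("E") == "A":
        flags.append("exploitation reported in the wild (E:A)")
    if metrics.get("AU") == "Y":
        flags.append("exploitation is automatable (AU:Y)")
    if metrics.get("S") == "P":
        flags.append("human safety impact present (S:P)")
    return flags


if __name__ == "__main__":
    # Constructed sample vectors; the third one omits SA and is rejected.
    for s in ("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
              "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:L/E:A/AU:Y/S:P",
              "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N"):
        try:
            m = parse_cvss4_vector(s)
            print(nomenclature(m), triage_flags(m))
        except ValueError as err:
            print("rejected:", err)
```

The validator rejects a vector the moment any base metric is missing or any value falls outside the specification's set, which is the check a triage pipeline should perform before it trusts a supplier-provided score; the flags are a starting point for prioritisation and are not a substitute for the full scoring formula.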

Embracing the Virtual: The Rise and Role of vCISOs in Modern Businesses

 

In recent years, the task of safeguarding businesses against cyber threats and ensuring compliance with security standards has become increasingly challenging. Unlike larger corporations that typically employ Chief Information Security Officers (CISOs) for handling such issues, smaller businesses often lack this dedicated role due to either a perceived lack of necessity or budget constraints.

The growing difficulty in justifying the absence of a CISO has led many businesses without one to adopt a virtual CISO (vCISO) model. Also known as fractional CISO or CISO-as-a-service, a vCISO is typically an outsourced security expert working part-time to assist businesses in securing their infrastructure, data, personnel, and customers. Depending on the company's requirements, vCISOs can operate on-site or remotely, providing both short-term and long-term solutions.

Various factors contribute to the increasing adoption of vCISOs. It may be prompted by internal crises such as the unexpected resignation of a CISO, the need to comply with new regulations, or adherence to cybersecurity frameworks like NIST's Cybersecurity Framework 2.0 expected in 2024. Additionally, board members accustomed to CISO briefings may request the engagement of a vCISO.

Russell Eubanks, a vCISO and faculty member at IANS Research, emphasizes the importance of flexibility in vCISO engagements, tailoring the delivery model to match the specific needs of a company, whether for a few days or 40 hours a week.

The vCISO model is not limited to smaller businesses; it also finds applicability in industries such as software-as-a-service (SaaS), manufacturing, industrial, and healthcare. However, opinions differ regarding its suitability in the heavily regulated financial sector, where some argue in favor of full-time CISOs.

Key responsibilities of vCISOs include governance, risk, and compliance (GRC), strategic planning, and enhancing security maturity. These experts possess a comprehensive understanding of cyber risk, technology, and business operations, enabling them to orchestrate effective security strategies.

Experienced vCISOs often play advisory roles, assisting CEOs, CFOs, CIOs, CTOs, and CISOs in understanding priorities, assessing technology configurations, and addressing potential cybersecurity vulnerabilities. Some vCISOs even assist in defining the CISO role within a company, preparing the groundwork for a permanent CISO to take over.

When seeking a vCISO, companies have various options, including industry experts, large consulting firms, boutique firms specializing in vCISO services, and managed services providers. The critical factor in selecting a vCISO is ensuring that the candidate has prior experience as a CISO, preferably within the same industry as the hiring company.

The process of finding the right vCISO involves understanding the company's needs, defining the scope and outcome expectations clearly, and vetting candidates based on their industry familiarity and experience. While compatibility with the company's size and vertical is essential, the right vCISO can outweigh some of these considerations. Rushing the selection process is discouraged, with experts emphasizing the importance of taking the time to find the right fit to avoid potential mismatches.