Tag: cybersecurity

M&A Leaks

Merger and acquisition (M&A) activities pose major document protection challenges for all parties involved. Leaked or stolen data has caused bidding wars, broken deals, cost millions of dollars in damages, and ruined reputations. How can M&A teams ensure maximum document security without impeding productivity?

*

Merger and acquisition teams typically range in size from a handful of members in smaller or medium-sized organizations to several hundred internal contributors at enterprise scale. That holds for the buyer’s side as well as for the seller’s teams, and it includes investment banks or Private Equity (PE) firms.

This headcount, however, doesn’t yet include external contributors. Think research analysts, M&A advisories, outside legal counsel, data protection and privacy compliance consultants, and IT integration specialists. Most of them are involved at one stage or another of the M&A process.

Since the beginning of the COVID-19 pandemic, many internal and external M&A team members have accessed sensitive documents from their home offices. On tight deadlines, they collect, create, review, edit, and share sensitive data that can make or break a deal – or kill it, if that data falls into the wrong hands.

M&A activities at an all-time high – and deal leaks, too

The shift to remote and hybrid work is a powerful driver behind banks and their corporate clients leveraging enterprise-level Digital Rights Management (DRM) to secure M&A-relevant unstructured data. The reasons quickly become clear when we look at a real-life example. 

A global automotive component manufacturer is planning, together with its investment bank, the acquisition of a publicly traded semiconductor design and manufacturing company.

Table: Overview of deal leaks by sector (source: SS&C Intralinks 2020 M&A Leaks Report [PDF])

It’s high season for M&As, and the planned deal seems like a match made in heaven. Yet from an M&A security perspective, the timing couldn’t be worse. M&A leaks have been spiking recently, according to the SS&C Intralinks 2020 M&A Leaks Report [PDF]. This development means all new M&As face an unprecedented challenge. 

The challenge: Remote work amplifies M&A security risks

We’ve highlighted document security risks for banks and financial firms resulting from remote work before. The threat level is even more elevated for members of the extended M&A team who work from home. Preparation and execution of most mergers and acquisitions involve a wide variety of confidential documents – in some cases, thousands of them. 

Niche vendors of M&A tool platforms tout the cloud-based Virtual Data Room (VDR) as the solution. Such “deal rooms” have become a fixture in the M&A space. At the same time, data protection experts say that VDRs instill a false sense of security – comparable, perhaps, to standard M&A non-disclosure agreements.

These critics point to the weak – often password-based – security of VDRs and specialized M&A document management systems that can too easily be circumvented. Deal administrators and IT lament interoperability issues with other cloud storage services, as well as manageability and scalability problems.

The solution: data-centric M&A security

Enterprise DRM enables IT to strengthen M&A security instead. Fasoo Enterprise DRM, for example, enables data owners to protect confidential content through all stages of a merger or acquisition.

Bar chart: M&A cost distribution by phase (source: IBM Benchmark Insights: Assessing Cyber Risk in M&A)

In our example, we focus on negotiations, due diligence, transaction execution, and implementation. These are the M&A stages where data breaches and deal leaks can be most damaging and costly. 

Let’s take a closer look at how the acquirer, its bank, and the acquisition target leverage Enterprise DRM (EDRM) to maximize document protection. Enterprise DRM’s data-centric security enables IT and deal administrators to protect, control, and track sensitive data on a per-document basis, on any device, at any time.

M&A and beyond: document lifecycle protection

Fasoo encrypts confidential files at the point of creation or before they get uploaded to a VDR, for example. This protection applies throughout the entire document lifecycle, regardless of which M&A platform any contributing organization may be using.

  • Negotiations: Centralized policy management enables M&A data owners and deal administrators to remain in control. Fasoo Enterprise DRM lets them flexibly adjust who can access, edit, print, or share sensitive content – including remote workers.

    This phase usually involves a large number of Microsoft Office documents in various formats and Adobe PDF files. Dynamic permission control enables deal administrators to assign and revoke file access permissions for reviewers on a temporary basis, for example, to facilitate more than one bidding round.

  • Due diligence: In our example, the due diligence document list includes (among others) intellectual property (IP) files, tax records, financial planning P&L documents, electronic design automation (EDA) diagrams, facility blueprints, tax filings, HR records, and all sorts of legal PDFs. Throughout the document review process and beyond, data owners and deal administrators centrally manage who has access to sensitive content. Context-aware and hardware-agnostic secure print and pull print capabilities prevent the unauthorized printing of Personally Identifiable Information (PII) at a home office printer or in a shared workspace, for example. Secure screen and watermarking features (“Fasoo Smart Screen”) block or deter screen capture attempts across all applications, including in Virtual Desktop Infrastructure (VDI) environments and browsers.

  • Post-transaction / implementation: M&A security professionals warn that the post-merger integration of the acquired company with the buy-side is fraught with data protection and compliance risks that can cost the acquirer millions or even billions of dollars. Data breaches are one main reason for the high M&A failure rate. In our example, the acquirer already has Enterprise DRM in place across its global organization, not unlike this Fasoo customer in the same industry. This means trade secrets, personnel PII, and even sensitive records exported from databases are automatically detected, classified, prioritized, and encrypted when they enter the buyer company’s environment from the acquired company.

During each M&A stage and long thereafter, Enterprise DRM provides persistent protection and consistent tracking. A document usage audit trail keeps IT, compliance managers, and financial regulators in the loop. 

After all, “digital M&A became the new norm” during the pandemic, according to the consultants at Bain & Company. This year, more dealmakers discovered the power of Enterprise DRM. They use it to prevent M&A leaks and data breaches from becoming a new norm, too.

Cover of Biden Administration Executive Order Cybersecurity 05-2021 (NIST)

In its Executive Order on Improving the Nation’s Cybersecurity on May 12th, the Biden administration mandated major improvements to how federal agencies protect their networks and data. How does this affect companies that do business with the federal government (or plan to) and their suppliers and contractors? 

*

“Outdated security models and unencrypted data have led to compromises of systems in the public and private sectors.” That is how a White House statement explained the reasoning behind this executive order.

Following the SolarWinds and Microsoft Exchange incidents and the ransomware attack on Colonial Pipeline, the directive laid out “bold changes and significant investments.” Officials position it as merely a first step. Security experts agree that it is already creating some much-needed momentum.

They predict that the executive order will have a substantial impact on the private sector as well. So if you are tasked with IT security and data protection in such an organization, you want to know what that means for you.

In general terms, the directive aims to help move the federal government to secure cloud services and a zero-trust architecture. It also mandates federal agencies to adopt, on a short-term schedule, multi-factor authentication and “encryption for data at rest and in transit.”

That means data protection along the supply chain is now a priority. To wit, contractors, vendors, and suppliers are mentioned 13 times in the executive order. The specific instructions referring to them make clear: the goal is to create an immediate, yet long-lasting ripple effect far beyond federal agencies.

Enterprise DRM – a shortcut to compliance?

Those ripples are felt in the market already, say insiders.

Case in point: a noticeable uptick in demand for platform-agnostic, file-centric document protection that meets the federal requirements. Industry analysts report a resurging interest in Digital Rights Management (DRM) software, such as Fasoo Enterprise DRM.

DRM solutions for the enterprise have been around for more than a decade. They enable organizations to encrypt and centrally manage their sensitive files throughout the document lifecycle, regardless of device, application, or access location.

So what’s causing the buzz now, in the wake of President Biden’s executive order?

In a nutshell, a mature enterprise DRM solution typically comes with key capabilities baked in that check the boxes mandated by the Executive Order.

Could this be your shortcut to meeting these mandates across your organization and its supply chain, with the least amount of pain and friction? 

As always, it depends. Does the solution in question check all the boxes, or only a few? An information protection service that was designed as a tack-on for a limited range of popular office file formats, for example, will fall short. It won’t cover many essential document formats used by federal contractors – CAD files come to mind. 

Other solutions suffer from performance issues at scale and are challenging to maintain and manage. How can you ensure that the enterprise DRM suite you’re evaluating fits the bill? 

Here’s what to look for concerning the provisions in the May 2021 Executive Order on Cybersecurity: 

  • Smart and flexible encryption: Can the enterprise DRM solution under consideration automatically identify unknown data and protect and trace it persistently, regardless of its location? Does it provide the encryption strength mandated for organizations that are part of or do business with the U.S. government? Fasoo’s FIPS 140-2 validated cryptographic modules meet the strict demands of the Cryptographic Module Validation Program (CMVP) run by the National Institute of Standards and Technology (NIST). NIST is tasked with developing the guidelines for the administration’s cybersecurity program.

  • Access control: Does the information protection service your organization is considering support the broadest possible range of third-party, federated, and proprietary authentication systems, including those used by the federal government? Fasoo Enterprise DRM integrates with Active Directory and other LDAP-compatible and SAML-based systems. Its SSO and other authentication APIs support the full hybrid mix of on-premises, cloud, and WFH digital assets and devices deployed by the federal government and its contractors and suppliers.

  • Frictionless rights and exception management: Affected organizations inside and outside the federal government are wary of the mandated “encryption of data at rest and in transit.” They fear that complex systems with inflexible file access and usage policy management would make slow federal workflows even slower. How does the solution under evaluation keep tabs on critical data and who gets to access what, while ensuring compliance with federal mandates and regulations? Will it require filing a support ticket each time a team member needs an exception from file restrictions? Fasoo Enterprise DRM secures information across large organizations without compromising performance. Its centralized management capabilities make exception handling by IT or data owners a fast and straightforward process and reduce IT’s workload.

The executive order calls for federal entities to “evaluate the types and sensitivity of their respective agency’s […] data […] The evaluation shall prioritize identification of the unclassified data considered by the agency to be the most sensitive and under the greatest threat, and appropriate processing and storage solutions for those data.”

Several federal agencies are already using Fasoo Enterprise DRM, which enables organizations to automate the identification and tagging of documents for encryption. So do industry leaders in sectors most affected by the changes in the new Executive Order on Cybersecurity. To learn about more factors that drive them to deploy enterprise DRM, check out this conversation between Fasoo CTO Ron Arden and GE Gas Power cybersecurity researchers Hillary Fehr and Chris Babie.

Is your organization re-evaluating its document protection options in light of the Biden administration’s cybersecurity plans? Contact our team to find out how federal agencies and their leading contractors leverage Fasoo Enterprise DRM to “adopt the security best practices” as directed by the new executive order.

World IP Day 2021 Image - Technology

Did you know April 26th is World IP Day? It was designated by the member states of WIPO, the IP forum of the United Nations, to increase the general understanding of intellectual property and how it enables technological innovation.

Let’s celebrate with a roundup post. Perhaps you enjoyed the recent discussion on this blog with GE Gas Power cybersecurity researchers Hillary Fehr and Chris Babie of the challenges involved with protecting IP in manufacturing? Or the insights shared by Markus Fischer, VP Engineering at ZF Group’s Active Safety Systems division, into IP theft and IP protection of CAD files in the automotive industry?

We know we did. For this World IP Day post, we asked more IP protection thought leaders what they think the biggest challenge is for manufacturers battling IP theft. Read their responses below:

“Fair is where you take your kids to eat cotton candy”

G. Mark Hardy, President, National Security Corporation

For manufacturing companies, the fight against IP theft is complicated by:

  • lack of uniform laws throughout the world
  • governments that “borrow” IP and control their own courts
  • the expense of onshore manufacturing in the US

There is no “international patent.” To protect IP, one must file separately in each jurisdiction. Fees, different processes, and delays consume years while market opportunity erodes. Further, few comprehend the expenses and logistics involved in defending a patent overseas. Holding a patent only conveys the right to make a lawyer wealthy. It is no guarantee against unethical behavior.

Allegations of nation-states “borrowing” technology are well-founded. SolarWinds, Hafnium, and next week’s breach-to-be-discovered combine to yield varying estimates in the hundreds of billions of dollars.

Yet few executives invest in defenses against a phalanx of professional uniformed hackers. Contractors to the US Department of Defense (DoD) are getting religion in 2021, as failure to properly implement NIST SP 800-171 will result in sudden revenue loss. DoD realizes that wars are won on battlefields, not courtrooms. Denying unauthorized access to IP is the best form of offense.

Why not just manufacture everything domestically? In a word, cost. Salaries, benefits, regulation, liability, and lawsuits all encourage taking on the risk of overseas manufacturing. This creates a vicious cycle of race-to-the-bottom cost to beat out foreign competitors in a global market, who are enabled to achieve low cost without R&D expense through IP theft. Tariff wars offer temporary sanctuary but ultimately have adverse secondary effects.

Bottom line — don’t expect others to be fair. Fair is where you take your kids to eat cotton candy. The best offense is a powerful defense. Protect leading-edge IP like your life depended on it and relegate the other 95% to cheap manufacture. 

Combine your protected, domestically managed IP at final assembly, and build in anti-tampering / anti-theft to drive up the cost of theft as much as possible. 

You can’t totally prevent IP theft, but you can make the other guy have to work damn hard to earn a paycheck.

About the author:

G. Mark Hardy (LinkedIn profile) is founder and president of National Security Corporation, providing cyber security expertise to government, military, and commercial clients for over 35 years. A retired U.S. Navy Captain, he was entrusted with nine command tours throughout his career. A co-host of the CISO Tradecraft podcast, Mr. Hardy has presented at hundreds of events worldwide, providing thought leadership over a range of security fields. A graduate of Northwestern University, he holds a BS in computer science, a BA in mathematics, a master’s in business administration, a master’s in strategic studies, and holds the CISSP, CISM, GSLC, and CISA certifications.

*

From trusted employee to thief: When did they flip?

Josh Linder, Principal Value Consultant at OpenText


The “biggest challenge” when battling IP theft? It’s really three things that come together in the end.

The first challenge is knowing where content exists. You can’t protect what you don’t know. With a greater focus on electronic tools and the cloud, information is everywhere, and normally poorly classified and secured. The irony is that employees and trusted parties often struggle to find data, and then are much more haphazard than attackers, who clean up nicely and cover their tracks.

Second, detecting insider threats poses a particular challenge. Organizations struggle to determine who “flipped” from being trusted to thief now (and when did they “flip”?). The reasons for insider theft (of intellectual property) are many. They tend to result from selfish motives (profit, vandalism, or, as a growing vector, disagreement with corporate social justice positions).

The final challenge is the one which people most often jump to first – blocking external threat actors. However, the work of external adversaries is not a single challenge – it is the culmination of inadequate protections against IP theft, rather than the root cause.

Tracing external threat actors to their origin is nearly impossible. Stopping them – taking action – is even harder. China, India, and Russia are cited as the most common origins of illegal IP usage, but talented, well-funded thieves are spread across the globe.

Many foreign countries are ripe for theft, since they give little credit to intellectual property rights and patents, with difficult legal systems favoring local firms over companies from abroad. Stealing and using recipes, plans, and fabrications is profitable and benefits everyone but the rightful owner.

In summary – the three parts of the challenge are: 1) knowing where the IP lives, 2) understanding internal threats, and 3) guarding against external risks.

About the author:

Josh Linder (LinkedIn profile) is a principal value consultant at OpenText, the leader in information discovery. He has over 20 years in cyber security, information management, marketing and business strategy. Josh previously advised security startups in the areas of marketing, business development, sales, and architecture.

*

“IP risks don’t get no respect”

Paul Rohmeyer, Stevens Institute of Technology School of Business

Large-scale consumer data breaches are regularly chronicled by business media. However, risks to intellectual property don’t seem to get the same attention and scrutiny. Despite IP’s high intangible business value, this may be one of the most significant inhibitors to securing IP.

IP and consumer data are both intangible assets. Without proper monitoring, leakage of either can go unnoticed. In both cases, data owners and custodians are victimized without their knowledge, as neither is deprived of their respective data assets in a breach (exception: ransomware attacks).

Manufacturing organizations, by nature, are built upon foundations of innovation. They are the product of sustained focus on research and development as well as obtaining new IP via business acquisitions. It is hard to overstate the importance of protecting the IP base accumulated by most manufacturing enterprises, because the impact from IP theft can be substantial. 

Lost business opportunities, disrupted customer relationships, and reputational damage can have catastrophic effects on an enterprise in the long term. The immediate dangers are considerable as well. One example is a reduction in company value. This could influence merger and acquisition discussions, as well as stock valuation.

So why does battling IP theft still present such a challenge? The answer lies in the complexities of our interconnected IT and supply chain environments. This may also be why IP theft doesn’t get the same media attention as, say, major ransomware attacks.

Starting with a data inventory may be fundamental in theory. In practice, it proves uniquely challenging for many manufacturers and often requires specialized technical capabilities. Ideally, the identification of IP assets that need protection stretches across the increasingly complex supply chains to account for third-party risks.

Knowing where IP resides allows organizations to focus their IP protection and IP theft prevention resources more precisely on the most valuable assets. To accomplish this, organizations can rely on fundamental risk management techniques, starting with identification of IP in all forms and locations, both logical and physical.

The clear threats to IP, commonly known cyber risks, and substantial consequences of IP breaches need to guide the creation of an appropriate controls architecture. On the operational level, this will enable more active monitoring for signs of an attempted breach. Deployed strategically, its capabilities provide a critical basis for periodic re-evaluations of specific risks to IP.

About the author:

Paul Rohmeyer (LinkedIn profile) is an Associate Teaching Professor at the Stevens Institute of Technology School of Business in Hoboken, New Jersey.

*

“Growing focus on regulatory compliance”

Dr. Emma Bickerstaffe, Senior Research Analyst, Information Security Forum (ISF)

Manufacturers have long been aware of the need to protect intellectual property, as it is often information of great value to the business that would cause a major impact if compromised.

However, efforts to secure IP have recently come under intense regulatory scrutiny, with a host of legal obligations that manufacturers must now adhere to as their IP traverses a tangled web of suppliers.

Legislative reform has meant that manufacturers are not only subject to stringent data protection laws, but must also comply with legislation that specifically governs the protection of trade secrets – a form of IP.

In the European Union, for instance, member states have all enacted legislation to implement the EU Trade Secret Directive into domestic law. In several jurisdictions, this marked the introduction of the first statutory definition of a trade secret, imposing strict legal requirements for confidential business information to qualify as a trade secret and benefit from legal protection.

This growing focus on regulatory compliance has compelled manufacturers to put in place technical, organizational, and contractual measures to safeguard their IP against cyber theft, corporate espionage, and misappropriation.

While a hefty challenge in itself, the real challenge lies in making sure IP receives the same level of protection when it is shared with third parties, such as business partners, suppliers and customers. Identifying exactly who has access to this sensitive data and how it is handled is a vital first step for manufacturers to protect their IP from adversaries and maintain their competitive advantage.

About the author: 

Emma Bickerstaffe (LinkedIn profile) is a Senior Analyst at the Information Security Forum, leading its research on cyber insurance, information security laws and regulation, data leakage prevention and building successful SOCs. Prior to joining the ISF, Emma worked for the New Zealand Government, providing policy advice on defense and security issues. Emma holds a PhD in international law from the University of Cambridge.

*

For more information on document protection and enterprise digital rights management, and to learn about the steps manufacturing companies take to counter IP theft, check out IP Theft in the Automotive Industry: 10 Tips to Counter the Insider Threat on this blog.

Would you like to be included in Fasoo’s next IP protection-related roundup post? Drop us an email!

Fasoo Moderates Panel on Cybersecurity and Your Company

Bill Blake, Senior Vice President and CCO (Chief Customer Officer) of Fasoo, moderated a panel discussion on Cybersecurity on September 13, 2017 at Harter Secrest & Emery LLP in Rochester, NY.  The event, entitled Cyber Security & Your Company – What You Need to Know Now, featured industry leaders and experts from The Bonadio Group, Fasoo, Lawley, and Harter Secrest & Emery LLP discussing how, when, and why to plan for a cyber attack.

The event was part of a continuing dialog with organizations on the needs for stricter cybersecurity controls in the wake of the ever growing threat of data breaches and threats to business operations.  Recent data breaches at Equifax, Verizon and others show that any organization is vulnerable to external attacks or insider threats.  Regulations and legislation, such as the New York NYDFS 23 NYCRR 500 cybersecurity regulations and GDPR in Europe, are causing businesses to improve their security posture to protect business and customer information.

Paul Greene, an attorney with Harter Secrest & Emery LLP, started the event with some opening remarks and Bill Blake got right into the discussion questions which hit on a number of cybersecurity topics, including how to prepare for a cyber attack, the role of insurance in your incident response plan and how the newest cybersecurity regulations and laws affect your business.

High on the list was a discussion of the recent Equifax data breach and how it affects businesses and consumers.  This led to a discussion and questions about risk assessments and how they are critical to improving your cyber security posture.

Carl Cadregari, an Executive Vice President at The Bonadio Group, talked about the frequency of doing a risk assessment.  This is not something you can do once.  The threat landscape is constantly changing and the needs of your business are evolving, so you need to continually assess your risk and the best ways to mitigate it.  Carl said that finding your most sensitive data and encrypting it is one of the best ways to ensure you are protected.  If a hacker gets encrypted files, they won’t be able to use them.  In many cases this may not be considered a data breach, so you don’t need to report it.

While most of us think about technical solutions, legal ones are just as important, since a cybersecurity event is not a breach until your attorney says it is.  Paul Greene mentioned: “It’s important to involve counsel in your Risk Assessment process because it allows you to have a full and frank discussion about any shortcomings you may find, without worrying that those discussions can be used against you.  That’s the protection of the attorney-client privilege, it allows for that “oh [expletive]” moment when you discover something that may be really bad, without the worry that those communications will be used against you.”

Reggie Dejean, a Specialty Insurance Director from Lawley Insurance, talked about the crucial role of insurance in any cyber compliance program.  He said, “Cybersecurity insurance can help mitigate the financial loss that occurs when, not if, a data breach happens to a company. These policies can help cover some of the costs which include forensics, credit monitoring, notifying those affected, public relations and more. In today’s world, any size company is susceptible to a cyber breach, so cyber intrusion insurance can help reduce your risk and costs.”

Bill Blake brought up printing as a risk that many organizations don’t think about.  There tends to be a focus on digital assets, but if someone prints sensitive information, there is still the same liability when it comes to regulation and the law.  Numerous audience members asked if protection of sensitive data extends to paper files and the general consensus is that it does.  Preventing printing to minimize risk is clearly a good strategy when applicable, but masking sensitive data and applying visible watermarks are also good strategies to help eliminate sensitive data on paper and allow you to trace the information back to the person that printed it.

Another big discussion was around risk in the supply chain.  An audience member from a bank said they share a lot of information with Equifax and was wondering if the bank is liable because of the Equifax data breach.  Under the NYDFS 23 NYCRR 500 cybersecurity regulations an organization is responsible for the security of data it shares with its supply chain.  Whether the bank needs to inform authorities of a breach in its supply chain is unclear, but it is ultimately responsible for its data.  Third- and fourth-party protection will come from both technical and legal remedies.  You need airtight legal agreements to mitigate your risk, but encrypting and controlling your shared information is the best solution to supply chain risk.

The event finished with questions from attendees on the most challenging areas in their companies for compliance.  One bit of advice from the panel was to remember that companies should focus on protecting their sensitive information.  While many can get caught up in the minutiae of plans and reporting, it is imperative to focus on protecting the data which drives the business.

Rochester NYDFS Pathways to Compliance Event a Big Success

The first of the NYDFS 23 NYCRR 500 roadshow events in Rochester, NY on May 16, 2017 was a great success as numerous people from local financial services companies participated in a great forum to help organizations understand how to meet the new cybersecurity regulations that went into effect on March 1, 2017.

The event was held at Harter Secrest & Emery LLP in Rochester and started what will be a continuing series of forums to assist entities regulated by the New York Division of Financial Services (NYDFS) comply with a strict and wide-ranging group of regulations.

The event started with an “Overview of 23 N.Y.C.R.R. Part 500 and Key Legal Challenges” by F. Paul Greene of Harter Secrest & Emery LLP.  Paul focused on many of the legal issues around compliance, including what is a covered entity.  Any organization regulated under the Banking, Insurance or Financial Services law is subject to this regulation.  This includes foreign and out of state businesses that operate in New York and most likely applies to the whole organization, unless the organization has a segregated IT infrastructure.

Dr. Larry Ponemon of the Ponemon Institute followed with a review of his latest survey, “Countdown to Compliance: Is the Financial Services Industry Ready for New York State’s Cybersecurity Regulations?”.  Sponsored by Fasoo, this survey helped understand the current posture of readiness to comply with the new regulations.  Some of the more interesting results are that most organizations do not believe they can meet the timelines for compliance, over 70 percent think a lack of knowledgeable personnel will hamper their efforts and most are very concerned about how to implement effective security policies for third party service providers.

Dr. Ponemon’s keynote was followed by a Panel Discussion – Pathway to Compliance – that was moderated by Kevin Cox from Brite Computers.  Panel members included Dr. Ponemon, Paul Greene, Reg Harnish from GreyCastle Security, Reggie Dejean from Lawley Insurance, and Ron Arden from Fasoo.  There was a lot of discussion around doing a risk assessment and understanding what nonpublic information assets you have and where they are.  This led to insurance questions and how best to mitigate risk related to business continuity following a data breach.  While insurance is critical to recovery from loss, it is not a substitute for a good cybersecurity program.

The event finished with questions from attendees on the most challenging areas in their companies for compliance.  One bit of advice from the panel was to remember that the regulation is intended to protect companies and their customers by protecting sensitive information.  While many can get caught up in the minutiae of plans and reporting, it is imperative to focus on protecting the data which drives the business.  That is the focus needed to improve the cybersecurity posture at each covered entity.

Fasoo wants to thank all the Rochester NYDFS 23 NYCRR 500 roadshow sponsors for all their support in making it an outstanding event.

Ponemon Institute
Harter Secrest & Emery, LLP
Brite Computers
GreyCastle Security
Lawley Insurance

Fasoo Sponsors NYDFS 23 NYCRR 500 Roadshow

On March 1, 2017 new sweeping cybersecurity regulations from the New York State Department of Financial Services (NYDFS) took effect.  The NYDFS 23 NYCRR 500 regulations affect thousands of regulated financial institutions that do business in New York as well as thousands of Third Party Service Providers worldwide that support those financial institutions.  The regulations add to the complexity that financial institutions already face in developing and implementing their comprehensive information security programs.  They also bring with them challenges and uncertainty as organizations implement new tools and practices designed to protect customer and company information.

In response to this sea change, Fasoo is sponsoring a roadshow across three major markets in New York (Rochester, Buffalo and New York City) to help affected organizations comply with the new regulations.  The highlight of the roadshow will be a keynote by Dr. Larry Ponemon of the Ponemon Institute reviewing a study sponsored by Fasoo to gauge industry readiness and reaction to the new regulations.

The roadshow brings together experts in cybersecurity, insurance, law, corporate governance, risk management and compliance to help audience members prepare for implementing and managing these new regulations that will surely expand to other states and industries.

If you are in one of these cities during the week of May 15, 2017, please join Fasoo and its partners (see below) for one of these exclusive events.

Rochester, NY – May 16, 2017  8:00 AM – 10:00 AM
Harter Secrest & Emery LLP, 13th Floor
1600 Bausch & Lomb Place
Rochester, New York 14604

Buffalo, NY – May 17, 2017  8:00 AM – 10:00 AM
Phillips Lytle LLP
One Canalside
125 Main Street
Buffalo, NY, 14203

New York, NY – May 19, 2017  8:00 AM – 2:00 PM
PwC
300 Madison Avenue
New York, NY 10017

NYDFS 23 NYCRR 500 roadshow sponsors
Ponemon Institute
Harter Secrest & Emery, LLP
Brite Computers
GreyCastle Security
Lawley Insurance
Phillips Lytle LLP
Freed Maxick
PwC
ForgeRock
Securonix

Fasoo sponsors Cybersecurity event at the Stevens Institute in Hoboken, NJ

Fasoo, in partnership with the National Cyber Security Alliance, New Jersey Technology Council and Stevens Institute of Technology, is hosting “Closing the Threat Gap: Executive Perspectives on the Cybersecurity Landscape” featuring Dr. Larry Ponemon, Chairman of the Ponemon Institute, and Mark Lobel, US and Global TICE Cybersecurity Leader at PwC.  The event is at the Babbio Center, Stevens Institute of Technology in Hoboken, New Jersey on October 26, 2016 from 3:30 – 6:00 p.m.

The two keynotes will focus on the most pressing security issues facing organizations today. Dr. Larry Ponemon will review three of 2016’s highest rated studies focusing on cyber security and how organizations can best position themselves to protect sensitive information.  Mark Lobel will present the findings of PwC’s “Global State of Information Security Survey 2017,” which was released on October 5th. The keynotes will be followed by a panel discussion moderated by Dr. Paul Rohmeyer, Associate Professor of Information Security Management and Risk Assessment at Stevens Institute of Technology.

While the event is open to the public, seating is limited and requires registration. For more information on the event and to register: https://www.stevens.edu/school-business/cyberevent#registration
