First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Network, Systems and Data Security

Security breach notification and reporting requirements are now in force under Canada’s PIPEDA

Canada’s long-awaited federal private-sector data breach notification and reporting requirements came into force on November 1, 2018.

 

, , , , ,

UK government guidance on risk and cyber: the very good and the very bad

The National Cyber Security Center (NCSC) is a part of the UK’s Government Communications Headquarters (GCHQ). If you are like me, you may have only heard about GCHQ in an unflattering context, that of working with US intelligence agencies to spy on foreign heads of state and hack foreign agencies.

 

, ,

Ten considerations for a cybersecurity incident response plan

If you ask a group of cybersecurity experts what should be included in a Cybersecurity Incident Response Plan (“CIRP”), you will get a wide variety of answers. Happily, many of those answers contain similar themes including these ten important considerations your organization should be aware of when creating and managing a CIRP.

 

, , , , ,

SEC investigates cyber-related frauds

On October 16th, the US Securities and Exchange Commission published Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements.

 

, , , , ,

Bitcoin and cryptocurrency litigation

Bitcoin and other cryptocurrencies are gaining more attention as days pass. Aside from the advantages that cryptocurrencies have like anonymity and easy international transactions, people are enticed by the fact that it can become a good investment.

 

, , , ,

Treating cyber as a business problem

Cyber risk can only be communicated to leadership in a way that is meaningful and actionable, enabling them to make informed and intelligent decisions, if it is done using business language.

 

, , , ,

Deloitte Internal Audit 3.0 has major flaws

Earlier this year, Deloitte published Internal Audit 3.0, The future of Internal Audit is now. It’s great that they are encouraging internal audit departments to change so they can meet modern demands, but their presentation that they are offering something novel and disruptive is way off the mark.

 

, , ,

First review of the GDPR: Four findings after four months

With four months of life behind the GDPR, now is an opportune time to review those developments. Indeed, after assessing those four months we can make the following four findings.

 

, , ,

What can employers do to prevent security breaches from the inside?

Until employers start to prioritise information security, then the culture won’t change and employers will continue to make mistakes. But if those mistakes do happen and data is breached, then employers need to be smart and act quickly to ensure the best possible defence is available.

 

, , , , , ,

Learn from British Airways’ security breach reporting and notification

British Airways’ experience described in this article underscores that cybersecurity is important, and Canadian entities preparing for mandatory security breach reporting and notification coming into force soon can take lessons from British Airways’ response to a security breach.

 

, , , , , , , , , , ,

Draft amending regulations issued under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, including in respect of virtual currencies and prepaid cards

New regulations issued June 9, 2018, follow the recent 2016 Financial Action Task Force (FATF) Mutual Evaluation Report for Canada (the “FATF Report”) which concluded that Canada largely has a strong legal framework and competent authorities dealing with money laundering and terrorist financing risks, but noted certain deficiencies that needed to be addressed.

 

, , ,

Canadian developments in digital identity

search-warrant

Digital identity is increasingly becoming a hot topic globally and Canada is no exception. For example, amendments to the Bank Act (and equivalent legislation in respect of federal insurance companies and federal loan and trust companies) have recently been introduced permitting federally regulated financial institutions to provide “identification, authentication or verification services”.

 

, , , , , ,

New information about cyber risk is alarming

According to the 2018 Sentinel One Global Ransomware Report, it appears that the frequency of attacks are surprisingly high, but the extent of damage is surprisingly low.

 

, ,

Is there an ROI for investing in cyber or information security?

IS ROI on cyber really as high as it may seem at first glance? At some point, it may be better to consider cyber risk as a “cost of doing business”. If you can’t actually reduce the likelihood of a breach, can you at least increase the likelihood of prompt detection and response?

 

, , , , , ,

Recent SEC settlement is cautionary tale for Canadian public issuers on disclosure of cyberincidents and related risks

The Securities and Exchange Commission’s (SEC) first enforcement action against a public issuer for failure to make timely disclosure of cyberincidents may be a wake-up call for Canadian public issuers and their directors and officers.

 

, , ,

Previous Posts