First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Network, Systems and Data Security

What can employers do to prevent security breaches from the inside?

Until employers start to prioritise information security, then the culture won’t change and employers will continue to make mistakes. But if those mistakes do happen and data is breached, then employers need to be smart and act quickly to ensure the best possible defence is available.

 

, , , , , ,

Learn from British Airways’ security breach reporting and notification

British Airways’ experience described in this article underscores that cybersecurity is important, and Canadian entities preparing for mandatory security breach reporting and notification coming into force soon can take lessons from British Airways’ response to a security breach.

 

, , , , , , , , , , ,

Draft amending regulations issued under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, including in respect of virtual currencies and prepaid cards

New regulations issued June 9, 2018, follow the recent 2016 Financial Action Task Force (FATF) Mutual Evaluation Report for Canada (the “FATF Report”) which concluded that Canada largely has a strong legal framework and competent authorities dealing with money laundering and terrorist financing risks, but noted certain deficiencies that needed to be addressed.

 

, , ,

Canadian developments in digital identity

search-warrant

Digital identity is increasingly becoming a hot topic globally and Canada is no exception. For example, amendments to the Bank Act (and equivalent legislation in respect of federal insurance companies and federal loan and trust companies) have recently been introduced permitting federally regulated financial institutions to provide “identification, authentication or verification services”.

 

, , , , , ,

New information about cyber risk is alarming

According to the 2018 Sentinel One Global Ransomware Report, it appears that the frequency of attacks are surprisingly high, but the extent of damage is surprisingly low.

 

, ,

Is there an ROI for investing in cyber or information security?

IS ROI on cyber really as high as it may seem at first glance? At some point, it may be better to consider cyber risk as a “cost of doing business”. If you can’t actually reduce the likelihood of a breach, can you at least increase the likelihood of prompt detection and response?

 

, , , , , ,

Recent SEC settlement is cautionary tale for Canadian public issuers on disclosure of cyberincidents and related risks

The Securities and Exchange Commission’s (SEC) first enforcement action against a public issuer for failure to make timely disclosure of cyberincidents may be a wake-up call for Canadian public issuers and their directors and officers.

 

, , ,

So what if the risk is high?

Most organizations cannot afford to reduce every single risk to what some practitioners would deem acceptable. Providing actionable information about all the things that might happen, not by using terms like High, Medium, or Low, but in specific business terms will help evaluate which risks to take.

 

, , , , ,

Are you managing risk or are you managing the organization?

Stop managing risk – manage the business. Stop talking about accepting or managing risk and start talking about taking the right risks through informed and intelligent decisions.

 

, , , , ,

My cyber confession

Should we give up auditing information security and the management of cyber risk? Not at all. But we should do so with eyes wide open. We should recognize the limitations of our knowledge, tools and techniques and the likelihood that hackers have new techniques that are unknown both to auditors and management.

 

, , , , , , , , , ,

Talking sense about technology risk and cyber

You have to have sponsorship from the CEO and throughout the company to really understand and diagnose IT risks, data security risks and business risks, and then prioritize them.

 

, , , ,

An idea to help drive effective risk management

We want all decision-makers to consider all the potential consequences of their decision (in fact, all the potential consequences for each option on the table) before making an informed and intelligent judgment. What if the quality of decision-making was a significant factor in assessing performance? Thus affecting compensation and career progression. This idea could help drive effective risk management.

 

, , , , , , , ,

Guidance on recording of customer telephone calls updated

The Office of the Privacy Commissioner of Canada recently updated its information and guidance on recording of customer telephone calls to bring it up to date, make it web-friendly and responsive for user feedback.

 

, , , , , , , , ,

The SEC is changing the rules for SOX s302 certifications to include cyber risks

You may know that the SEC just published new guidance on the disclosures they are required to make related to cybersecurity. But did you realize that the SOX s302 certification now has to address whether disclosure controls are adequate in ensuring that the proper disclosures are made?

 

, , ,

It’s official: Mandatory data breach notification coming on November 1, 2018

The coming into force of mandatory breach notification and record-keeping requirements on November 1, 2018 should be viewed by organizations as an effort to align Canadian legal and regulatory requirements with those in the United States and Europe (especially with the General Data Protection Regulations – or GDPR – coming into force in May 2018).

 

, , , , , ,

Previous Posts