First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Network, Systems and Data Security

SEC investigates cyber-related frauds

On October 16th, the US Securities and Exchange Commission published Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements.

 

, , , , ,

Bitcoin and cryptocurrency litigation

Bitcoin and other cryptocurrencies are gaining more attention as days pass. Aside from the advantages that cryptocurrencies have like anonymity and easy international transactions, people are enticed by the fact that it can become a good investment.

 

, , , ,

Treating cyber as a business problem

Cyber risk can only be communicated to leadership in a way that is meaningful and actionable, enabling them to make informed and intelligent decisions, if it is done using business language.

 

, , , ,

Deloitte Internal Audit 3.0 has major flaws

Earlier this year, Deloitte published Internal Audit 3.0, The future of Internal Audit is now. It’s great that they are encouraging internal audit departments to change so they can meet modern demands, but their presentation that they are offering something novel and disruptive is way off the mark.

 

, , ,

First review of the GDPR: Four findings after four months

With four months of life behind the GDPR, now is an opportune time to review those developments. Indeed, after assessing those four months we can make the following four findings.

 

, , ,

What can employers do to prevent security breaches from the inside?

Until employers start to prioritise information security, then the culture won’t change and employers will continue to make mistakes. But if those mistakes do happen and data is breached, then employers need to be smart and act quickly to ensure the best possible defence is available.

 

, , , , , ,

Learn from British Airways’ security breach reporting and notification

British Airways’ experience described in this article underscores that cybersecurity is important, and Canadian entities preparing for mandatory security breach reporting and notification coming into force soon can take lessons from British Airways’ response to a security breach.

 

, , , , , , , , , , ,

Draft amending regulations issued under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, including in respect of virtual currencies and prepaid cards

New regulations issued June 9, 2018, follow the recent 2016 Financial Action Task Force (FATF) Mutual Evaluation Report for Canada (the “FATF Report”) which concluded that Canada largely has a strong legal framework and competent authorities dealing with money laundering and terrorist financing risks, but noted certain deficiencies that needed to be addressed.

 

, , ,

Canadian developments in digital identity

search-warrant

Digital identity is increasingly becoming a hot topic globally and Canada is no exception. For example, amendments to the Bank Act (and equivalent legislation in respect of federal insurance companies and federal loan and trust companies) have recently been introduced permitting federally regulated financial institutions to provide “identification, authentication or verification services”.

 

, , , , , ,

New information about cyber risk is alarming

According to the 2018 Sentinel One Global Ransomware Report, it appears that the frequency of attacks are surprisingly high, but the extent of damage is surprisingly low.

 

, ,

Is there an ROI for investing in cyber or information security?

IS ROI on cyber really as high as it may seem at first glance? At some point, it may be better to consider cyber risk as a “cost of doing business”. If you can’t actually reduce the likelihood of a breach, can you at least increase the likelihood of prompt detection and response?

 

, , , , , ,

Recent SEC settlement is cautionary tale for Canadian public issuers on disclosure of cyberincidents and related risks

The Securities and Exchange Commission’s (SEC) first enforcement action against a public issuer for failure to make timely disclosure of cyberincidents may be a wake-up call for Canadian public issuers and their directors and officers.

 

, , ,

So what if the risk is high?

Most organizations cannot afford to reduce every single risk to what some practitioners would deem acceptable. Providing actionable information about all the things that might happen, not by using terms like High, Medium, or Low, but in specific business terms will help evaluate which risks to take.

 

, , , , ,

Are you managing risk or are you managing the organization?

Stop managing risk – manage the business. Stop talking about accepting or managing risk and start talking about taking the right risks through informed and intelligent decisions.

 

, , , , ,

My cyber confession

Should we give up auditing information security and the management of cyber risk? Not at all. But we should do so with eyes wide open. We should recognize the limitations of our knowledge, tools and techniques and the likelihood that hackers have new techniques that are unknown both to auditors and management.

 

, , , , , , , , , ,

Previous Posts Next posts