AWS-Cloud-Security-Consulting.jpg

CYBER SECURITY CONSULTING SERVICE AWARDS AND RECOGNITIONS

CyberSecOp's comprehensive managed security services, cyber security consulting, professional services, and data protection technology are recognized as industry-leading threat detection and response solutions by major analyst firms, key media outlets, and others.

Information Security CyberSecOp Cybersecurity & Breach News Information Security CyberSecOp Cybersecurity & Breach News

FBI, DHS, DFS, & NFA Information Security Alert

There is a current heightened risk of cyber attacks from the Iranian Government, which has vowed to retaliate against the United States for the death of Qassem Soleimani. Given Iranian capabilities and history, U.S. entities should prepare for the increased possibility of cyber-attacks.

What is most concerning about Iran's cyber-attack history, is that it particularly targets the U.S. financial services industry. In June 2019, the U.S. government advised that it observed a “recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies,” Iranian attackers are increasingly using highly destructive attacks that delete or encrypt data.

Dept. of Financial Services (DFS), Dept. Of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI) strongly recommend that all U.S. entities heighten their vigilance against cyber attacks. All entities should be prepared to respond quickly to any suspected cyber incidents. Historically, Iranian-sponsored hackers have primarily relied on common hacking tactics such as email phishing, credential stuffing, password spraying, and the targeting of unpatched devices.

DFS, DHS, and the FBI recommend that all entities ensure all vulnerabilities are patched/remediated (especially publicly disclosed vulnerabilities). It is also important to ensure that employees are adequately trained to deal with phishing attacks; implementation of multi-factor authentication; disaster recovery plans are reviewed and updated, and prompt response to further alerts from the government or other reliable sources is provided. It is particularly important to ensure that any alerts or incidents are given a prompt response (even outside of regular business hours). Iranian hackers are known to prefer attacking over the weekends and at night - precisely because they know that weekday staff may not be available to respond immediately.

Cyber Security Bulletin

1) FBI, DHS issue bulletin warning of potential Iranian cyberattacks.                   

The FBI and Department of Homeland Security (DHS) issued a bulletin to law enforcement groups last week Wednesday warning of the potential for Iran to target the U.S. with cyberattacks in the wake of raised tensions following the death of Iranian General Qassem Soleimani.

2) 73% of black hat hackers said traditional firewall and antivirus security is irrelevant or obsolete.     

According to the same survey, 80% of hackers say “humans are the most responsible for security breaches”.    

3) Traditional perimeter-based security is not enough for cyberattacks.
According to Verizon’s Data Breach Investigations Report, over half — and trending toward 100% — of recent data breaches were due to compromised credentials.

4. There is a cyber attack every 39 seconds.
 By the time the average person takes a selfie and uploads it to Instagram, the next hacker attack has already taken place.

For more information or if you have any concerns over heightening cybersecurity at your firm, please contact us at Support@cybersecop.com

Read More
Information Security, Security Compliance, Cyber Insurance CyberSecOp Cybersecurity & Breach News Information Security, Security Compliance, Cyber Insurance CyberSecOp Cybersecurity & Breach News

Connecticut Insurance Data and Information Security

Connecticut ACT Concerning Insurance Data and Information Security

Section 230 of the Connecticut budget bill is called the “Insurance Data Security Law”; Connecticut now requires registered entities to have Information security and Cyber security program similar to New York’s Department of Financial Services (NYDFS). Section 230 became effective as of October 1, 2019, and the information security program must be implemented by no later than October 1, 2020. The purpose of this section 230 is to establish standards for data and information security for persons licensed and required to be licensed by the Insurance Commissioner, require licensees to notify the commissioner following cybersecurity events,d require the commissioner to investigate such possibilities.

Information Security Program

The requirements include the implementation and maintenance of a Written Information Security Program (WISP) based upon a risk assessment as well as administrative, technical and physical safeguards to protect non-public information: Board of Directors oversight, policies, procedures, and precautions, risk management program included risk assessment, risk evaluation, risk mitigation of internal and external systems, and third parties vendor/suppliers, cybersecurity awareness training, encryption of data in transit and at rest, multifactor authentication, and continuous monitoring to identify unauthorized access to, or unauthorized alteration, destruction, disclosure, misuse or transmission of, nonpublic information. Speak with an expert.

Section 230 affects Insurance Companies, and third parties Auto Insurance

·         Life Insurance

·         Business Insurance

·         Recreational Insurance

·         Umbrella Insurance

·         Financial Insurance

·         Health & Long Term Care Insurance

·         Flood Insurance

·         Health Insurance

·         Homeowners Insurance

·         Insurance company’s suppliers

Breach & Cyber Event Notification

Cybersecurity event, the notification must be made to the Commissioner within three business days. Suppose an insurance licensee notifies an individual under the Connecticut breach notification law. In that case, the insurer must inform not only the individuals but also the Connecticut Attorney General and the Insurance Commissioner and has a “continuing obligation to update and supplement such information.”

Enforcement of Section 230

The enforcement provisions allow the Commissioner permission to “suspend revoke or refuse to reissue or renew any license, certificate of registration or authorization to operate” … and state that the Commissioner can impose a civil penalty of not more than fifty thousand dollars for each violation of the provision of this section.

The bill also requires insurance licensees to offer 24 months of credit monitoring to affected individuals in a data breach, which is consistent with the Connecticut data breach notification law.

Read More