Cyber Daily: Financial Firms Suggest Security Vetting Process Must Change
Good day. Hefty questionnaires have long been a favored method for banks to perform due diligence on service providers, but financial companies are suggesting to regulators that these are increasingly inadequate, WSJ Pro’s James Rundle reports. Risk management in the financial supply chain is of keen interest to regulators, some of which are looking into how banks vet cloud and other technology firms.
We also have an update about three Alabama hospitals battling ransomware, in a report from WSJ Pro’s Adam Janofsky, below.
Elsewhere: Twitter and WhatsApp could see GDPR case decisions soon.
Have you visited our new website? Check it out: https://www.wsj.com/pro/cybersecurity Let me know what you think by email.
Financial System Security
At a recent CFTC meeting, participants voiced concerns about relying too much on vendor questionnaires to assess cyber defenses. PHOTO: STEPHEN VOSS FOR THE WALL STREET JOURNAL
Cyber risks force banks to rethink vendor relationships. The usual means of assessing vendor risk—lengthy questionnaires—are no longer appropriate, companies tell regulators.
Surveys that financial firms typically send to business partners often end up being a check-box exercise of yes-or-no questions, a method that doesn't uncover all cybersecurity risks.
Banks worry that weak controls at technology providers could allow hackers into their own systems. Regulators are also concerned that a cyberattack that takes down a major financial company could destabilize markets. The problem is, no one has any good alternatives to questionnaires, WSJ Pro’s James Rundle reports.
Read the full story at the WSJ Pro Cybersecurity website.
Update: Ransomware at Alabama Hospitals
The Alabama hospital system battling a ransomware attack since last week decided to pay a ransom.
“We work with law enforcement and IT security experts to assess all options...in the best interest of our patients,” a spokesman for the group told WSJ Pro Cybersecurity Monday. “This included purchasing a decryption key from the attacker to expedite system recovery and help ensure patient safety.”
Operations at the hospitals—DCH Regional, Northport and Fayette—had been disrupted since Oct. 1. Non-emergency patients were asked to find alternate providers, and medical staff resorted to written notes.
The spokesman declined to say how much the group paid and had no time frame for full recovery, adding that restoration work continues.
—Adam Janofsky
Would you pay attackers? The Federal Bureau of Investigation advises against paying hackers, saying it only encourages more attacks, and the U.S. Conference of Mayors in July adopted a resolution opposing ransom payments.
But some security professionals say there may be times when municipalities have few options other than to pay, especially if the systems taken hostage are critical to public health and safety and can’t be restored quickly. Read how experts weigh both sides of the argument and let us know how you come down.
Helen Dixon, Ireland's Data Protection Commissioner, pictured in June, could issue draft decisions and possible fine recommendations in Twitter and WhatsApp cases by the end of the year. PHOTO: SIMON DAWSON/BLOOMBERG NEWS
Ireland’s privacy regulator moves closer to decisions on WhatsApp, Twitter. Ireland’s Data Protection Commission said Monday that it has completed investigations in two of the first cases involving big tech companies, The Wall Street Journal reports. The results are now on the desk of Helen Dixon, the body’s commissioner, for her draft decisions and possible fine recommendations, which could come by the end of the year. Representatives for WhatsApp, Facebook and Twitter declined to comment.
WhatsApp: The case looks at whether the Facebook-owned chat app gives sufficient information to users and nonusers about how it shares data, in particular with other Facebook units.
Twitter: The case examines whether the company complied with notification obligations for a personal data breach the company disclosed to the regulator in January.
All eyes: The Irish cases have been closely watched. How EU regulators eventually decide the cases under the GDPR, and the size of any fines they might impose, will help determine the role the EU will play in regulating the tech sector world-wide.