Thoughts on Corporate Risk and How Companies are Handling the Challenge

How Conduct Risk and Cyber Risk are Related

Conduct risk management began gaining traction in the financial services industry as a way to minimize the probability of another financial meltdown. The Equifax cyber meltdown exposed the close connection between managing conduct risk and cyber risk.

Cyber Risk Governance is a Unique Discipline

The term “Cyber Risk Governance” is being used frequently. What is a good definition, and how does it differ from GRC? Two years ago when we began building Cybernance, our strategy was based upon three views not widely held at the time: Cybersecurity is not just a...

Achieving National Cyber Resilience

How do we as a nation enhance our cybersecurity posture to increase our resilience against cyberattacks targeting the homeland? As the new administration forms, cybersecurity is one of its top national policy issues. Several days ago, Rudy Giuliani was tasked with (1)...

Warner-McCaul Cyber Act Becomes Law

Cybersecurity legislation is coming sooner than you think. WASHINGTON – The Senate and the House of Representatives approved the Warner-McCaul Cyber Act of 2017 Tuesday, with overwhelming bipartisan majorities in both houses. The bill creates the first coordinated...

Nowhere to Run, No Place to Hide

The psychological need to be perceived as competent and avoid embarrassment is universal, but when it blocks achievement of higher cyber resilience, it can’t be allowed to drive organizational behavior.

Cyber Risk Market Heading Toward Adolescence

The quality of the recipients of this past week’s 2016 Advisen Cyber Risk awards highlights that, while the cyber risk market is not fully mature, it is moving toward adolescence. On June 15, Advisen announced the winners of the 2016 Cyber Risk Awards. Lockton’s Ben...

Are We Heading for a Cyber Sarbanes-Oxley?

“We are facing a crisis of confidence that is eroding the public's trust in our markets, and poses a real threat to our economic health... The strain on the economy is deep and spreading.” If you regularly track emerging stories about the effect that cybersecurity...

Secure? Says Who?

If you’re a board member concerned about cyber risk, you regularly ask “how secure are we from a cyber breach?” Is the answer delivered in technology metrics or a measurement of business risk?

Cybergovernance: Are More Experts the Answer?

A recent Los Angeles Times story described how one company chose to enhance corporate governance of cyber risk (cybergovernance) by adding a cybersecurity expert to their board. Is this a path that other companies should emulate? Parsons Corporation is a...

Needed: A Shared Cybergovernance Model

My own theory is that we are in the middle of a dramatic and broad technological and economic shift in which software companies are poised to take over large swathes of the economy. More and more major businesses and industries are being run on software and delivered...

Dual Axis of Threat Awareness

Introduction: Keeping up with today’s torrent of cybersecurity breach information is a daunting task. The topic – and the alarms it rings – is deeply complex and moves at a blistering pace. If security doesn’t show up in their job description, an employee is likely to...

The Big Assumption

I’d like to conduct a quick thought experiment. Before you continue reading, pause for a moment and conjure up an image of the person you think is most likely to be in charge of cybersecurity in any given modern-day company. What is the person’s title? What is the...

Cybergovernance Journal – 11/11/19

October was the 16th annual National Cybersecurity Awareness Month (NCSAM). Read about the results of the first statewide cyber benchmark conducted for the banking industry.

Cybergovernance Journal – 6/2/18

As we mentioned last month, managing conduct risk can improve attitudes about safe handling of customer data from the executive team down, and it encourages responsible initiatives that increase cyber resilience.

Cybergovernance Journal Update – 3/31/17

How transparent should your cybersecurity strategy be? Should cyber risk reduction be left in the hands of a few security experts or should it be an organization-wide effort to protect the company?

Cybergovernance Journal Update – 3/24/17

With the NIST framework used to measure federal agencies’ and departments’ cybersecurity resilience, is it time for private institutions to gauge their own cyber defenses by the same or similar standards?

Cybergovernance Journal Update – 3/17/17

Not all cybersecurity frameworks are equal. While some companies recognize they need to adopt the most comprehensive plans, others will implement only the bare minimum, putting other institutions at risk.

Cybergovernance Journal Update – 3/10/17

On March 16, we will speak and lead a panel at a Skytop Strategies conference on Cyber Risk Governance. Friends of Cybergovernance Journal who want to attend can get a 30% discount. We hope to see you there!

Cybergovernance Journal Update – 3/3/17

With the U.S. Government aiming to require agency compliance with the NIST Cybersecurity Framework, is making it part of a national cybersecurity regulatory plan that far off?

Cybergovernance Journal Update – 2/24/17

With the average cost of a cyber breach being $4 million (in addition to loss of future revenue and customers), what more motivation do board members need to take cyber risk seriously?

Cybergovernance Journal Update – 2/10/17

Human hacking is one of the easiest ways for attackers to create a breach, especially if company culture is not improved alongside technological cyber risk measures. LinkedIn Pulse, Feb. 8: The psychological...

Cybergovernance Journal Update – 1/27/17

The worst way to deal with cybersecurity is to ignore the cyber risk your organization exposes itself to and then cover up evidence of the inevitable breach(es). Cybergovernance Journal, Jan. 23: The term...

Cybergovernance Journal Update – 1/20/17

Spooked by data breaches and the bad press that accompanies them? It's never too late to obtain a cybersecurity audit and cultivate cyber risk mitigation habits. Cybergovernance Journal, Jan. 16: How do we...

Cybergovernance Journal Update – 1/13/17

Cybersecurity vulnerabilities don't just happen at the institutional level, but across interconnected and interdependent systems. A commonly adopted and widely accepted framework could lessen those shared...

Cybergovernance Journal Update – 1/6/17

Government action on cybersecurity will be a hot topic this year as many nations focus on systems vulnerable to cyber attack with little in the way of defined policy to counteract it. Cybergovernance...

Cybergovernance Journal Update – 12/30/16

While some strides in cybersecurity mitigation have been made in the past year, organizations as a whole still have much to do to keep threat actors at bay. Cyberscoop, Dec. 28: It’s that familiar season...

Cybergovernance Journal Update – 12/2/16

As comprehensive cybersecurity practices become better defined, we find that the scope has moved beyond organizations to encompass the Internet of Things, from refrigerators to pacemakers.

Cybergovernance Journal Update – 10/14/16

Government bodies are working to ensure organizations build solid cybersecurity plans, which requires a board of directors who are committed to implementing them, which requires a cyber risk team that can provide actionable intelligence.

Cybergovernance Journal Update – 8/26/16

Lax cybersecurity practices are increasingly becoming more of a liability for companies. Rather than being forced to by law or threat of legal action by stockholders and customers, a proactive company can get ahead of the coming regulatory curve. Cybergovernance...

Cybergovernance Journal Update – 8/19/16

Keeping up with every external threat to your organization can be a Sisyphean task. Ensuring your company’s cyber resilience by focusing on internal practices in addition to physical infrastructure is achievable.

Cybergovernance Journal Update – 7/29/16

One of the problems of cybersecurity is that an assessment is a snapshot within a rapidly changing environment. This makes choosing a solid, reputable method of assessment for your organization all the more important.

Cybergovernance Journal Update – 7/22/16

Many companies still view cybersecurity as an IT-only problem. However, those who implement it with a holistic, institution-wide plan also reap the benefits of increased operational excellence.

Cybergovernance Journal Update – 7/15/2016

When you are hit by attackers, covering it up to avoid liability is not recommended. It’s better to have a comprehensive, holistic cybersecurity plan that is more than software plus the IT department.

Cybergovernance Journal Update – 7/8/2016

At the federal and state levels, the U.S. government is making several moves to support cybersecurity best practices: establishing a federal CISO, continuing cyber dialogues with China, and increasing use of private, secure cloud networks for state business. Cybernance...

Cybergovernance Journal Update – 6/10/16

One of the more common cyber attacks, phishing, is on the rise and many times it is coupled with ransomware. This is one of many reasons that, by 2020, most digital businesses will be affected by major service failures.

Cybergovernance Journal Update – 6/3/2016

The $81M bank heist in Bangladesh is a case study in the result of not having a comprehensive cybersecurity plan in place. But which plan is best? NIST? The developing European approach? LinkedIn Pulse, May 31, 2016: The NIST Cybersecurity Framework has won universal...

Cybergovernance Journal Update – 5/27/2016

The vast majority of companies continue to be unprepared for cyber breaches, but will the passage of a “Sarbanes-Oxley” bill for cybersecurity provide the guidance and motivation to get them secure?

Cybersecurity Governance News – 5/6/2016

Being prepared and following best cybersecurity practices is the first step in preventing your data from being stolen and sold on the dark web. SC Magazine, May 4: Hold Security said the batch came from a “Russian kid” that one of its analysts found who had gathered 1.17...

Cybergovernance Journal Update – 4/29/2016

Unprepared executives, losing sleep over cybersecurity issues and in some cases unable to read a cybersecurity report, are themselves a cyber risk, not only to their careers but to their organizations.

Cybergovernance Journal Update – 4/22/2016

One of the best markers that cybersecurity is rising in importance is looking at how the insurance industry is reacting to cyber risk. Another is to observe how national governments are reacting, or failing to act.

Cybergovernance Journal Update – 4/15/2016

The price of reducing cyber risk is constant vigilance. It is not a duty reserved for the IT department or a few executives, but an organization-wide effort of compliance and training.

Cybersecurity Governance News – 4/8/2016

Cybergovernance is slowly maturing with the refinement of the NIST framework, strategies to fill security positions and increasing awareness that the entire organization is responsible for cybersecurity.

Cybersecurity Governance News – 4/1/2016

Cybersecurity awareness continues to rise, and with it the realization that the business world is far behind. Shortages in security talent have driven salaries up, and boardroom governance is still below where it needs to be.

Cybersecurity Governance News – 3/18/16

While a new crop of MBAs specializing in cybersecurity analytics is being trained, current executives still need to protect themselves and their companies. Basic cybersecurity practices are easy to implement, but comprehensive implementation requires a challenging amount of organizational discipline.

Cybersecurity Governance News – 3/4/16

The technological elements of cybersecurity remain the easiest to regulate and build. The human elements, on the other hand, require changes that many companies are too slow in adopting.

Cybersecurity Governance News – 2/19/16

Turning cybersecurity theory into practice is a challenge in the government and business spheres. The real-world consequences of overconfidence in partially implemented plans can include ransomware demands and data breaches, putting CEOs and boards at risk of litigation.

Cybergovernance Journal Update – 2/11/2016

The NIST Framework is gaining traction in government circles, but companies are still falling short of comprehensive solutions, instead relying on periodic risk assessments or throwing more experts at the problem. Financial Times, Feb. 11: Mr. Weil says companies need to...

Cybergovernance Journal Update – 2/5/2016

Regulations, periodic assessments and theoretical models can only lead the way to a partial, but not comprehensive, cybersecurity solution. This is especially true when it comes to making cybergovernance accessible to executives — until now.

Cybergovernance Journal Update – 1/22/2016

While state actors plot further government and corporate breaches, strategies are being further refined to deal with them. Cybersecurity responses are moving from ineffective single-point plans to comprehensive structural risk responses.

Cybergovernance Journal Update – 12/11/2015

More companies around the world are coming to realize how vulnerable they are to cyber attack. Recent articles discussed legislation aimed at ensuring cybersecurity standards are met, vulnerabilities to national infrastructure and to businesses, and how cyber affairs...

Cybergovernance Journal Update – 12/4/2015

Cybergovernance is a hot boardroom topic – globally! The consensus is that success in mitigating cyber risk must involve an increased level of understanding by executives and board members, and increased education and awareness throughout the organization.

Cybergovernance Journal Update – 11/27/2015

As more breaches happen and shareholder lawsuits follow, discovering how your organization as a whole, not just the technology team, deals with cybersecurity grows in importance. Directors must also understand how data must be handled in order to combat global espionage that is growing with the rise of global workforces.

Cybergovernance Journal Update – 11/20/2015

The visibility of cybersecurity breaches as a source of corporate risk continues to grow. Recent articles discussed adding cybergovernance experts to boards, regulation in the financial services and healthcare industries, and worldwide concern for better security and...

Cybergovernance Journal Update – 11/13/2015

Members of the U.S. futures market will soon be measured against heightened cybersecurity standards geared towards enhancing incident preparation, prevention, and response among industry participants regulated by the National Futures Association (NFA).