Are You Prepared for GDPR?

If your work involves personal data, you probably already know the European Union’s (EU) General Data Protection Regulation (GDPR) enforcement date is May 25.

While penalties for noncompliance can be stiff, the sky may not be falling just yet.

GDPR focuses on personal data originating from the EU, which reaches well beyond the EU’s borders into organizations around the world that collect, process, use and store that data. As a regulation focused on data protection and privacy, GDPR’s impact may extend far outside the EU. For example, there are signs that Latin American countries may be considering a regulation that mirrors GDPR. With the recent Facebook/Cambridge Analytica data privacy fallout, several pieces of privacy-related legislation in the U.S. are currently being considered by federal lawmakers.

Privacy is a risk-based problem. Organizations should assess which risks exist and determine their risk tolerance. With data privacy, these risks are typically financial (such as fines and lawsuits) and reputational (bad press and negative perceptions).

GDPR also introduces a newer risk into the risk landscape – one related to activist groups potentially using GDPR as a springboard to flood a target organization with data subject requests.

Why GDPR matters and to whom it applies
GDPR applies to personal data originating from the EU. GDPR gives individuals (aka “data subjects”) control and ownership over their personal data. This includes personally identifiable information (PII), IP addresses, biometric data, social identity, along with health, economic, cultural and genetic data. There are two reasons this has gotten so much attention:

  • The GDPR represents the EU’s most sweeping changes to privacy regulations in decades. It requires organizations to be transparent about which data is collected and how it will be used. All data collected must have a purpose and be kept accurate and up to date. Individuals (aka data subjects) now have the power to access their data, fix errors, restrict usage, move data and demand that their data be deleted.
  • The penalties for noncompliance are unprecedented. The law sets out penalties of up to four percent of global revenue or €20 million, whichever is greater. It is not clear at this point how and when these fines will be applied or if they are even enforceable outside the EU. However, the significant size of the potential fines and potential risk of noncompliance captured the attention of organizations around the world.

Large data-driven organizations have been working toward GDPR compliance since the regulation was passed in 2016. A significant number of organizations may not be ready, however. In fact, a flash poll conducted by Baker Tilly during a recent GDPR webinar revealed that 90% of attendees do not have the necessary controls in place to be GDPR-compliant.

What to do today
Preparing for GDPR compliance is a matter of preparing for privacy in general. Whoever you are and wherever you are in the world, consider these steps in your compliance journey:

  1. Identify potential data and systems affected by GDPR: Put a process in place to understand what data you collect and why. Know where it is coming from and where it is stored. You will want to know where you have “data pools” with GDPR relevance and you’ll want to know the scope. Is it one record or one million? Where are the gaps in compliance?
  2. Understand existing data privacy controls: Review your existing data protection controls and assess GDPR compliance. Do you have written security protocols in place? What is your risk exposure? Depending on the type of organization you represent, you may actually be closer to compliance than you think. For example, organizations compliant with NIST, ISO, HIPAA, PCI DSS, Privacy Shield or other frameworks may be well on the way to GDPR compliance.
  3. Lead from the top and educate: The news cycle is now dominated by the questionable use of personal information and it appears the shift to a data subject-centered environment may very well be here to stay. This issue goes beyond risk management and IT. Marketing, legal, government affairs, HR and communications are just a few of the functional areas touched by privacy issues. They all need to be as committed to data protection as the chief privacy officer.
  4. Be clear about how you will deal with data-subject requests: Once you have a clear picture of the data you possess, it is essential to design, implement and document your processes to correct, transfer and delete that data if required, or to be able to provide a valid, legal reason for retaining the data.
  5. Determine whether you need a data privacy officer: The GDPR requires that a data privacy officer (DPO) be appointed in most situations. Proactive organizations should consider the organization’s position and strategy. Is privacy an essential piece of the business model (as it is for a bank) or the brand (as it is for Apple)?
    The answer may well influence whether or not you define a new area of leadership and accountability.

Looking ahead
There is a shift taking place. People used to accept (or not know) that their online data and personal information were being tracked and used by others. Many people seemed to think this was simply the price of being online. Now, people are questioning how their data is being used and governments are starting to listen. GDPR is the likely first step toward far more widespread change.

This is not about solving every single detail today. Most experts believe that a well-documented plan and clear effort to comply with the GDPR will make conversations with supervisory authorities significantly easier. Do the homework ahead of time, know your landscape, get your systems in place, be transparent and be ready to pivot when necessary. Do that, and you will be miles (or kilometers) ahead of everyone else next time a new law or regulation goes into effect.

LIRR Misses Critical Juncture for Positive Train Control

Last week, the Long Island Rail Road (LIRR) confirmed interruptions in its ability to fully install positive train control (PTC) across its system by the end of the year. Newsday reported that the LIRR system, which is a unit of the Metropolitan Transportation Authority’s (MTA) network, failed 16 out of 52 factory tests performed in early March using a computerized simulation of the new technology.

Although its PTC contractor continues to investigate the cause of the failures, MTA officials said they believe it stems from the complexity and density of the LIRR, which is the busiest commuter railroad in the country averaging more than 311,000 daily riders.

PTC is designed to eliminate human error by using four components: GPS satellite data, onboard locomotive equipment, the dispatching office and wayside interface units. The system communicates with the train’s onboard computer, allowing it to audibly warn the engineer and display its safe braking distance based on its speed, length, width and weight, as well as the grade and curvature of the track, according to railroad operator Metrolink.

If the engineer does not respond to the warning, the onboard computer will activate the brakes and safely stop the train.

An approved PTC System must protect against:

  • Passing a stop signal.
  • Train-to-train collision.
  • Overspeed on curves and other civil restrictions.
  • Unauthorized incursions by a train into a work zone.

The installation began in January as part of a $1 billion safety upgrade, although it had been on the LIRR’s strategic plans for years. So far, substandard testing results are not instilling much confidence that PTC will be complete by the federal deadline of Dec. 31, 2018. If that deadline is missed, agencies without properly-installed PTC may face fines of up to $25,000 per day, as enforced by the U.S. Rail Safety Improvement Act of 2008.

MTA Board member Neal Zuckerman told Newsday he is less concerned about meeting a federal deadline than he is about “having a system that works for riders.”

“It is better to have this right than fast,” Zuckerman said. “A nonfunctioning system is not worthwhile. It’s a waste of money and time and ultimately will not serve the needs of the riders.”

The LIRR is not the only major transit system to be missing the mark. Risk Management Monitor reported on Amtrak’s struggle to meet the deadline in February and that by the end of 2017, only 8% of NJ Transit’s locomotives and none of its tracks were updated with PTC.

Efforts to upgrade train technology have been a nationwide priority. There have been a number of accidents in recent years. The most recent was a major derailment occurring on Dec. 18, 2017 when an Amtrak train derailed near Tacoma, Washington, killing three passengers and injuring about 100. That crash was the result of excessive speed in a steep curve, which experts suggested could have been prevented with PTC’s automatic braking technology. Amtrak Train No. 501, on its inaugural run, was traveling 80 miles per hour in an area limited to 30 miles per hour when it derailed on an overpass, sending the train’s 12 coaches and one of its two engines careening onto the highway below.

As previously reported in Risk Management, a similar derailment in Philadelphia in May 2015 that killed eight was also blamed on excessive speed and could have been avoided if PTC had been in place.

After Congress passed the PTC Enforcement and Implementation Act of 2015 it also authorized the FAST Act, which allocated $199 million in PTC grant funding and specifically prioritized PTC installation projects for Railroad Rehabilitation and Improvement Financing funding. The Association of American Railroads estimates that freight railroads will spend $10.6 billion implementing PTC, with additional hundreds of millions each year to maintain.

The American Public Transportation Association has estimated that the commuter and passenger railroads will need to spend nearly $3.6 billion on PTC.

Risk Management of Technology Risks Lagging, Survey Finds

SAN ANTONIO—Technology is becoming more and more necessary for the growth of companies, enhancing their abilities to get products to their destination faster and automate core processes. In fact, it’s predicted that revenues from AI-related technologies will reach $127 billion by 2025. Technology has also led to safer work conditions for employees with the use of wearable technology and drones.

According to the 15th Annual Excellence in Risk Management report by Marsh and RIMS, which examines risk professionals’ knowledge of and role in managing technology innovation such as artificial intelligence (AI), blockchain, and the Internet of Things (IoT), 59% of respondents said their organizations are currently using or exploring the use of IoT systems; 47% are using or exploring the use of AI; and 24% are using or exploring the use of blockchain.

Despite this growth, however, only 14% said they strongly believe they have a clear process in place for addressing disruptive technology risks. Almost half could not say if there was a clear process.

The report found that most risk professionals would benefit from balancing their view of digital technology. When asked what it means for their organization to be “digital,” a majority cited operational improvements, such as automating core processes, over growth initiatives such as new ways of doing business and interacting with customers.

By ignoring how digitization is changing the way companies interact with their customers, risk professionals cannot fully understand the changing risk profiles of their organizations, the report notes.

“Emerging technologies like artificial intelligence and blockchain are fast becoming the new normal, yet risk management is not keeping up,” observed Brian Elowe, U.S. client executive leader at Marsh. “Only by asking questions and understanding the underlying technologies and their uses throughout the organization can risk professionals truly appreciate their organizations’ risks and respond accordingly.”

Fear and lack of understanding about these new technologies could be the basis of this lag. As the report indicates, however, it is not necessary for risk professionals to understand the detailed intricacies of every new technology. Instead, they should be able to discuss them with technologists.

“Risk management professionals can add tremendous value and insight, supporting organizations’ ability to make strategic decisions regarding disruptive technology,” said Carol Fox, RIMS vice president of strategic initiatives. “Engaging in innovation that impacts our companies, customers, industries, and even the practice of risk management itself is a giant first step. While risk professionals do not need to be ‘experts’ in the intricacies of these technologies, they can certainly advance the performance benefits that each new technology brings.”

The good news for many risk professionals – and their organizations – is that managing emerging risks and working across the organization are not new challenges. In recent years, risk professionals have had a number of risks to contend with, including terrorism, climate change and cyberattacks. “Risk management executives are well placed to be part of the leadership team around technology adoption; their position naturally connects them to others across their organizations,” according to the report.

Highlights from the report:

  • The majority of respondents said they are most interested in technology that enables them to identify emerging risks (57%) and enhance data security (57%).
  • Of the respondents whose organizations have cross-functional risk committees, 31% said disruptive technologies are discussed at every meeting.
  • 40% of respondents said they would consider switching insurers and other advisors based on their ability to provide innovations in the claims area.

Companies Continue to Grapple with Cyberrisk, Study Finds

As technology becomes more critical to company success, the number of cyberattacks has climbed.

As a result, cyberrisk has become one of the top risks for companies around the world, according to the Marsh-Microsoft Global Cyber Risk Perception Survey. Almost two-thirds of survey respondents identified cyberrisk as one of their organization’s top-five risk management priorities—almost double the percentage who rated cyber as a top risk in a 2016 study, Marsh said, adding that respondents whose organizations had been successfully attacked were slightly more likely to prioritize cyberrisk than those who had not.

Despite these concerns, however, the study notes that just one in five respondents said they are “highly confident in their organization’s ability to manage and mitigate cyberrisk or respond and recover from an attack.” This was especially the case among corporate directors, who play an important role in protecting their organization from cyber threats. While about 70% of respondents who identified as board members said they ranked cyberrisk as a top-five concern, only 14% said they were “highly confident” in their organization’s ability to respond to an attack.

Board Disconnect
While organizations have traditionally relied on IT staff to manage cyberrisks, the structure of oversight is evolving in many companies as risks accelerate. Stakeholders from across the enterprise are looking beyond prevention to include risk assessment, mitigation and cyber resilience.

Asked about cybersecurity structure, however, 70% of respondents named their IT department as a primary owner and decision-maker of the risk.

This was more often true for smaller companies, as larger organizations tended to spread the responsibility for cyberrisk—from a low of 13% in the smallest organizations (many of which may not have a separate risk management function) to 58% in the largest organizations with more than $5 billion in revenue, the study found.

Ideally, boards should view cyberrisk management as part of their overall perspective on enterprise risk management. In organizations where the board is involved, however, the study found a disconnect:

Corporate directors often appear to either not understand the information on cyberrisk they receive, or to not be receiving it all. For example, 53% of chief information security officers, 47% of chief risk officers, and 38% of chief technology/information officers said they provide reports to board members on cyber investment initiatives. Yet only 18% of board members said they receive such information.

This information gap illustrates a need to develop cyberrisk economic/business models that facilitate shared dialogue including common language among IT, the board, and other corporate departments.

This disconnect also reinforces the need for a cross-functional approach to cyber risk governance, according to the study.