720-891-1663
Home
Services, Products & Capabilities
Managed Security Services
Assessment Services
Technical Testing
Mitigation Services
Incident Response
Consulting Services
Technical Products
Policies and Procedures
Partner Program
About
About Us
Testimonials
Client Confidentiality
Position Papers, Reports, Blogs, Training Content & More
Position Papers, Reports & Blogs
Fireside Chats
Executive Training Videos
Training/Informational Videos
Other Training/Webinars
Press Releases
TCPS Youtube Channel
D1QB
Contact
Vulnerability Scanning & Pentesting Explained for Executives
-By
Raymond Hutchins and Mitch Tanenbaum
<div class="table-content-wp"> <h4>Table of Contents</h4> <ol class="toc-list" role="list"> <li> <a href="#globalcybersociety"> <span class="title toc-list-font-weight">1. The Global Cyberwar and the Society’s Costs to Society<span class="leaders" aria-hidden="true"></span></span> </a> <ol role="list"> <li> <a href="#whatlosses"> <span class="title">What are the losses?<span class="leaders" aria-hidden="true"></span></span> </a> </li> <li> <a href="#dfs500"> <span class="title">DFS 500 or 23 NYCRR 500<span class="leaders" aria-hidden="true"></span></span> </a> </li> <li> <a href="#usdepartment"> <span class="title">U.S Department of Defense<span class="leaders" aria-hidden="true"></span></span> </a> </li> </ol> </li> <li> <a href="#overviewprivacy"> <span class="title toc-list-font-weight">2. Overview of Privacy Laws and Regulations<span class="leaders" aria-hidden="true"></span></span> </a> <ol role="list"> <li> <a href="#americandataprivacy"> <span class="title">American Data Privacy and Protection Act (ADPPA)<span class="leaders" aria-hidden="true"></span></span> </a> </li> <li> <a href="#firstgeneration"> <span class="title">First Generation and Second-Generation Privacy Laws<span class="leaders" aria-hidden="true"></span></span> </a> </li> <li> <a href="#elementsecondgeneration"> <span class="title">Elements of Second-Generation State Privacy Laws<span class="leaders" aria-hidden="true"></span></span> </a> </li> <li> <a href="#csvseuropean"> <span class="title">U.S. vs. the European Union<span class="leaders" aria-hidden="true"></span></span> </a> </li> </ol> </li> <li> <a href="#industrystandard"> <span class="title toc-list-font-weight">3. Industry Standards<span class="leaders" aria-hidden="true"></span></span> </a> </li> <li> <a href="#technologyindustry"> <span class="title toc-list-font-weight">4. The Technology Industry<span class="leaders" aria-hidden="true"></span></span> </a> </li> <li> <a href="#caremarkstandar"> <span class="title toc-list-font-weight">5. Caremark Standard and Corporate Governance<span class="leaders" aria-hidden="true"></span></span> </a> </li> <li> <a href="#regulatingai"> <span class="title toc-list-font-weight">6. Regulating AI, Quantum Computing, IoT, and Crypto Currencies<span class="leaders" aria-hidden="true"></span></span> </a> </li> <li> <a href="#breachlaw"> <span class="title toc-list-font-weight">7. Breach Laws<span class="leaders" aria-hidden="true"></span></span> </a> <ol role="list"> <li> <a href="#breachComplying"> <span class="title">Complying with Cybersecurity, Cyber-Breach Notification and Privacy Laws<span class="leaders" aria-hidden="true"></span></span> </a> </li> <li> <a href="#breachreporting"> <span class="title">Breach Reporting Requirements<span class="leaders" aria-hidden="true"></span></span> </a> </li> </ol> </li> <li> <a href="#insurancepressure"> <span class="title toc-list-font-weight">8. Insurance Industry Pressure<span class="leaders" aria-hidden="true"></span></span> </a> </li> <li> <a href="#dataprotection"> <span class="title toc-list-font-weight">9. Data Protection and Company Valuations<span class="leaders" aria-hidden="true"></span></span> </a> </li> <li> <a href="#creditrating"> <span class="title toc-list-font-weight">10. Credit Rating Agencies<span class="leaders" aria-hidden="true"></span></span> </a> </li> <li> <a href="#committedgoverence"> <span class="title toc-list-font-weight" >11. Committed Governance: The Missing Piece<span class="leaders" aria-hidden="true"></span></span> </a> </li> </ol> </div> <div class="para-container" id="globalcybersociety"> <h3> 1.The Global Cyberwar and the Society’s Costs (thus far) of Doing Nothing:</h3> <div class="box-para-container" > <p> <strong>NOTE:</strong> What follows is a front line report on the global “cyber war” as seen by cybersecurity professionals engaged in protecting the U.S. financial system and Department of Defense (DoD) assets. This report is intended to serve as a reference document for you. Please retain and share with others who might benefit from understanding this strategic, non-technical analysis. </p> </div> <h4 >What cyberwar?</h4> <p>Our country, financial systems, defense capabilities, money, and our citizens are under active assault from a bewildering array of adversaries and criminals, both foreign and domestic. It is reasonable to describe what is going on as “war” with multiple, independent combatants duking it out daily. </p> <p>Business leaders may intuitively grasp this, but very few act like they are in a war-like environment even though their businesses and systems are directly threatened. Based on our front-line observations, this “head-in-the-sand” behavior is because they don’t understand the war or the risks–it’s like nothing they have ever seen before. This is even though they hear about a new breach almost every day. And until they discover they have been breached; they don't quantify the risk. </p> <p>Today’s reality is that all digital societies are fearfully dependent upon their IT infrastructures and the software and electrical energy that powers them. These global IT infrastructures are rapidly expanding via the Internet of Things (IoT). Anything connected to the Internet can be hacked. Everything is being connected to the Internet. As a result, everything is becoming vulnerable in this cyberwar. </p> <p>There’s more. </p> <p>Quantum computing has arrived. Anyone with access to a quantum computer has capabilities those without access do not. This includes the capability of surmounting current cyber defenses. Now throw artificial intelligence into the mix. What happens when an authoritarian government has a quantum computer and wants to employ it against us in the cyberwar? China has made it a national goal to be the leader in quantum computing and AI. One of the reasons that adversaries like China are stealing our data now (even data that is encrypted) is that once they have sufficient quantum compute power, they will be able to decrypt data they stole years before. </p> <p>There are great and growing concerns about the reliability and security of our governmentregulated, legacy financial systems and currencies, essentially the lifeblood of our civilization. Our financial systems and currencies are only as good as the governments backing them and the security of the IT infrastructures making them function. In very short order we have digitized the entire financial system. Everyone’s money is in digits and those digits are being stolen to fund the adversaries attacking us. Just one crypto currency platform, Tornado Cash, was used to launder $7B in virtual currencies1 including $455 million for the North Koreans alone. </p> <p>There is great hope (and speculation) that blockchains and the new crypto currencies can evolve our financial systems beyond the control and corruption of humans. The goal is that no matter what happens to the rest of the IT infrastructure, the money will be safe…and that its core value cannot be corrupted by humans or artificial intelligences. However, cryptocurrency is, fundamentally, just software–and software has bugs. Complicated software has a lot of bugs. That is why, for example, crooks have already stolen close to $2 billion in cryptocurrency just from one part of the cryptocurrency ecosystem.</p> <p>Many nations and even criminal syndicates are now capable of destroying part (or even all) of the IT and power infrastructures of other countries. These capabilities are threats to our very social order. </p> <p>And beyond countries and criminal organizations, criminal and desperate individuals with smarts and an internet access can wreak havoc. While we typically look abroad for our adversaries, when it comes to cybercrime, the U.S. is a virtual hotbed of criminals and insiders engaged in corporate espionage, theft, and fraud. They are the enemy within, and they have nothing to fear. This is the golden age of cybercrime. The odds of being caught are nil. </p> <p>Sadly, cyberwar is real and unlike other weapons of mass destruction (nuclear, biological, and chemical) …no treaties govern it. It’s the Wild West all over again–and the criminals are free to roam. Unlike nuclear weapons, cyber weapons do not require billions in infrastructure to deliver their payload. Just one person who clicks on the wrong thing.</p> <p>One last point. It can be said that a war is when everyone puts up a fight. As front-line soldiers in this war, we are reporting that in this war, our side is not putting up the fight it should</p> <ul style="list-style-type:none;"> <li>“The range of criminal, cyber and counterintelligence threats we face as a nation has never been greater or more diverse.” --FBI Director Christopher Wray, testifying before a Senate Appropriations subcommittee, May 25, 2022 </li> </ul> <h4 id="whatlosses">What are the losses?</h4> <!--<a id="whatlosses"></a>--> <p>Historically, costs and losses associated with global cybercrime and the cyberwar have been notoriously underestimated. When you consider the fact that multiple nations have organized cyber armies for military and economic warfare against their adversaries, and that most crimes still go unreported, it is understandable why it is so difficult to calculate losses. </p> <p>While global theft, fraud, and other direct financial losses are huge in their own right, it is even harder to assess and calculate the loss of business, scientific, academic, engineering, and military intellectual property. </p> <p>In 2019, then-Defense Secretary Mark Esper warned that China was perpetrating the "greatest intellectual property theft in human history," just days after retired Navy Adm. William McRaven said China's growing technological capabilities should be a "holy s--- moment" for the US.2 Since then, China’s 300,000 strong cyber army has not backed off its efforts. </p> <p>A recent <i>Boardroom Cybersecurity 2022 Report<sup>3</sup></i> calculated global 2022 losses at $7 trillion USD.</p> <p>And what’s the value of having a country’s entire population’s personal data stolen by adversaries?</p> <p>Questions that business and political leaders must ask now are:</p> <ul> <li>How much money is being fraudulently removed from our economy? </li> <li>Where is that money going?</li> <li>Into which banks in which countries?</li> <li> And how complicit are global governments and banks in this illegal transfer of wealth?</li> <li>How can the integrity and credibility of financial systems and markets be maintained with such systemic criminality, corruption, and huge losses? </li> <li>At what point does the system break?</li> </ul> <h4>Why Governments Are Being Forced to Act</h4> <p>Thus far in the history of the global cybersecurity crisis, government, scientific, military, and business leadership has been slow to act. There are many reasons for this, but some higher-level reasons include: </p> <ul> <li>The rapidity of the digital revolution and the huge movement of data into IT infrastructures that were never designed for security.</li> <li>By and large, people know what they have experienced, and our legislators have not truly experienced our budding digital age. Their lack of understanding and experience with technology makes for very slow progress. </li> <li>The newness, complexity, and speed of cybersecurity and privacy threats.</li> <li>The mind-blowingly fast arrival of IoT, quantum computing, artificial intelligence, and crypto currencies. </li> <li>Resistance to new regulations and laws by businesses and non-governmental organizations caused by a lack of trust. </li> <li>The shortage of trained, experienced business and governmental leaders with IT, cybersecurity, and privacy issues</li> <li>The upfront expense and loss of productivity associated with protecting data.</li> </ul> <p>While legislatures may be still catching up, various U.S. federal agencies4 have been in the battle for some time. These agencies include:</p> <ul> <li>Cybersecurity and Infrastructure Security Agency (CISA)</li> <li> U.S. Department of Homeland Security (DHS)</li> <li>National Cybersecurity and Communications Integration Center (NCCIC)</li> <li>Office of Cybersecurity and Communications (CS&C) </li> <li>United States Secret Service (USSS)</li> <li>FBI Internet Cyber Crimes Center (iC3)</li> <li>U.S. Department of Justice (DOJ)</li> <li>Federal Bureau of Investigation (FBI)</li> <li>National Cyber Investigative Joint Task Force (NCIJTF)</li> <li>National Security Cyber Specialist (NSCS) network</li> <li>National Security Division (NSD)</li> <li>NSA-National Security Cyber Assistance Program (NSCAP)</li> <li>DoD-US Cyber Command</li> <li>SEC Crypto Assets and Cyber Unit</li> </ul> <p>While this array of agencies has still not come close to solving the problem, their front-line work has allowed them to better see what’s going on and has clearly established the threat to our country. And these agencies have been communicating the urgency of the issue to federal and state leaders. This (and huge losses across society) explain why governments are starting to move with more urgency. </p> <p>According to Harvard Business Review<sup>5</sup> cybersecurity has reached a tipping point. After decades of all governments basically taking a hands-off approach to cybersecurity, national, state and even local governments are starting to move. Some have implemented and many more are considering new laws governing cybersecurity and privacy.</p> <p> But even though lawmakers feel a need to do something, they often struggle to regulate technology for the reasons described above. </p> <p> Laws and regulations are being made at the federal and state level and by the legislatures and the agencies. Some are industry specific while others affect everyone. Some have exemptions for different classes of people and organizations while others don’t. </p> <p> It is important for businesses–specifically their executives and board members (the folks responsible for controlling risk)–to understand this changing landscape. They must now do what they have not yet done…accept their responsibilities and duties to protect data, reduce risk, and enhance valuations. </p> <p> But sometimes executives are acting in a different way. Recently, an executive of Uber was convicted in federal court for his role in a recent cyberattack against the company. As of this writing he is awaiting sentencing and unless he agrees to squeal on other executives at the company, and I rate the probability of this happening as high, he faces up to 8 years in federal prison6 . A defense contractor just agreed to settle another False Claims Act (FCA) lawsuit for $9 million in the middle of the trial<sup>7</sup> . FCA lawsuits are particularly scary because the whistleblower can receive up to 30% of whatever fines the government gets paid. This makes being a whistleblower potentially very lucrative. </p> <h4>How Cybersecurity and Privacy Are Now Connected</h4> <p> Cybersecurity and privacy laws are both about protecting data within various IT infrastructures. Privacy focuses on personal data of citizens, and cybersecurity focuses on all other valuable data assets. In the short period of time that such security has become an issue, cybersecurity and privacy efforts were driven by different constituencies. But since we are talking about protecting data, the conversations are merging. </p> <h4>Overview of Cybersecurity Laws and Regulations</h4> <p> There exists a bewildering array of cybersecurity laws internationally and in the U.S. For U.S. companies doing business nationally or internationally, this complicates compliance. Until the United Nations can implement an international law or treaty regulating cyberspace8 , the various countries of the world are left to their own devices. </p> <p> While enforcement of many of these laws is currently spotty and is complicated by the fact that enforcement agencies are under-resourced, if you fail to perform your responsibilities with respect to cybersecurity, the legal justification to drop the hammer on you exists–and enforcement agencies are looking to make examples. We are seeing this at both the national and local levels. </p> <p> Wikipedia offers a reasonable summary of current and proposed U.S. and international cybersecurity regulations and laws<sup>9</sup> </p> <p> You’ll note that the European Union has made serious progress implementing national (<i>in their case…continental</i>) cybersecurity and privacy legislation–something the rest of the world has not been able to do. </p> <p> In a perfect world, the U.S. would have a single, national law addressing privacy and security, but the U.S. legal system is not perfect. As a result, the individual states have begun addressing this issue and as of the time this paper was written, all fifty states have some form of cybersecurity law. Most states have a first-generation privacy law (see below for more info), and five states have a second-generation privacy law. </p> <h4 id="dfs500"> DFS 500 or 23 NYCRR 500 </h4> <p> Among the U.S. states, New York clearly stands out as the most aggressive cybersecurity legislator and enforcer and deserves special mention. Since 2017, financial institutions and other regulated entities have been required to follow the cybersecurity rules known as DFS 500 or 23 NYCRR 500<sup>10</sup>. This regulation is very specific and proscriptive about what is required, and DFS audits regulated entities against these rules. </p> <p> This state law is considered “the standard” by other states, which are copying it to one degree or another. </p> <h4 id="usdepartment"> U.S Department of Defense </h4> <p> Also worthy of special mention is the U.S. Department of Defense. </p> <p> The U.S Department of Defense (DoD) has an annual budget of almost $800B. It’s by far the largest defense budget of any country in the world. Over 300,000 companies (100,000 contractors and their subcontractors) work to supply the DoD with what it needs in order to protect the country. These companies are referred to as the Defense Industrial Base (DIB). </p> <p> This amount of money and the number of companies it flows to represents a large part of our economy. It also represents a huge threat to our national security. In order for these companies to do DoD work, they must have access to sensitive DoD information–and historically, that information has not been protected very well. </p> <p> It has become apparent that our adversaries have stolen hundreds of billions of dollars’ worth of investments in weapon systems and other aspects of our defense efforts. Among other consequences, this theft puts the lives of our military men and women at risk. </p> <p> The GAO has been investigating and evaluating these losses, but it is an enormous task.11 No one is really denying that it has happened, but the question remains–what has been stolen and how do we stop it? And (just like in the civilian sector) it is a tough problem. </p> <p> The DoD has been working to protect CLASSIFIED information stored in DoD’s IT infrastructure from cyber-attack for some time. It also has worked to protect CLASSIFIED data stored in the systems of the large DoD “Prime Contractors,” such as Lockheed, Raytheon, Boeing, General Dynamics, etc. that play a crucial role in our defense structure. Even with such a focused effort, we read about breaches at organizations like the NSA and CIA on a regular basis. We are hopeful that we have not lost all this information. </p> <p> But what about those 300,000 companies in the DIB that have access to information which is not classified but which is still very sensitive. This type of DoD data is called Controlled Unclassified Information (CUI)<sup>12</sup>. And because it has not been protected, naturally our adversaries have been having a field day with this. </p> <p> In 2013, the DoD took the first steps to protect such information. In 2015 the DoD started including in the contracts of these companies’ language that required such companies to build effective cybersecurity programs (much more info about this below<sup>13</sup>). But until very recently, the DoD did not actively enforce the contract clauses related to cybersecurity. Please see the timeline below. </p> <div class="box-image"> <img src="https://www.cybercecurity.com/whitepaper_images/global-cyberway-1.png"> </div> <p> But regardless of enforcement, the reality (since 2017) is that if a contractor or subcontractor signs a DoD contract and then does not comply with the part that says they must protect the CUI, then that contractor is committing fraud. </p> <p> Late in 2021, the Department of Justice (DoJ) stood up an enforcement team specifically to pursue DIB companies who lie about their cybersecurity compliance. The team has settled a few cases so far–all with fines in the millions. DoJ plays these things close to the vest, but it is likely they are working on more such enforcement actions. The law they are using allows them to pay whistleblowers up to 30 percent of whatever amount the offender is fined. Recently, one whistleblower was paid $2.61 million<sup>14</sup> . </p> <p> As cybersecurity professionals with decades of DoD experience, we have been challenging the DoD regarding the weakness of their cyber strategy for years (please see our press release and white paper below<sup>15</sup>). We can report that this new enforcement activity is starting to make a difference. </p> <p> This DoD enforcement effort has the potential to radically change the cybersecurity posture and capabilities of over 300,000 U.S. companies. It might not solve the problem, but as these companies come into compliance, a great deal of our nation’s IT infrastructure will be better protected, and it will be more difficult and expensive for our adversaries to threaten us. </p> <p> The DoD enforcement efforts are spreading to other federal agencies. The General Services Administration is already copying the DoD and starting to require cybersecurity compliance in some of its contracts. In addition, several foreign governments are following suit and beginning to implement similar regulations<sup>16</sup>. We anticipate that similar cybersecurity contract requirements will soon be in all major federal contracts, and this will impact more U.S. companies. </p> <p> And lastly, the DoD actions described above are already having a positive impact on our military allies and those who want to do business with DoD. There is much sharing of cybersecurity information, standards, and processes currently under way between the DoD, the Five Eyes Alliance<sup>17</sup>, NATO, and others. </p> </div> <div class="para-container" id="overviewprivacy"> <h3>2. Overview of Privacy Laws and Regulations</h3> <h4>New Rights for Some People on Earth</h4> <p>Led by the European Union, liberal democracies are attempting to grant new data and privacy rights to their citizens. Authoritarian governments, led by China, are going in the exact opposite direction and are taking away all data and privacy rights of their citizens. </p> <p> It is an open question as to whether the U.S. Constitution gives people a right to privacy. The Fourth Amendment protects against unreasonable searches, but that was written before the age of the computer and the Internet. U.S. courts (including the Supreme Court) are not quite sure if there is a fundamental right to privacy and personal data ownership. </p> <p> Possible rights include the right to obtain a copy of data that a company has collected about you or the right to correct incorrect data that a company has collected or the right to demand that a company delete your data from its IT infrastructure. As we will see later, those rights are separate, and a law might grant one of them without the other. </p> <p> The bottom line is that until around 2016, no laws anywhere in the world addressed these issues and since they address fundamental (and new) human rights, we will go into a bit of detail. </p> <h4>International Privacy Laws</h4> <p> According to the United Nations, 137 out of 194 countries have put in place legislation to secure the protection of data and privacy for its citizens.<sup>18</sup> While there may be some formal attempt to put legislation in place, even in developed countries, the state of enforcement is such that no such protections actually exist. And as mentioned earlier, in countries with authoritarian regimes, there is no sign the citizens will have these rights. </p> <p> The European Union’s General Data Protection Regulation (GDPR) was adopted in 2016 and went into effect on May 25, 2018. This piece of legislation is the model for legislation occurring in the U.S. and around the world. </p> <h4>U.S Federal Privacy Legislation. </h4> <p> While some large tech companies and others have supported a U.S. federal privacy law<sup>19</sup> that supersedes those implemented by individual states, thus far there is no serious movement towards such a law. State legislators and their citizens seem disinclined to forgo the new data privacy rights they have been granted </p> <h4 id="americandataprivacy">American Data Privacy and Protection Act (ADPPA)</h4> <p> The ADPPA is the most recent attempt at nuking state privacy laws via federal legislation. There are many people who do not like California’s law (see below), which includes a private right of action to sue in case of a breach. While some people said this new right would cause an avalanche of lawsuits, the reality is quite different. This appears to be because contingency privacy lawsuits are extremely difficult to pursue, and most are thrown out. Thus far, there is little economic incentive for lawyers to pursue such cases. </p> <p> Given the politics of Washington, we rate the likelihood of the ADPPA passing as low – for now </p> <h4> U.S. State Privacy Legislation-California Leading the Charge </h4> <p> California led the nation in creating the first cybersecurity law, CA SB 1386 (notice the immediate connection between cybersecurity and privacy–see more below). Passed in 2002, it was considered radical at the time. It said that businesses had a duty to protect consumers’ information. It also made an attempt to define what information needed to be protected. It did not give consumers any rights in their data, and it made the Attorney General responsible for enforcement. </p> <p> Since the AG has a lot of laws to be responsible for and since the law did not give the AG any more money or people to enforce it, only the most egregious violations were ever prosecuted. In the next almost 20 years, every state implemented a law, mostly based on CA SB 1386. The details changed. What data needed to be protected changed. What you had to do in case of a breach changed. But the basis for all these laws was CA SB 1386. </p> <h4 id="firstgeneration"> First Generation and Second-Generation Privacy Laws </h4> <p> Most states have had “first generation” privacy laws on the books for some time. Those laws (loosely) don’t offer consumers many protections. Second generation privacy laws originated in Europe with GDPR and were followed, after several years, by the California Consumer Privacy Act (CCPA). That act is in effect now. CCPA was a bit of a shotgun wedding to avoid a stronger ballot initiative but has gotten watered down by the legislature a bit since it was enacted in 2018. As a result, the California Privacy Rights Act (CPRA) ballot measure was passed in 2020 by California residents. CPRA says, in the law, that the legislature may only strengthen the law by modifying it. </p> <p> Now California is leading the nation again, for better or worse. They implemented the first second generation privacy law and other states are modeling their second-generation laws on California’s laws. We say laws because there are actually two laws that are relevant - CCPA and CPRA. </p> <p> The benefit of states creating their own privacy laws is that hopefully they are more agile than the feds and they can modify their laws more quickly in case mistakes are made. </p> <h4 id="elementsecondgeneration"> Elements of Second-Generation State Privacy Laws </h4> <p> Like GDPR in Europe, second generation (U.S.) privacy laws create privacy “rights”. This is because there is no agreed-to right-to-privacy in the U.S. Constitution, unlike in the E.U. Constitution. Given that document was created long before the Internet, the founders didn’t consider privacy to be a problem. While the rights vary from state to state a bit (hence why businesses would prefer a federal law with state law preemption), here are the rights offered by state privacy laws: </p> <ul> <li> The consumer’s right to obtain a copy of his/her data (free of charge with some restrictions).</li> <li> The right to correct the data that was collected.</li> <li> The right to have that data deleted (again with some restrictions).</li> <li> The right to stop anyone from sharing that data (loosely, selling it) with others (again with some restrictions).</li> <li> And other rights.</li> </ul> <div class="box-para-container" style="color: black;background: #fbeddb;"> <p> <i> Are you ready to engage your adversaries in this cyberwar? Will you become a cybersecurity/risk leader in your company? You cannot do it by yourself. Let us be your partner. Contact info below. </i> </p> </div> <h4> Businesses have some specific responsibilities: </h4> <ul> <li>A simple language publicly posted privacy policy.</li> <li> They must disclose for what purpose(s) they will be using the data collected.</li> <li>They must disclose the classes of (and in some cases) the names of the people with whom they are sharing that data.</li> <li> They must provide one or more methods for people to take advantage of these rights.</li> <li> In some cases, this includes data that is collected in brick-and-mortar locations.</li> <li> They must respond quickly to a consumer request (typically no more than 30 days).</li> <li> In many cases, these consumer rights trickle down to third parties with whom the consumer’s data is shared.</li> </ul> <p> Currently, there are five states that have second-generation state privacy laws on the books, and four more that are still actively considering one this year. The graphic below, outlines the current state law situation. </p> <div class="box-image"> <img src="https://www.cybercecurity.com/whitepaper_images/global-cyberway-2.png"> </div> <p> Other than California, none of the other second-generation laws are in effect at the time of the writing of this white paper, but all of them will become effective during 2023. Note that California has two new second-generation laws, one of which is in effect now and one of which becomes effective in 2023. Here is a high level chart of when each state’s law becomes effective and whom it applies to. </p> <div class="box-image"> <img src="https://www.cybercecurity.com/whitepaper_images/global-cyberway-3.png"> </div> <p> The details of each state’s law is beyond the scope of this paper, but you can find those details at this web site: <a href="https://www.kramerlevin.com/images/content/7/4/v2/74995/CTPrivacyLaws.pdf">https://www.kramerlevin.com/images/content/7/4/v2/74995/CTPrivacyLaws.pdf</a> </p> <p> Most of the state PRIVACY laws have some minimum business sales volume for compliance, but many of the state CYBERSECURITY laws apply to everyone without exception. </p> <p> Each state defines which data elements (like a name or driver’s license number) are in scope, the definition of sale or sharing of data, what types of organizations are covered, who is exempted (such as health care providers covered by HIPAA), precisely what rights a person has, the responsibilities of covered businesses AND THEIR VENDORS, what notices must be provided when, what terms must be written into contracts with service providers and other items. See the link above to get an idea of these specifics. </p> <p> In addition, each state will be issuing regulations regarding how businesses must comply. Each state does this differently. California, for example, set up a separate department, the California Privacy Protection Agency, while Colorado, as another example, has charged the Attorney General with creating the regs. What you can count on is many pages of regulations, all different and some conflicting between states. </p> <h4 id="Extraterritoriality">Extraterritoriality</h4> <p> Extraterritoriality is a big word that means my law applies in your jurisdiction. A well-known example of this is Europe’s privacy law, GDPR, which applies to U.S. companies, even to ones that don’t have any operations in Europe, but who might possibly have European customers or visitors to their web sites. </p> <p> In the U.S., states have practiced extraterritoriality since the beginning. State security, breach notification and privacy laws apply to you, whether you have a location in that state or not, if you collect data on a resident of their state. For example, a company located in Texas has to comply with Kansas’ cybersecurity and privacy laws, if they collect data on Kansas residents, sell products or services to them, or target them in advertising. Sometimes the nexus is very slight. </p> <h4 id="csvseuropean"> U.S. vs. the European Union </h4> <p> The U.S. and the E.U. have been fighting over adequate privacy for years. The E.U. has an interesting view of the universe wherein the rules the U.S. must play by do not apply to the E.U. As a result, there has been a bit of conflict across the pond. The most recent version of a cross border privacy agreement was struck down by the CJEU, the E.U.’s highest court. European law may allow California to strike a deal with the E.U. regarding adequacy. If they do, then companies based in California, with data stored in California, may be able to transfer data back and forth across the pond freely, while companies elsewhere in the U.S. can’t do that. Assuming that happens–and that is a big “if”–then there will be major pressure on the other states and Congress to follow suit so that California companies don’t have an unfair advantage over others. This is a big “if,” but it could happen. </p> <p> If you are confused after reading this, you are not alone. Your compliance team has a lot of work ahead of them. Also remember that you must consider that there is a difference between what you are legally required to do and what your customers expect you to do. If your customer, for example, asks for a copy of his or her data and you say, “We are not legally required to do that; go pound sand,” (or some other “get-lost” version of that, you can count on social media not being your friend. If you need help sorting this out, please contact us. </p> </div> <div class="para-container" id="industrystandard"> <h3>3. Industry Standards </h3> <p> When governments build cybersecurity and/or privacy legislation/regulations, they typically look to established industry standards for guidance about best practices. While not perfect (for example, none cover work-from-anywhere yet), they are typically quite good and thorough. </p> <p> The standards which currently dominate are: </p> <ul> <li> <strong>Europe:</strong> The International Standards Organization (ISO) 27000 standard family.20</li> <li> <strong> U.S.:</strong> the National Institute of Standards (NIST) Cybersecurity Framework (CF) and the Privacy Framework (PF).</li> </ul> <p> The U.S. DoD has built its compliance standards upon the NIST standard.</p> </div> <div class="para-container" id="technologyindustry"> <h3>4. The Technology Industry </h3> <p> All of us have experienced reading an End User License Agreement (EULA) presented by a technology company as we purchased some type of technology product. Buried in the obtuse and difficult-to-understand language are clauses that shift virtually all risk and responsibility for the use of those technologies to us…the end users. The technology companies already understand the impossibility of their industry assuming responsibility for the security of their hardware and software products. Therefore, they minimize their risk and shift responsibility to the end users. </p> <p> This represents a deep, systemic flaw in our ability to manage risk and increase company valuations. This type of problem can only be addressed by new laws that shift these risks back upon the product manufacturers. </p> <p> This problem represents such a deep and core insecurity in global IT infrastructures, leading edge cybersecurity thinkers and policy makers believe that the problem is actually unsolvable in the context of “fixing this broken system” and that a new security paradigm is required.<sup>21</sup> </p> </div> <div class="para-container" id="caremarkstandar"> <h3>5. Caremark Standard and Corporate Governance </h3> <p> A common problem in corporate governance is that often boards of directors just don’t do their jobs of making executive management do their jobs. Of course, with the advent of the cyberwar, the problem has only gotten worse. Few directors know the first thing about cybersecurity and privacy– not even enough to ask questions of management. But it is hard to hold directors' feet to the fire. </p> <p>That may be changing, however.</p> <p> In 2019 there was a lawsuit that established that members of boards of directors had personal liability for regulatory compliance oversight. This new liability, this new responsibility, is referred to as the Caremark Standard.<sup>22</sup> </p> <p> In 2019 there was a lawsuit that established that members of boards of directors had personal liability for regulatory compliance oversight. This new liability, this new responsibility, is referred to as the Caremark Standard.<sup>22</sup> </p> <p> There is much that boards of directors can do to ensure that management meets its cybersecurity and privacy responsibilities<sup>23</sup>. And since the individual director's personal liability is now on the table, they are more likely to pay more attention to the cyberwar. Naturally, directors would like to shift the risk of cyber liability to the insurance companies who sell them Directors and Officers (D&O) liability insurance. But insurance companies are raising rates and denying coverage to directors and boards that fail to meet their responsibilities for protecting company assets and data. </p> <p> These changes are bound to improve corporate governance, reduce risk, and increase company valuations. </p> <p> To make this even more of a concern, the Federal Trade Commission and the Securities and Exchange Commission are about to drop new rules regarding boards of directors’ responsibilities and company data protection requirements. </p> <div class="box-para-container"> <p> Sanjai Bhagat, <a href="https://www.linkedin.com/in/sanjaibhagat/">Professor of Finance at the University of Colorado</a> (and associate of ours) has written an informative paper on the Caremark standard and how changing the financial incentives for board members would achieve greater risk management behavior from board members. This paper has several good ideas that could make a difference. If you have an interest, please let us know and we’ll get you a copy. </p> </div> </div> <div class="para-container" id="regulatingai"> <h3>6. Regulating AI, Quantum Computing, IoT, and Crypto Currencies</h3> <p>As previously discussed, AI, quantum computing, IoT, and crypto currencies pose HUGE new risks to the global IT infrastructures and associated financial systems. Again, business leadership will not be capable of reacting fast enough to protect the fragile social fabric–so once again it will be up to governments to respond. </p> <p> But it won’t be easy. Here’s a glimpse of what is involved. </p> <ul> <li> <strong> Internet of Things- </strong>Thankfully, there are a lot of efforts globally to bring some kind of order and security to the IoT world. See the footnote below for a link to an authoritative report on the subject. And we recommend Bruce Schneier’s excellent book Click Here to Kill Everybody which presents policy solutions to the critical issue. However, given that there are tens of millions of devices already deployed, retrofitting that inventory will be a major challenge </li> <li> <strong>Crypto Currencies-</strong> Such currencies are already legal all around the world and many governments are attempting to regulate them. But people access such currencies via software. How do you regulate crypto currencies and the software that lets people use such currencies? How do you deal with bugs in this class of software which allows hackers to steal hundreds of millions of dollars with just a click of a mouse - from anywhere on the planet. </li> <li> <strong>Artificial Intelligence-</strong> Technologists such as Elon Musk regularly state that AI is a very real threat to humanity’s existence and that it must be regulated ASAP. The EU via the European Commission's proposed Artificial Intelligence (AI) Act attempts to regulate a wide range of AI applications, aligning them with EU values and fundamental rights through a risk-based approach. </li> <li> <strong>Quantum Computing-</strong> While quantum computing (and the new threats associated with it) have arrived, there appears to be little appetite for regulating any aspect of it Governments around the world are funding it to one degree or another, so they have their fingers in the pie, but no real regulation has happened yet. See the footnote for an article that explores the various issues associated with regulating this new technology. </li> </ul> </div> <div class="para-container" id="breachlaw"> <h3>7. Breach Laws</h3> <h4 id="breachComplying"> Complying with Cybersecurity, Cyber-Breach Notification and Privacy Laws</h4> <p>If your company or organization suffers a breach, when and who must you report this to?</p> <p> In terms of when you must report, that can be “as soon as you know about it”. That can be as short as 24 hours or as long as 30 days, it happens fast, and you must be ready to respond. You cannot figure this out when it is happening.</p> <p> With respect to who you must report it to, the answer to that question depends upon:</p> <ul> <li>The industry you are in</li> <li>The physical location of the breach</li> <li> The location of the owners of the data breached</li> <li>Your compliance requirements</li> <li>The state and country where your company is located</li> <li>The state and country where the “data subjects” (the people whose data was compromised) are located</li> <li>Vendor and partner contractual obligations</li> <li>Insurance requirements</li> <li>The size and nature of the breach</li> </ul> <p> But it may include:<br> State Attorney Generals<br> Vendors<br> Customers<br> Law Enforcement<br> Federal Trade Commission<br> Customers<br> Insurance carriers<br> Industry Regulators<br> National security agencies as required<br> Your company staff and their families<br> Banks<br> …and on and on<br> </p> <p> Again, this information should be readily available in the company’s pre-prepared and tested Incident Response Program. </p> <h4 id="breachreporting"> Breach Reporting Requirements </h4> <p> As we said, every state currently has some form of law or laws covering these subjects. Likely multiple laws, written at different times, by different people, who will never have to comply with any of them. This reality makes things harder for businesses. Each state has different rules. Different rules for what must be reported, to whom and when. Different rules for what is considered protected. Different rules for how you must handle the information. Some states have very basic laws while others have more sophisticated laws. </p> <p> The extraterritoriality requirements of state laws make life very difficult for companies. Let’s say that you have a tiny breach of 1,000 records. Because you do not have (or do not enforce) a records retention policy, some of this data is 10 to 20 years old. Of the 1,000 records (people), at the time you collected this data, they lived in 5 states. Since this data is old, it is likely that you don’t have a current address for some of them. You are still required to notify them. So, you hire a company to find the current addresses for you. This costs money and time. Same issue with privacy laws. You didn’t disclose your plans for the use of the data that you collected, but now the state law for the state these people lived in at the time (but maybe not now) requires that you redisclose your intended use </p> <p> You must take those 1,000 records, find these people, figure out where they live now, understand which laws apply, etc. In the case of a breach, you must understand who you are required to notify (such as the state AG, state regulator(s), state police and national credit reporting agencies, among others). This may depend on the number of people affected in that jurisdiction. </p> <p> This must happen before you can use the data for alternate purposes or, in case of a breach, within the breach reporting timeline. </p> <p> Most notably, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), thus far the most sweeping cybersecurity disclosure mandate applicable to the private sector. CIRCIA requires “covered entities” to disclose substantial cyber incidents to the federal government within 72 hours and ransom payments within 24 hours. CISA is directed to propose rules implementing the legislation within two years of enactment (i.e., by March 15, 2024); the rules then must be made final within 18 months. CIRCIA’s coverage is expected to be broad and could apply to those critical infrastructure sectors identified by DHS, which range from communications and financial services to water systems. </p> </div> <div class="para-container" id="insurancepressure"> <h3>8. Insurance Industry Pressure</h3> <p> The first cybersecurity insurance policy was written and deployed by AIG in 1997. This was the first time an insurance company started covering this type of business risk. Since then, much has happened in the cybersecurity insurance marketplace. Initially cybersecurity insurance companies did not understand this type of risk, but since then they have learned much. And most businesses </p> <p> that are responsible for protecting data and who must comply with national, or state regulations seek out this type of protection. As a result, the insurance industry is exerting much pressure on businesses to improve their cybersecurity practices. Insurance companies now closely question cyber insurance customers to determine cybersecurity maturity and many insurance companies employ technology tools to continuously monitor clients’ networks for problems. And the old days of lying to the insurance carrier about what you were or weren’t doing to meet data and system protection are over. One wrong move and you lose your insurance at the very moment you need it the most. </p> <p> Here is an article that goes into more depth on this important topic: <a href="https://www.chicagofed.org/publications/chicago-fed-letter/2019/426">https://www.chicagofed.org/publications/chicago-fed-letter/2019/426</a> </p> <p> While we have observed that the insurance industry and their lawyers have gotten much better at crafting insurance policies that protect their interests, most business leaders are not able to decipher their policies to determine if they have the correct coverage. The use of a company such as ours to assist in a cyber insurance policy review can be a very wise decision that pays off at a critical moment. </p> <div class="box-para-container" > <p> <strong> Note:</strong> Cyber insurance companies have their own security issues. Here is a post in author Mitch Tannenbaum’s nationally recognized blog that describes the recent, very embarrassing hack of Lloyds of London <a href="https://cybercecurity-mitch-tanenbaum-blog.com/security-news-for-the-week-ending-october-7-2022/">https://cybercecurity-mitch-tanenbaum-blog.com/security-news-for-the-week-ending-october-7-2022/</a> </p> </div> </div> <div class="para-container" id="dataprotection"> <h3>9. Data Protection and Company Valuations</h3> <p> In May of 2019, Raymond Hutchins, one of the authors of this whitepaper, approached the National Association of Certified Valuators and Analysts (NACVA) with (what seemed to Ray) an obvious question. The NACVA is the organization that sets the standards for how business valuations are conducted. Ray’s question was, “is a company’s cybersecurity maturity considered as a valuation metric in business valuations?” The answer (at the time) was no, but the NACVA asked Ray to write an article about the subject which then led to the first formal efforts to account for cybersecurity maturity in valuations. </p> <p> Today, it seems obvious to any business leader that a company that is committed to protecting the data it is responsible for via professional risk management and cybersecurity practices is worth more than a company that is not. Cybersecurity assessments are now routine parts of the valuation processes used by venture capitalists, private equity firms, banks and other investors. </p> <p> Here is a link to Ray’s article that started it all:<br> <a herf="https://www.turnkeycybersecurityandprivacysolutions.com/pdf/ValueExaminer-CybersecandCompanyValuationsSep2019.pdf">https://www.turnkeycybersecurityandprivacysolutions.com/pdf/ValueExaminer-CybersecandCompanyValuationsSep2019.pdf</a><br> </p> </div> <div class="para-container" id="creditrating"> <h3>10. Credit Rating Agencies </h3> <p> Credit rating agencies like Moody’s Investor Services and Fitch Ratings are now factoring in how companies respond to cyber attacks when calculating credit ratings. These ratings not only affect the creditworthiness of these companies, they will also affect the valuation of those companies. Credit rating agencies have determined that even if there are not short-term effects of a cyberattack, there very well may be long-term negative effects. How a company responds to an attack says a great deal about the company’s leadership and their commitment to protecting the company’s assets and valuation.<sup>24</sup> </p> </div> <div class="para-container" id="committedgoverence"> <h3>11. Committed Governance: The Missing Piece </h3> <p> Over and over again, we find that the main obstacle for clients to build professional risk management and cybersecurity programs is a lack of commitment by the leadership. In military terms…if the generals are not fully committed to the battle, there is no way you will get the support of the troops. </p> <p> Committed leadership. Committed governance. Without it, the ball does not move down the field. </p> <p> An example of just how prevalent this problem is in our business hierarchies is that Gartner reports that less than 10% of boards currently have a dedicated cybersecurity committee. That’s the bad news. Gartner predicts that 40% will establish one by 2025. That’s more bad news. By 2025 only half of boards will have committed cybersecurity governance </p> <p> There are many reasons for the lack of committed leadership and governance. </p> <ul> <li>Historically, boards and executive management have not been correctly incentivized to tackle the issue. If it doesn’t immediately drop to the bottom line, then it’s not worth doing.</li> <li>Lack of understanding of how truly secure IT infrastructure translates to less risk and increased corporate value.</li> <li>Unwillingness to buck the internal legacy establishment with respect to raising the alarms and providing the funding required for improvements</li> <li>Unwillingness to view cyber risk with the same degree of alarm as legislators and regulators. </li> </ul> <p> But this is changing because of many factors: </p> <ul> <li>New government regulations (like the FTC and SEC changes)</li> <li>Customer demands (we are not going to do business with you unless you …)</li> <li>Insurance company demands (we are going to cancel your insurance unless you …) </li> <li>The Caremark Standard</li> <li>New state laws</li> <li>The change in federal courts view on what constitutes Article III Standing, making lawsuits easier</li> </ul> <h4>Achieving committed governance requires the following:</h4> <p> A successful cybersecurity and privacy program requires fully committed leadership and hands-on governance. And once leadership commits to the battle, its on-going support must never waiver. It becomes part of the business operations. </p> <ul> <li>A company Risk Management Program that highlights cybersecurity and privacy</li> <li>An acknowledgement by the board and executive management that cybersecurity and privacy negligence may threaten the existence of the organization and result in personal liability.</li> <li>Written risk governance procedures for the board and executive management</li> <li>Designated individuals on the board and within management whose compensation is tied to specific cybersecurity and privacy metrics.</li> <li> Recalculation of the organization’s financial valuation that accounts for organizational risk associated with cybersecurity and privacy. </li> </ul> <h4> With the stakes so high, directors’ must do the following: </h4> <ul> <li>Continue to elevate the importance of managing cybersecurity risk on a company-wide basis, and not just as an IT matter.</li> <li>Ensure proper disclosure. Enhanced disclosures clarify for investors and other stakeholders the rigor of the board’s oversight, and management’s role in assessing and managing cybersecurity risks.</li> <li>Break out of their silos and echo chambers and promote a culture of cooperation, both internally and with other organizations.</li> <li>Utilize outside parties to help expand knowledge bases, strengthen capabilities, and identify blind spots in security and risk management. </li> </ul> <div class="box-para-container" > <p style="text-align:center;"> Are you ready to apply correct risk management governance to your organization?<br> Do you have the right partner to make this happen?<br> Call us: Turnkey Cybersecurity & Privacy Solutions, LLC–303-887-5864 </p> </div> <div class="box-para-container-white" > <p style="text-align:center;"> Did you find this white paper of value? Here are some of our other white papers. </p> <ol start="1"> <li> <a href="https://www.cybercecurity.com/wp-it-infrastructure-monitoring-issues/">IT Infrastructure Monitoring Issues-Making the Best Choice for Your Company</a> </li> <li> <a href="https://www.cybercecurity.com/wp-secrets-of-hiring-and-firing-vciso/">Secrets of Hiring and Firing vCISOs</a> </li> <li> <a href="https://www.cybercecurity.com/wp-cmmc-compliance/">CMMC Compliance-The New Enclave Approach</a> </li> <li> <a href="https://www.cybercecurity.com/wp-cmmc/">THE "NEW" CMMC 2.0 (AKA 800-171): NOT THE RIGHT WAY TO FIX THE DIB SECURITY CRISIS</a> </li> </ol> </div> <h4 style='text-align:Center;'>About the Authors</h4> <p> Ray Hutchins and Mitch Tanenbaum own and operate two cybersecurity companies: </p> <ul> <li> <a href="https://www.cybercecurity.com/">CyberCecurity, LLC</a> </li> <li> <a href="https://www.turnkeycybersecurityandprivacysolutions.com/">Turnkey Cybersecurity and Privacy Solutions, LLC</a> </li> </ul> <p> Their wide-range of experiences with companies all over the world make them authorities on the subject matter above. Please learn more about Ray and Mitch here:<br> <a href="https://www.cybercecurity.com/about/">https://www.cybercecurity.com/about</a> </p> </div> </div> <!-- <div class="left1"> </div> --> <style> footer{ width:100%; height:auto; padding:60px; } footer a{ text-decoration:none; } .footer-container{ width:90%; height:auto; float:left; margin:0 5%; } .footer-container-main{ width:100%; height:auto; float:left; } .first-section-footer{ width:20%; height:auto; float:left; padding-right: 15px; padding-left: 15px; } .last-section-footer{ width:30%; height:auto; float:right; } .middle-section-footer{ width:40%; height:auto; float:left; } .new-footer-menu-image { width: 100%; height: auto; float: left; margin-top: 20px; } .new-footer-menu-image img { width: 65%; /* text-align: center; */ float: left; display: block; } .container-center { margin-bottom:35px; } .new-footer-menu-text,.container-center { width: 100%; height: auto; float: left; } .new-footer-menu-text a { text-align: left; display: block; text-decoration: none; color: black; font-weight: 600; } .middle-img-conatiner{ width:33.33%; height:auto; float:left; } .bottom-certi-container { width: 100%; height: auto; margin: 0 auto; text-align: center; } .bottom-certi-container img { width: 70%; } .cus_pad{ width: 90%; padding-left: 5%; padding-right: 5%; } .text-ali{ text-align:center; } @media screen and (max-width:768px) { .first-section-footer{ width:100%; height:auto; float:left; padding-right: 15px; padding-left: 15px; } .last-section-footer{ width:100%; height:auto; float:left; margin: 0px; } .middle-section-footer{ width:100%; height:auto; float:left; } .cus_pad{ width: 90%; padding-left:0%; padding-right: 5%; } .text-ali{ text-align:left; } .perso{ margin: 0px; } } </style> <div class="clr"></div> </div> </div> <footer style="width: 100%" class="section footer-classic footer-position"> <div class="footer-container-main"> <div class="footer-container"> <div class="first-section-footer"> <div class="footer-img"> <div class="new-footer-menu-text-image"> <div class="new-footer-menu-image"> <a href="/home"> <img style="margin-bottom:5px;" src="/img/Huttan Holding LLC-A1 - Editado.png" alt="Cyber Security"> </a> </div> <div class="new-footer-menu-text"> <span style="line-height:1.5;"> <ul><Strong>Assets and Companies:</Strong> <li style="font-size: 0.7rem"><a href="https://turnkeycybersecurityandprivacysolutions.com/" target="__blank">Turnkey Cybersecurity and Privacy Solutions</a></li> <li style="font-size: 0.7rem"><a href="https://cybercecurity.com/" target="__blank">CyberCecurity</a></li> <li style="font-size: 0.7rem"><a href="https://cyberboardtalent.com/" target="__blank">Cyber Board Talent Agency</a></li> <li style="font-size: 0.7rem"><a href="https://cybersecurity-expert-witness.com/" target="__blank">Expert Witness Services</a></li> <li style="font-size: 0.7rem"><a href="https://www.yourvirtualciso.us/" target="__blank">Virtual CISO Services</a></li> <li style="font-size: 0.7rem"><a href="https://www.turnkeycyber.us/" target="__blank">Turnkey Cyber</a></li> <li style="font-size: 0.7rem"><a href="https://bizcybercert.us/" target="__blank">Business Cybersecurity Certifications</a></li> <li style="font-size: 0.7rem"><a href="https://micc.us/" target="__blank">Mortgage Cybersecurity Certifications</a></li> <li style="font-size: 0.7rem"><a href="https://denvercybersecurity.com/" target="__blank">Denver Cyber Security</a></li> <li style="font-size: 0.7rem"><a href="https://cybercecurity-mitch-tanenbaum-blog.com/" target="__blank">CyberCecurity Blog</a></li> <li style="font-size: 0.7rem"><a href="https://cyberwarhq.com/" target="__blank">Cyber War HQ Blog and Info Resource</a></li> <li style="font-size: 0.7rem"><a href="https://data1qbit.com/" target="__blank">Data1Qbit</a></li> <li style="font-size: 0.7rem"><a href="https://vendorassessmentasaservice.com/" target="__blank">Vendor Assessment as a Service</a></li> <li style="font-size: 0.7rem;"><a href="https://agentfarm.ai/" target="__blank">Agent Farm</a></li> </ul> </span> </div> </div> </div> </div> <div class="middle-section-footer"> <h4 class="f-15 head-colo-dark text-ali">Three Cybersecurity Certifications We Offer:</h4> <div class="container-center"> <div style="" class="row cus_pad"> <div class="middle-img-conatiner"> <div class="bottom-certi-container"> <a href='https://www.turnkeycybersecurityandprivacysolutions.com/nist-cybersecurity-program'><img src="/img/NIST_Newlogo.png" alt="MICC"></a> </div> </div> <div class="middle-img-conatiner"> <div class="bottom-certi-container"> <img src="/img/CMMC-NewLogo.png" alt="MICC" onclick="cmmc()"> </div> </div> <div class="middle-img-conatiner"> <div class="bottom-certi-container"> <a href='https://cloudsecurityalliance.org/trusted-cloud-provider/'><img src="/img/new_csa_image_2.png" alt="MICC"></a> </div> </div> </div> <div style="" class="row cus_pad"> <div class="col-md-12 col-sm-12"> <h4 class="f-15 head-colo-dark mb-3 mt-3 text-ali">Organizations We Are Part Of:</h4> </div> </div> <div style="" class="row cus_pad"> <div class="middle-img-conatiner"> <div class="bottom-certi-container"> <a href='https://cyberab.org/Catalog#!/c/s/Results/Format/list/Page/1/Size/1/Sort/NameAscending?term=mitch%20tanenbaum'><img src="/img/assertion-we_-e5GfQUC7sEqtzCpXRg.png" alt="MICC"></a> </div> </div> <div class="middle-img-conatiner"> <div class="bottom-certi-container"> <a href='https://www.iotsecurityfoundation.org/'><img style="width: 50%" src="/img/IoT-services.png" alt="MICC"></a> </div> </div> <div class="middle-img-conatiner"> <div class="bottom-certi-container"> <a href='https://www.infragard.org/'><img src="/img/infraguard.png" alt="MICC"></a> </div> </div> </div> </div> <script type="text/javascript"> let class_name = "demo"; let imwidth = '200px'; //don't change anything below let mc = document.getElementsByClassName(class_name); if (mc.length > 0) { let img_content = "https://micc.us/dashboard/api/user/getimg/5654b586307993be30930da9003bf1b36da82495"; console.log(img_content); for (let i = 0; i < mc.length; i++) { let mi = document.createElement('img'); mi.src = img_content; mi.alt = "MICC"; // mi.style.width = imwidth; let ma = document.createElement('a'); ma.href = "https://micc.us/dashboard/user/showdetail/5654b586307993be30930da9003bf1b36da82495?referrer=" + location.hostname + ""; mc[i].appendChild(ma); ma.appendChild(mi); } } </script> <div class="middle-img-conatiner" style="padding-left:5%; margin-bottom:20px;"> <div class="bottom-certi-container"> <a href='https://www.nsa.gov/About/Cybersecurity-Collaboration-Center/'><img src="/img/nsa-badge.png" alt="MICC"></a> </div> </div> <div> <ul> <p style="font-size: 12px; line-height: 1;"><b><a target="__blank" href="https://www.nsa.gov/About/Cybersecurity-Collaboration-Center/">NSA Cybersecurity Collaboration Partner</b></a><br></p> <li style="font-size: 12px; line-height: 1.5 !important; list-style: none;"><b>Partner Responsibilities:</b></li> <li style="font-size: 11px; line-height: 1;">Serve as liaison between NSA CCC and our clients</li> <li style="font-size: 11px; line-height: 1;">Communicate identified risks in the NSA CCC database to our clients</li> <li style="font-size: 11px; line-height: 1;">Help our clients implement NSA CCC services and technologies to reduce their risk profiles</li> </ul> </div> </div> <div class="last-section-footer padding-div4-mob"> <h4 class="f-15 head-colo-dark perso" style="margin: 0px; !important"><a class=" text-decoration-css head-colo-dark" href="/about">About Us</a> </h4> <h4 class="f-15 head-colo-dark perso" style="margin: 0px; !important"><a class=" text-decoration-css head-colo-dark" href="/technical-products">Products</a> </h4> <h4 class="f-15 head-colo-dark" style="margin: 0px; !important"><a class="text-decoration-css head-colo-dark" href="https://cybercecurity-mitch-tanenbaum-blog.com/">Blog</a></h4> <h4 class=" f-15 head-colo-dark hand-pointer " data-toggle="modal" data-target=".bd-example-modal-lg" style="margin: 0px; !important"><a href="/contact/">Contact Us</a></h4> <div class="mt-4"> <p class="m-0"><i class="fas fa-phone-alt pr-2" aria-hidden="true"></i><span class="f-small"><a href="tel:7208911663" target="_blank">720-891-1663</a></span></p> <p class="m-0"> <span class="f-12"><i class="fas fa-info-circle pr-1" aria-hidden="true"></i> <a class="mail-mob-css " href="mailto:mitch@turnkeycybersecurityandprivacysolutions.com" target="_blank">mitch@turnkeycybersecurityandprivacysolutions.com</a> </span> </p> <p class="mt-2"> <a class="do-not-sell" href="/do-not-sell-my-personal-information">We do not sell or share ANY data</a><br> <a href="/do-not-sell-my-personal-information"><span style="padding: 8px !important;margin: 0px 0px 0px 0px !important;float: none !important;font-size: 12px;">Click HERE to view our PRIVACY POLICY</span></a> </p> <a href="https://www.linkedin.com/company/tcps-llc/?viewAsMember=true" target="_blank"> <img alt="ray hutchins linked in" src="/img/linked%20in.jpg" class="pr-2"> </a> </div> <img alt="gsa contract holder" src="/img/gsa-contract-holder.png" style="width: 270px; margin-top: 30px;"> <br><a href="https://veterans.certify.sba.gov/" target="__blank"><img alt="sba badge huttan" src="/img/SBA-badge.png" style="width: 120px; margin-top: 30px;"></a> </div> </div> </div> <div class="footer-bg mt-4 px-lg-5 text-white"> <div class=""> <div class="text-white "> <a class="text-decoration-css" href="#"> <span class="font-size-footer text-white"> </span> <span class="pl-3 font-size-footer text-white"></span></a><a class="text-decoration-css text-white f-12" href="#"> </a> </div> <div class="float-right"></div> </div> </div> </footer> <div class="footer"> <div class="footer_resize"> <div class="menu-block"> <div class="new-footer-menu"> <ul> <li><a href="/">Home</a></li> <li><a href="/services/">services</a></li> <li><a href="/testimonials/">testimonials</a></li> <li><a href="/client-confidentiality/">client confidentiality</a></li> <li><a href="#" onclick="window.open('https://cybercecurity-mitch-tanenbaum-blog.com/', 'newwindow', 'width=1000, height=700 left=24, top=24, scrollbars, resizable'); return false;"><span>Blog</span></a></li> <li><a href="/d1qb/">d1qb</a></li> </ul> </div> <div class="new-footer-menu"></div> </div> <p><span>© 2024 Copyright CyberCecurity, All rights reserved.</span> <span class="private-policy"><a href="https://www.cybercecurity.com/privacy-policy/">Privacy Policy</a> Last Updated June 21, 2022</span> <div class="clr"></div> </div> </div> <link href="https://fonts.googleapis.com/css?family=Roboto:400,700,700italic,400italic" property="stylesheet" rel="stylesheet" type="text/css" /> <style> .promo-banner { background-color: #1a1a1a; color: #ffffff; text-align: center; padding: 15px; position: fixed; top: 0; width: 100%; z-index: 9999; font-family: Arial, sans-serif; box-shadow: 0 2px 5px rgba(0,0,0,0.3); transition: all 0.3s ease; display: block; /* Force display */ visibility: visible; /* Ensure visibility */ } .promo-banner a { color: #00ccff; /* Vibrant link color to stand out */ text-decoration: underline; font-weight: bold; } .promo-banner button { background: none; border: none; color: #ffffff; font-size: 20px; position: absolute; right: 20px; top: 10px; cursor: pointer; } @media (max-width: 600px) { .promo-banner { padding: 10px; font-size: 14px; } .promo-banner button { font-size: 18px; top: 5px; right: 10px; } } </style> <link rel="stylesheet" href="./includes/promo-banner.css" type="text/css"> <script src="./includes/promo-banner.js" type="application/javascript"></script> <div class="promo-banner" id="promo-banner"> <span>Use Our New Secure AI Agents to Build Your Business. Explore Custom AI Solutions with <a href="https://agentfarm.ai" target="_blank">AgentFarm.ai</a> ! Learn More.</span> <button onclick="closeBanner()">×</button> </div> <script> // Push the website content down by the height of the banner document.addEventListener('DOMContentLoaded', function() { var banner = document.getElementById('promo-banner'); var bannerHeight = banner.offsetHeight; document.body.style.marginTop = bannerHeight + 'px'; }); function closeBanner() { var banner = document.getElementById('promo-banner'); banner.style.display = 'none'; document.body.style.marginTop = '0'; // Reset the margin when banner is closed } </script> <script type="module" src="./js/agent.js" data-name="did-agent" data-mode="fabio" data-client-key="YXV0aDB8NjZmYzA0ZWRhZDJhYWYxOGI5NjEzOWVlOjU0alJEQ3VBalZ1dVpBVlYtTUxsUg==" data-agent-id="agt_K0LoXaHI" data-monitor="true"> </script> </body> </html>
