Good day. Hefty questionnaires have long been a favored method for banks to perform due diligence on service providers, but financial companies are suggesting to regulators that these are increasingly inadequate, WSJ Pro’s James Rundle reports. Risk management in the financial supply chain is of keen interest to regulators, some of which are looking into how banks vet cloud and other technology firms.
We also have an update about three Alabama hospitals battling ransomware, in a report from WSJ Pro’s Adam Janofsky, below.
Twitter and WhatsApp could see GDPR case decisions soon.
Have you visited our new website? Check it out: https://www.wsj.com/pro/cybersecurity Let me know what you think by email.
Financial System Security
Cyber risks force banks to rethink vendor relationships. The usual means of assessing vendor risk—lengthy questionnaires—are no longer appropriate, companies tell regulators.
Surveys that financial firms typically send to business partners often end up being a check-box exercise full of yes or no questions. The method doesn’t uncover all cybersecurity risks.
Banks worry that weak controls at technology providers could allow hackers into their own systems. Regulators are also concerned that a cyberattack that takes down a major financial company could destabilize markets. The problem is, no one has any good alternatives to questionnaires, WSJ Pro’s James Rundle reports.
Read the full story at the WSJ Pro Cybersecurity website.
Update: Ransomware at Alabama Hospitals
The Alabama hospital system battling a ransomware attack since last week decided to pay a ransom.
“We work with law enforcement and IT security experts to assess all options...in the best interest of our patients,” a spokesman for the group told WSJ Pro Cybersecurity Monday. “This included purchasing a decryption key from the attacker to expedite system recovery and help ensure patient safety.”
Operations at the hospitals—DCH Regional, Northport and Fayette—had been disrupted since Oct. 1. Non-emergency patients were asked to find alternate providers and medical staff resorted to written notes.
The spokesman declined to say how much the group paid and had no time frame for full recovery, adding that restoration work continues.
Would you pay attackers? The Federal Bureau of Investigation advises against paying hackers, saying it only encourages more attacks, and the U.S. Conference of Mayors in July adopted a resolution opposing ransom payments.
But some security professionals say there may be times when municipalities have few options other than to pay, especially if the systems taken hostage are critical to public health and safety and can’t be restored quickly. Read how experts weigh both sides of the argument and let us know how you come down.
More Cyber News
Ireland’s privacy regulator moves closer to decisions on WhatsApp, Twitter. Ireland’s Data Protection Commission said Monday that it has completed investigations in two of the first cases involving big tech companies, The Wall Street Journal reports. The results are now on the desk of the body’s commissioner, for her draft decisions and possible fine recommendations, which could come by the end of the year. Representatives for WhatsApp and Twitter declined to comment.
WhatsApp: The case looks at whether the Facebook-owned chat app gives sufficient information to users and nonusers about how it shares data, in particular with other Facebook units.
Twitter: The case examines whether the company complied with notification obligations for a personal data breach the company disclosed to the regulator in January.
All eyes: The Irish cases have been closely watched. How EU regulators eventually decide the cases under the GDPR, and the size of any fines they might impose, will help determine the role the EU will play in regulating the tech sector world-wide.