Monthly Archives: February 2024

Vendor Breach Reporting in the Modern Market


Data breaches are becoming more common and their repercussions more severe, which makes effective vendor breach reporting impossible to overlook. As companies rely more and more on third-party vendors for a variety of services, from cloud storage solutions to customer relationship management systems, the potential for data breaches originating from these vendors escalates. This blog will explore the current landscape of vendor breach reporting, highlighting the challenges, best practices, and the evolving regulatory environment that shapes how businesses respond to and report breaches.

Understanding the Landscape

The modern market is interconnected, with businesses routinely sharing sensitive information with vendors. This symbiotic relationship, however, introduces vulnerabilities. A breach at a vendor can have cascading effects, compromising the data integrity of all connected businesses. The 2023 Verizon Data Breach Investigations Report underscores this point, noting an uptick in incidents originating from third-party vendors.

Challenges in Vendor Breach Reporting

One of the primary challenges in vendor breach reporting is the detection and attribution of breaches. Identifying that a breach has occurred, and tracing it back to a specific vendor, requires sophisticated monitoring tools and a high degree of coordination between parties. Moreover, the variability in reporting requirements across jurisdictions adds a layer of complexity, making compliance a moving target for global businesses.

Best Practices for Effective Reporting

To navigate these challenges, businesses must adopt a proactive and comprehensive approach to vendor management and breach reporting. Key strategies include:

  • Due Diligence: Before entering into agreements with vendors, assess their security policies and incident response capabilities. Regular audits can ensure ongoing compliance with agreed-upon standards.

  • Transparent Communication: Establish clear lines of communication for reporting potential security incidents. This includes setting up contractual obligations for vendors to notify you immediately in the event of a breach.

  • Incident Response Planning: Develop a coordinated incident response plan that includes vendors. This plan should outline steps for breach investigation, notification, and mitigation, ensuring a swift and unified response.

  • Regulatory Compliance: Stay informed about the evolving regulatory landscape. Many regulations have set stringent requirements for data breach notification, including specific timelines and conditions under which breaches must be reported. Failure to comply can result in significant fines, legal fees, and damage to a company’s reputation.

The Evolving Regulatory Environment

Governments around the world are tightening regulations around data protection and breach notification. The trend is towards more stringent reporting requirements, with an emphasis on consumer protection. For instance, amendments to the GDPR and CCPA are pushing for shorter notification windows and greater transparency in the event of a breach. More recently, in 2024, the Federal Communications Commission (FCC) finalized new breach reporting rules that significantly tighten the requirements for telecommunications carriers in the US. These carriers now have only seven days to disclose data breaches. The rules have expanded the definition of a breach to include inadvertent access to or disclosure of customer information, which now encompasses not only Customer Proprietary Network Information (CPNI) but also personally identifiable information (PII) such as names, government ID numbers, biometric data, and email addresses/passwords. This change aims to cover a broader range of data and ensure customers are notified of breaches unless the carrier determines no harm is reasonably likely to occur. The updated rules also require that, in addition to the FBI and U.S. Secret Service, the FCC be notified of breaches.

Lastly, the Federal Trade Commission (FTC) has introduced an amendment to its Safeguards Rule, imposing a 30-day deadline for non-banking financial organizations to report incidents involving 500 consumers or more. This amendment aims to bolster consumer data security by demanding comprehensive incident reports, driving stronger security practices in the financial sector.

Closing Thoughts:

In the modern market, effective vendor breach reporting is not just a regulatory requirement; it’s a critical component of a company’s overall cybersecurity strategy. By implementing best practices for vendor management and staying abreast of regulatory changes, businesses can better protect themselves and their customers from the fallout of data breaches. As the digital landscape continues to evolve, so too must the strategies for safeguarding against and responding to security incidents. The key to resilience in the face of these challenges lies in preparation, partnership, and proactive engagement with the issue of vendor breach reporting.


The EU-U.S. Data Privacy Framework and Its Implications


Navigating the New Era of Data Privacy:

Nowadays data is as valuable as gold, and understanding and adapting to international data privacy regulations is crucial for global business operations. The recent development of the EU-U.S. Data Privacy Framework (DPF) marks a pivotal moment, particularly for businesses operating across the Atlantic. If you’re curious about the essence, significance, and potential challenges of the DPF for international data transfers, in an increasingly digital world where data privacy has become a paramount concern, read on.

The Essence of EU-U.S. Data Privacy Framework: 

A landmark event occurred on July 10th, 2023, when the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework, affirming that the U.S. ensures an adequate level of protection for personal data transferred under this framework. An adequacy decision allows for the free and safe flow of personal data from the EEA to third countries deemed to offer protection of personal data comparable to that of the EU. This decision on the EU-U.S. DPF enables data transfers without further conditions, ensuring a level of protection deemed essentially equivalent to that of the European Union.

This decision was bolstered by the U.S. signing an Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities”, introducing new safeguards and establishing an independent redress mechanism. These steps were taken in response to the Schrems II decision, emphasizing the U.S.’s commitment to addressing European privacy concerns. The EU-U.S. DPF emerged in the wake of the invalidation of its predecessors, the Safe Harbor and Privacy Shield frameworks, which faced significant legal challenges in Europe due to concerns over U.S. surveillance practices and the protection of EU citizens’ privacy rights.

However, the DPF aims to provide a more robust and legally sound mechanism for data transfers, aligning with the EU’s stringent data protection standards. Unlike its predecessors, the DPF incorporates enhanced protections and oversight mechanisms to address European concerns about American data practices.

Impact on Businesses:

For businesses, the DPF presents both opportunities and obligations. Companies transferring data from the EU to the U.S. can now do so under this framework, ensuring compliance with EU standards. However, this requires stringent adherence to DPF principles, including transparency, data security, and accountability. Businesses must revamp their data handling practices, which may involve significant operational changes but also offer the benefit of increased consumer trust and legal clarity.

Challenges and Future Outlook:

The DPF’s structure doesn’t shield it from legal scrutiny. Organizations like NOYB (None of Your Business) have signaled intentions to challenge the framework, questioning its effectiveness in safeguarding data from unauthorized access. The evolving landscape of data privacy laws also means that the DPF might undergo amendments and rigorous evaluations. The intersection of technology advancements, such as AI and big data, with data privacy, adds another layer of complexity to the future of international data transfer laws. The DPF isn’t just an EU-U.S. affair; it has global implications. Its adoption and implementation may influence data privacy regulations in other countries, shaping the global approach to data security. This framework’s handling of consumer privacy will also be closely watched, potentially setting standards for international data protection and shaping public perception of data security.

As we navigate compliance in 2024, the EU-U.S. Data Privacy Framework represents a significant, although potentially transient, solution in the intricate world of data privacy. Businesses must remain agile and informed to effectively navigate this evolving landscape. While the DPF currently offers a path for compliance, the journey toward comprehensive international data privacy continues to unfold.

 

AI’s Role in Enhancing Compliance and Regulatory Processes


Artificial Intelligence (AI) is revolutionizing the way companies adhere to regulations. It offers a new level of efficiency and accuracy in navigating regulatory complexities.


Automating Compliance Monitoring

AI excels at analyzing vast data sets continuously to ensure compliance. This real-time oversight helps businesses quickly identify and correct issues, reducing legal risks.


Improving Accuracy and Predictive Analysis

AI’s machine learning algorithms can foresee compliance risks by studying data patterns. This allows organizations to adjust proactively and stay aligned with regulations.


Simplifying Document Analysis

AI automates the analysis of compliance documents. It extracts pertinent information and evaluates documents more rapidly and accurately than manual methods.


Customizing Compliance Strategies

AI customizes compliance plans based on a company’s specific needs and risks. It analyzes operations and regulations to offer tailored compliance recommendations.


Enhancing Regulatory Reporting

AI automates the creation of regulatory reports, streamlining what is typically a manual process. This boosts report speed and accuracy.


The Importance of AI in Compliance

AI is essential for managing compliance in today’s complex, data-driven environment. It offers scalable solutions to adapt to new regulatory challenges, helping businesses grow while staying compliant.

AI’s transformative role in compliance offers new opportunities for proactive risk management and operational efficiency. Its continued evolution will be vital for navigating the regulatory landscape effectively.

Emerging Trends in the Tech Industry for the Next Decade


The next decade in the tech industry promises unprecedented transformation. Emerging trends are set to redefine innovation, efficiency, and societal impact. These include the acceleration of artificial intelligence (AI) and the advent of quantum computing. They promise to reshape our world. Here’s a closer look at these transformative trends:


Artificial Intelligence and Machine Learning

AI and machine learning will deepen their integration into various sectors. They will automate tasks, enhance decision-making, and personalize user experiences. The evolution of AI algorithms will enable smarter, autonomous systems. These systems can perform a range of tasks, revolutionizing healthcare, finance, and manufacturing.


Quantum Computing

Quantum computing marks a significant advancement. It can process and analyze data much faster than current supercomputers. This advancement could revolutionize drug discovery, optimization problems, and cryptography. It’s changing the computational science landscape.


The Rise of 5G and Beyond

The global rollout of 5G networks will unlock new connectivity possibilities. It enables faster, more reliable internet services. This development is crucial for IoT devices, autonomous vehicles, and AR and VR applications. It offers a more interconnected and immersive digital experience.


Blockchain and Decentralized Finance (DeFi)

Blockchain and DeFi are transforming traditional financial systems. They offer transparent, efficient, and secure transaction methods. As these technologies mature, they could democratize financial services access. They create new asset ownership and investment strategies.


Edge Computing

With the explosion of data generation, edge computing’s importance is growing. By processing data closer to its source, edge computing reduces latency, improves speed, and enhances privacy. This is vital for real-time applications in various sectors.


Sustainability and Green Technology

Technology is crucial in addressing environmental challenges. Innovations in renewable energy, smart grids, and sustainable computing will reduce carbon footprints. They promote environmental sustainability.


Cybersecurity Evolution

Digital transformation increases cyberattack risks. The next decade will see cybersecurity measures evolve. The use of AI and blockchain will protect data privacy and secure online activities against sophisticated threats.


Augmented Reality (AR) and Virtual Reality (VR)

AR and VR are expanding beyond entertainment. They offer transformative applications in education, training, remote work, and healthcare. These technologies will become more accessible, providing immersive experiences that enhance various fields.


Digital Health Innovations

Digital health will transform healthcare delivery. Technologies like telehealth, wearable devices, and AI-powered diagnostics will make healthcare more accessible and efficient.


Ethical AI and Technology Governance

As technology’s influence grows, ethical considerations and governance will become crucial. Ensuring AI fairness, transparency, and accountability is paramount. It’s vital in building trust and ensuring equitable benefits from these technologies.

The next decade of tech innovation holds great promise. It has the potential to address some of the world’s most pressing challenges. However, it also raises questions about ethics, privacy, and the digital divide. The tech industry must navigate these challenges responsibly. It must ensure the future of technology is inclusive, sustainable, and beneficial for all.

ICYMI: Watch the Recording of Our Latest EU Taxonomy Webinar

Why Isn’t Everyone Talking About the EU Taxonomy?


Despite its far-reaching implications for corporate sustainability, ESG standards, and compliance landscapes, the EU Taxonomy Regulation seems to fly under the radar of mainstream conversations. Why is this groundbreaking framework not the talk of every boardroom and the headline of every business news outlet? Let’s dive into the essence of the EU Taxonomy, its impacts, and the reasons it should be at the forefront of global sustainability discussions.

The EU Taxonomy Explained

The EU Taxonomy is a legally binding classification system developed by the European Commission to direct investments towards sustainable projects. It aims to enhance transparency, prevent greenwashing, and ensure that environmental sustainability is embedded in the heart of financial and economic activities. By defining what constitutes a sustainable economic activity, it mandates financial and non-financial undertakings to disclose how their operations align with specific criteria related to environmental sustainability, covering aspects such as turnover, capital expenditures (CapEx), and operating expenditures (OpEx). The taxonomy represents a framework for categorizing economic activities based on their alignment with a net zero pathway by 2050 and wider environmental objectives beyond climate concerns.

The Current State of Compliance and the Chasm Ahead

The EY EU Taxonomy Barometer 2023 provides illuminating insights into the current state of compliance. While an encouraging 89% of companies report some level of disclosure, the actual alignment with the taxonomy’s objectives is less than 40%. This discrepancy underscores a critical challenge: companies are struggling to fully integrate the taxonomy’s rigorous environmental standards into their operations. The complexities of disclosure requirements, coupled with interpretative uncertainties and the detailed technical analysis required for alignment assessments, present formidable hurdles.

Despite these challenges, the benefits of adopting the EU Taxonomy are manifold. Beyond compliance, alignment with the taxonomy fosters improved transparency, access to green financing, enhanced reputation, and opportunities for value creation and employee retention. Yet, as the research analyzing 320 companies across various EU countries and sectors indicates, there is a significant variation in the levels of taxonomy alignment, with certain sectors like power and utilities faring better than others.

Why the Silence?

Given the critical importance of the EU Taxonomy in steering the continent towards sustainability, the lack of widespread discourse is perplexing. Several factors contribute to this silence:

  1. Complexity and Uncertainty: The intricate details and the evolving nature of the taxonomy’s criteria make it a challenging subject for widespread discussion. Businesses are still grappling with understanding and implementing these regulations, leading to a focus on internal compliance efforts rather than external discourse.

  2. Sector-Specific Impacts: The impact of the taxonomy is more pronounced in certain sectors, leading to uneven levels of engagement and discussion across industries. Companies in sectors with clearer pathways to sustainability may find it easier to align and thus more likely to engage in discussions.

  3. Emerging Reporting Requirements: The integration of the Corporate Sustainability Reporting Directive (CSRD) into the taxonomy framework is set to expand the scope of companies required to disclose sustainability information. As companies prepare for these new requirements, the focus may be more on internal readiness rather than public conversation.

  4. Investment and Partnership Implications: The stark reality is that companies with low ESG scores, and by extension, poor alignment with the EU Taxonomy, face significant barriers to investment and partnerships. This looming threat may prompt companies to prioritize internal adjustments over public engagement on the topic.

The Path Forward

The time to talk, act, and lead on the EU Taxonomy is now. The EU Taxonomy is not just another regulatory requirement; it is a pivotal element of the EU’s ambition to become a carbon-neutral continent. It represents a fundamental shift towards embedding sustainability at the core of economic activities. As the taxonomy evolves and expands, companies must not only strive for compliance but also recognize the strategic value of sustainability reporting.

Businesses should embrace the taxonomy as a tool for strategic planning, risk management, and market differentiation. Developing comprehensive reporting strategies, mapping financial data to the taxonomy’s requirements, and establishing robust processes and controls are critical steps in this journey.

Moreover, fostering a broader dialogue about the EU Taxonomy and its implications for global sustainability efforts is essential. By bringing this conversation to the forefront, businesses, policymakers, and stakeholders can collectively navigate the complexities of the taxonomy, leverage its benefits, and drive meaningful progress towards a sustainable future.


The Ripple Effect – Unraveling Scope 3 Emissions


Unraveling the Complexity of Scope 3 Emissions

Understanding and managing greenhouse gas (GHG) emissions is crucial for any organization committed to reducing its carbon footprint in 2024. Among these emissions, Scope 3 emissions present a formidable challenge – yet offer a significant opportunity at the same time. These emissions, stemming from activities not directly controlled by an organization but crucially impacting its value chain, are often the largest share of an organization’s carbon output. In this blog I will discuss Scope 3 emissions, offering practical insights into their calculation, reporting, and reduction, tailored for the sustainability champions within organizations.

The Scope 3 Emission Landscape

Scope 3 emissions, as defined by the GHG Protocol, encompass all indirect emissions that occur in an organization’s value chain, excluding direct emissions (Scope 1) and indirect emissions from purchased electricity, steam, heating, and cooling (Scope 2). This broad category covers emissions from both upstream and downstream activities, ranging from the production of purchased goods and services to the end-of-life treatment of sold products. With 15 categories outlined by the GHG Protocol, Scope 3 emissions can be seen as a complex web interconnecting an organization with its suppliers, customers, and the broader environment.

Given their extensive nature, Scope 3 emissions often account for the majority of an organization’s GHG footprint, sometimes dwarfing the combined total of Scope 1 and 2 emissions. This vast impact underscores the importance of accurately identifying, calculating, and reporting these emissions. However, the path to mastering Scope 3 emissions is fraught with challenges, from determining relevant categories to ensuring accurate data collection and calculation.

Charting a Course Through Scope 3 Calculation

The journey to Scope 3 accounting begins with identifying relevant emission categories. This process involves assessing which of the 15 categories are significant based on factors such as size, influence, risk, and stakeholder expectations. Following this, organizations must estimate the GHG emissions in each relevant category. This step requires choosing among various calculation methods, from spend-based approaches to more detailed activity-based data collection, each offering a different level of accuracy and complexity.

A critical aspect of Scope 3 management is the continuous improvement and expansion of emissions estimates. Organizations are encouraged to refine their data collection methods over time, shifting from generalized estimates to more precise measurements. This evolution not only enhances the accuracy of Scope 3 reporting but also highlights opportunities for targeted emissions reductions within the value chain.

Strategies for Scope 3 Emission Reduction

Addressing Scope 3 emissions effectively requires a multifaceted approach. Engaging with suppliers to encourage better environmental practices is a key strategy, as is selecting vendors based on their carbon management efforts. Furthermore, optimizing product design for sustainability and exploring opportunities for renewable energy procurement can significantly reduce the environmental impact of both upstream and downstream activities.

The path to reducing Scope 3 emissions also involves leveraging technology and innovation. Leading reporting frameworks like CDP, GRI, ENERGY STAR, and GRESB provide a variety of support to assist organizations in figuring out their greenhouse gas emissions information. Additionally, embracing software-as-a-service (SaaS) solutions for GHG emissions data management can streamline reporting and analysis, enabling organizations to identify and act on reduction opportunities more efficiently.

Embracing the Scope 3 Challenge

For sustainability leaders, tackling Scope 3 emissions is not just about compliance or reporting; it’s about seizing the opportunity to make a profound impact on the planet’s future. By embracing the complexity of Scope 3 emissions, organizations can uncover hidden opportunities for improvement, drive innovation in their value chains, and take a leading role in the global transition to a low-carbon economy. The journey may be challenging, but with the right strategies, tools, and commitment, it is a journey that can lead to significant environmental, economic, and social rewards.

In conclusion, as we navigate the intricacies of Scope 3 emissions together, let’s remember that every step taken towards understanding and reducing these emissions is a step towards a more sustainable and resilient future. The task at hand is not just a responsibility but an opportunity to lead change and make a lasting difference.

The Evolution of Compliance Automation


The Revolutionary Impact of Compliance Automation

Cybersecurity and ESG criteria are evolving every day, and the significance of compliance is undeniable. Compliance automation has emerged as a beacon of innovation, reshaping how companies navigate the complex landscape of regulatory requirements and societal expectations. Here at Findings, we’re leading the charge in harnessing the power of AI automation to reshape how companies demonstrate their commitment to security and sustainability. This transformation is not just about staying within legal boundaries; it’s about leveraging technology to make that commitment visible in a transparent, efficient manner.

The Evolution from Manual to Automated Compliance

Our journey began against the backdrop of an era dominated by manual compliance processes.

Think: endless excel spreadsheets.

The initial focus was on digitizing paperwork and making audits more manageable. However, as regulations grew, and continue to grow, increasingly complex, the limitations of manual processes became glaringly apparent. This challenge paved the way for the era of compliance automation, an era we’re pioneering. By integrating generative AI and machine learning, we’ve transformed difficult, error-prone tasks into streamlined, precise operations.

We’re at the forefront of this transformative wave, offering a comprehensive suite of services, including audit automation and assessment automation, as well as offering our clients continuous risk ratings, and continuous monitoring. Our approach to compliance automation doesn’t just simplify adherence to regulations; it completely redefines the landscape. Our platform enables real-time assessment of compliance postures and transparent demonstration of adherence to both industry standards and ESG principles. For CISOs, compliance officers and cybersecurity professionals, we provide not just the tools to meet compliance expectations but the means to surpass them with unparalleled efficiency and dependability.

The rise of automation marks a pivotal shift for professionals. Freed from the burdens of manual oversight and exhaustive paperwork, you can now pivot towards strategic imperatives. This enhancement in decision-making capabilities fosters a culture of proactive risk management and corporate accountability, aligning closely with our mission to empower businesses.


Transforming Compliance and Corporate Resilience

As we look into the future, it’s evident that compliance automation is a fundamental evolution in how businesses meet regulatory obligations. Our journey exemplifies the potential of automation to not only streamline compliance processes but also to bolster a company’s standing and trustworthiness among stakeholders. For businesses ready to embrace this change, it signifies a gateway to growth, resilience, and a competitive edge.

The evolution of compliance automation is a testament to technology’s capacity to effectuate positive change. By automating routine tasks, we enable companies to concentrate on what truly matters—building a safer, more sustainable future for all.

Everything You NEED to Know About the TCFD


In the world of climate change and sustainability, the transition from the Task Force on Climate-related Financial Disclosures (TCFD) to the International Financial Reporting Standards (IFRS) marks a significant evolution. Initially spearheaded by the Financial Stability Board (FSB) in 2015, the TCFD’s recommendations have been pivotal in shaping regulatory frameworks globally. However, as of 2024, the IFRS takes the baton, introducing a newer, more detailed framework for international ESG reporting, risk management, and climate-related financial disclosures. This blog explores the transition, its implications, and what it means for the future of climate risk disclosures.

The Birth of TCFD and Its Impact on the Global Landscape

First, let’s start with what the Task Force on Climate-related Financial Disclosures (TCFD) even is. Chaired by Michael Bloomberg, the TCFD was created by the Financial Stability Board (FSB), the body established in the aftermath of the 2008 global financial crisis to promote international financial stability. The TCFD’s primary objective is to improve and standardize organizations’ disclosures related to climate change. By promoting transparency, the TCFD seeks to help companies integrate climate-related risks and opportunities into their strategic planning, risk management, and decision-making processes. This proactive approach encourages companies and investors to understand the financial implications of climate change, paving the way for investments in sustainable and resilient solutions.

Global Adoption and Impact

The TCFD’s recommendations have gained significant momentum worldwide. Several jurisdictions, including the European Union, Singapore, Canada, Japan, and South Africa, have incorporated these guidelines into their regulatory frameworks. The United Kingdom and New Zealand were also on the verge of mandating climate risk disclosures using the TCFD framework.

The Transition to IFRS: A New Chapter in Climate-Related Disclosures

The FSB has announced that the TCFD has completed its mission and will be replaced by the IFRS, a move that signifies a step towards a more standardized global approach to disclosing climate-related risks and opportunities. The IFRS, through the International Sustainability Standards Board (ISSB), will adopt and enhance the TCFD’s framework, ensuring a seamless transition while calling for more detail and transparency in disclosures.

What is the IFRS?

The IFRS is a non-profit organization focused on establishing globally accepted sustainability disclosure standards. It aims to closely monitor companies’ progress in climate-related disclosures, adopting the TCFD’s recommendations with additional insights from the ISSB. This approach ensures a comprehensive framework for organizations to communicate their sustainability-related financial information effectively.

Key Differences and New Directions Under IFRS

The IFRS standards, particularly IFRS S1 and IFRS S2, build upon the TCFD’s foundational work, integrating its recommendations while introducing new requirements for a more detailed disclosure process. Key differences include:

  • Comprehensive Coverage: IFRS S1 extends beyond climate to cover all sustainability-related issues, offering a holistic approach to ESG reporting.

  • Scope 3 Emissions Reporting: IFRS S2 mandates detailed reporting on Scope 3 emissions, providing a fuller picture of a company’s environmental impact.

  • Material Information Focus: Both IFRS S1 and S2 stress the importance of disclosing all material sustainability-related information, ensuring that investors have a complete understanding of a company’s sustainability performance.

  • Industry and Sector Specifics: The new standards require disclosures tailored to specific industries and sectors, enhancing the relevance and comparability of information.

Preparing for the IFRS Transition

Companies need to align their reporting practices with the upcoming ISSB standards, starting with a thorough review of current sustainability reporting to identify any gaps. Establishing robust data collection and management systems is crucial for capturing the necessary sustainability information, including detailed greenhouse gas emissions data and insights into climate risks and opportunities.

The Legacy of TCFD and the Path Forward

The TCFD has been instrumental in advancing the practice and quality of climate-related disclosures. Its recommendations have laid the groundwork for the ISSB standards, ensuring that the transition to IFRS reporting will continue to support informed decision-making by investors, lenders, and insurers. As the ISSB takes over monitoring responsibilities from the TCFD in 2024, companies are encouraged to familiarize themselves with the new requirements to maintain compliance and support transparency in financial markets. The shift to IFRS reporting not only reflects the evolving landscape of financial disclosures but also shows the collective commitment of businesses, investors, and regulators to address the financial implications of climate change.

January 2024 Data Breach Round Up


Enhancing Cybersecurity in the Face of Growing Threats

U.S. SEC’s X Account Compromise

The U.S. Securities and Exchange Commission’s (SEC) X account was hacked to falsely announce the approval of Bitcoin ETFs, causing a temporary spike in Bitcoin prices. The false claim was quickly addressed by SEC Chairperson Gary Gensler, who clarified that the SEC had not approved Bitcoin ETFs and that the tweet was unauthorized. This hacking incident is part of a broader wave of cyberattacks on verified X accounts aimed at promoting cryptocurrency scams. Notably, companies like Netgear, Hyundai MEA, and cybersecurity firms such as CertiK and Mandiant have also been targeted. The SEC has terminated the unauthorized access and is collaborating with law enforcement to investigate the breach and its implications. The incident underscores the growing concern over cybersecurity in the digital finance space.

VF Corporation Data Breach

On January 18, 2024, VF Corporation, the parent company of popular brands such as Vans, Timberland, The North Face, Dickies, and Supreme, reported a ransomware attack it experienced in December that compromised the personal information of over 35 million customers. Fortunately, sensitive information such as social security numbers, bank account details, or payment card details was not stolen, as the company does not store these details on its systems. Despite no evidence of stolen consumer passwords, the breach disrupted business operations, leading to the temporary shutdown of IT systems, inventory replenishment issues, and delayed order fulfillment. VF Corp has since managed to restore the affected IT systems and reported minimal operational issues in its retail stores, e-commerce sites, and distribution centers as of the latest update.

Trello API Misuse

An exposed Trello API was abused to link private email addresses to 15 million Trello accounts, leading to a significant data leak. The issue came to light when a user named ‘emo’ attempted to sell the data on a hacking forum, which included emails, usernames, full names, and other account information. Trello, owned by Atlassian, attributed the leak to public data scraping and not unauthorized system access. However, further investigation revealed that a publicly accessible API allowed the association of email addresses with Trello profiles without requiring authentication. Trello has since modified the API to prevent unauthenticated queries, aiming to balance user convenience with security. The data breach underscores the potential for abuse in public APIs and highlights the importance of securing such interfaces against unauthorized access. This incident also raises concerns about the use of public data in targeted phishing campaigns, prompting users to be vigilant.
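As an added illustration of the weakness and the fix described above (example code, not Trello’s or Atlassian’s), the following shows an email-to-profile lookup that answers any caller beside a hardened version that requires an authenticated session and flags a single session resolving many distinct addresses. The class, the sample users and sessions, and the threshold of three lookups are constructed assumptions for the example.

```python
"""Added illustration (not Trello's or Atlassian's code): an unauthenticated
member lookup that maps an email to a profile, beside a hardened lookup that
requires a session and flags bulk resolution. All data is constructed."""
from collections import defaultdict


class MemberLookupService:
    def __init__(self, users, sessions, alert_threshold=3):
        self.users = users              # email -> public profile fields
        self.sessions = sessions        # session token -> owning account
        self.alert_threshold = alert_threshold  # assumed value for the example
        self._seen = defaultdict(set)   # token -> distinct emails resolved
        self.flagged = set()            # tokens that exceeded the threshold

    def lookup_unauthenticated(self, email):
        """The weak pattern: anyone can turn an email address into an account."""
        return self.users.get(email.lower())

    def lookup(self, email, session_token):
        """Hardened: reject callers without a valid session, and treat one
        session resolving many distinct addresses as scraping."""
        if session_token not in self.sessions:
            raise PermissionError("authentication required")
        seen = self._seen[session_token]
        seen.add(email.lower())
        if len(seen) > self.alert_threshold:
            self.flagged.add(session_token)   # defender's signal for review
            raise PermissionError("lookup volume exceeded; flagged for review")
        return self.users.get(email.lower())


# Constructed sample data for the example (not real accounts).
SAMPLE_USERS = {
    "alice@example.com": {"username": "alice_w", "full_name": "Alice Wong"},
    "bob@example.com": {"username": "bob_k", "full_name": "Bob Kaur"},
}
SAMPLE_SESSIONS = {"tok-alice-123": "alice@example.com"}


if __name__ == "__main__":
    svc = MemberLookupService(SAMPLE_USERS, SAMPLE_SESSIONS)
    print(svc.lookup_unauthenticated("bob@example.com"))   # weak: works for anyone
    print(svc.lookup("bob@example.com", "tok-alice-123"))  # hardened: needs a session
```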

Capital Health Ransomware Attack

The LockBit ransomware group has taken responsibility for a cyberattack on Capital Health, a key healthcare provider in New Jersey and Pennsylvania, in November 2023. On their data leak site, the group wrote, “We purposely didn’t encrypt this hospital so as not to interfere with patient care. We just stole over 10 million files.” They have threatened to release seven terabytes of sensitive data and negotiation communications if their ransom demands are not met. Although LockBit typically forbids affiliates from encrypting hospital network files to avoid disrupting patient care, they claim to have stolen data without encryption in this instance. Capital Health has restored its systems and enhanced security measures but is still assessing the extent of the data breach. This incident is part of a disturbing trend where healthcare organizations, despite guidelines advising against such attacks for ethical reasons, are increasingly targeted by ransomware gangs. LockBit’s actions, including previous attacks on healthcare institutions globally, challenge the notion of “harmless” cyberattacks by highlighting the potential for significant operational disruptions and data breaches within the healthcare sector.

loanDepot Cyberattack

loanDepot, a leading U.S. mortgage lender, experienced a cyberattack that disrupted its IT systems and online payment portal, affecting customers’ ability to make loan payments and contact the company via phone. In a company notice, it was revealed that, “Although its investigation is ongoing, the Company has determined that an unauthorized third party gained access to sensitive personal information of approximately 16.6 million individuals in its systems. The Company will notify these individuals and offer credit monitoring and identity protection services at no cost to them.” The incident led loanDepot to take certain systems offline as it works with law enforcement and forensic experts to investigate and resolve the issue. In an 8-K filing, the company reported that the unauthorized actor had gained access to certain company systems and encrypted data. This attack raises concerns about potential data theft, including sensitive customer information, which could lead to phishing attacks or identity theft. This event marks another significant cyber challenge for loanDepot, following a data breach disclosed in May from an August 2022 cyberattack, highlighting ongoing security threats in the financial services sector.

Trezor Support Site Breach

Trezor, a leading hardware cryptocurrency wallet provider, announced a security breach affecting its third-party support ticketing portal, exposing personal data of 66,000 customers. The breach, detected on January 17, led to unauthorized access but did not compromise users’ digital assets. Trezor reassured customers that their funds remain secure and their devices are unaffected. However, the breach exposed names or usernames and email addresses of users who interacted with Trezor Support since December 2021. Although other personal information like postal addresses and phone numbers were stored, there’s no evidence they were accessed. The company confirmed 41 instances of data exploitation, with attackers phishing for users’ recovery seeds via email, posing as Trezor Support. Trezor has alerted potentially affected users, emphasizing that wallet recovery seeds should never be shared, as disclosing them could lead to irreversible cryptocurrency theft. The unauthorized access has been terminated, and the risk mitigated.

Veolia North America Ransomware Attack

Veolia North America, part of the global Veolia group, was hit by a ransomware attack affecting its Municipal Water division’s systems and disrupting online bill payment services. Veolia responded by taking certain systems offline and is collaborating with law enforcement and forensic experts to understand the attack’s full impact. The company reassured customers that payments made during the disruption have been processed and no late fees or interest charges will apply. Importantly, Veolia’s water treatment and wastewater services remained uninterrupted, indicating the attack was limited to internal back-end systems. A small number of individuals’ personal information may have been compromised, and Veolia is assessing the extent of this breach. This incident underscores the growing cybersecurity threats facing critical water infrastructure, highlighting recent attacks on other water services and CISA’s efforts to bolster security within the sector.

Jason’s Deli Credential Stuffing Attack

Jason’s Deli has reported a data breach due to a credential stuffing attack, impacting customers of its online platform. Hackers obtained login credentials from other breaches and tested them on Jason’s Deli’s website on December 21, 2023. This type of attack exploits the common practice of using the same password across multiple services, posing a risk to accounts with reused credentials. The breach potentially exposed personal data including names, addresses, phone numbers, birthdays, preferred locations, account numbers, Deli Dollar points, and the last four digits of credit card and gift card numbers. The exact number of affected accounts is unknown, but all potentially impacted customers, estimated at 344,034, have been notified and advised to reset their passwords. Jason’s Deli is also restoring any unauthorized use of Deli Dollars to ensure customers do not face losses.

A Call to Action for Cybersecurity Leaders

These incidents collectively highlight the multifaceted nature of cyber threats and the critical need for advanced security measures, employee training, and regulatory compliance. CISOs, cybersecurity experts, and risk managers must remain vigilant, adopting a proactive approach to cybersecurity that anticipates and mitigates potential threats. Collaboration, innovation in security technologies, and adherence to best practices are essential in safeguarding against the evolving cyber threat landscape, ensuring the integrity and resilience of organizational operations in an increasingly digital world.
