NAIC Insurance Data Security Model Law Update

by Brian Fischer on February 9, 2018

There are two interesting updates on the progress of the NAIC Model Law. First, four states are working to add the Model Law to their 2018 legislative calendars: South Carolina, Rhode Island, Vermont and the District of Columbia. Of these, South Carolina is furthest along in its efforts. A newcomer, Louisiana, is now moving […]

NAIC Insurance Data Security Model Law

by Brian Fischer on October 31, 2017

The Big Picture

On October 24, 2017 the NAIC passed the Insurance Data Security Model Law, which establishes standards for data security and for the investigation of, and notification to the Commissioner of, a Cybersecurity Event. The framework of the Insurance Data Security Law is similar to the New York Department of Financial Services Cybersecurity […]

What is 23 NYCRR 500?

by Brian Fischer on October 31, 2017

The Big Picture

The NYDFS Cybersecurity Regulation, 23 NYCRR 500, requires New York banks, financial services companies and insurance companies, including non-New York insurance companies that do business in New York, to perform a Cybersecurity Risk Assessment and to create and maintain a Cybersecurity Program based on that Risk Assessment. This risk-based approach is […]

A new worm, EternalRocks, that exploits Windows SMB (Server Message Block) vulnerabilities has been discovered by a security researcher. EternalRocks uses seven SMB-specific NSA tools, while WannaCry used only two. It is a much scarier worm because it does not have any weaknesses that could be used to contain it, such as the kill switch used to contain WannaCry. EternalRocks uses EternalBlue, EternalChampion, […]

WannaCry (also known as Wanna Crypt and WannaCrypt0r 2.0) is a type of Trojan called ‘ransomware’, which holds the infected computer hostage until a ransom is paid by the computer owner. Over the weekend of May 13-14, 2017 the world experienced a major impact from the WannaCry ransomware attack. More than 200,000 systems across more than 150 countries were […]

NCUA Examiner Insight for 2017

by Brian Fischer on March 1, 2017

The 12th annual CUISPA (Credit Union Information Security Professionals Association) conference was held on February 21 & 22 in San Antonio. SCA routinely participates in this conference to network with credit union information technology and risk management professionals, and just as importantly, to engage NCUA examiners about items on their priority list. This year’s panel […]

Ransomware Survival Guide

by Brian Fischer on August 16, 2016

Malware and ransomware cases are on the rise. Cybercriminals are lured by the lucrative payoff of encrypting an organization’s files and then holding them for ransom. According to Security Intelligence by IBM, Q1 2016 saw a record high for ransomware. Kaspersky Lab noted a 30% increase in ransomware victims in Q1 compared to the previous quarter. […]

Recently, I attended the annual CUISPA (Credit Union Information Security Professionals Association) conference in Austin, TX. As you can imagine, cybersecurity was a popular topic of discussion. Also in attendance was a panel of 5 NCUA IT examiners from across the country including the Director of ONES (Office of National Examinations and Supervision). A panel […]

Cybersecurity and Incident Response Top NCUA Focus in 2016

by Brian Fischer on January 12, 2016

The NCUA’s first Letter to Credit Unions in 2016 intensifies the cybersecurity focus that began in 2014 with an FFIEC cybersecurity exam pilot program. Topping the list of this year’s supervisory priorities are Cybersecurity Assessments. The letter states “As in 2014 and 2015, NCUA will continue to carefully evaluate credit unions’ cybersecurity risk management”. This […]

Vulnerability Scan vs. Pen Test – What’s the Difference?

by Brian Fischer on September 2, 2015

The term “penetration test” is getting some attention lately. I’ve been hearing that auditors, not necessarily state or NCUA examiners, are asking for pen test results. “Pen test” is one of the most overused, and as a result misunderstood, terms in the information security industry. People say pen test just as easily as they might […]