We provide a battlefield strategy to win against cyberwar adversaries.

Our approach is different: we start by looking at the business from the outside to fix the most common access-point vulnerabilities, then move to the inside to provide cyber defense countermeasures against phishing, ransomware, malware, and bot attacks.

Why do we do it?

Did you know 42% of respondents to a cyber risk survey were asked to keep threats confidential?

We must change the culture so that reporting suspicious activity to the SOC incident response teams is recognized as good security stewardship.

Business Justifications

Cyber Alignment with 3rd Party Risk Management

Major cyber risk areas in 2023 and beyond

Why we need a new approach to handling this explosive threat

Zurich's call to cyber action, with Lloyd's following the lead.

Reinsurers and carriers: cyber protection becoming uninsurable - Zurich's CEO is quoted as saying that cyber attacks are uninsurable.

Executive Order - Executive Order on Improving the Nation's Cybersecurity.

Form 8-K mandate - SEC - Cyber Threat Reporting Requirement.

Securities and Exchange Commission (SEC) requirements - In 2022, the SEC introduced cybersecurity-related requirements.

For the protection of investors, the SEC now requires companies to inform investors and shareholders of "material incidents" within four business days of discovery. More recently, in March 2023, the SEC proposed updates to its cybersecurity rules, imposing stringent disclosure requirements for covered entities and requiring affected institutions to adopt "written policies and procedures" for incident response that include informing affected individuals within 30 days.


CISA Protective DNS Initiative - CISA Protective DNS Resolver

Cloudflare and HLS mandate for a protected DNS registrar - Cloudflare mandate by HLS.

GDPR - The GDPR asks companies to report breaches within 72 hours "where feasible", with the only exception being a breach that does not "result in a risk to the rights and freedoms of natural persons." If an organization delays reporting the breach, the reasons for the delay must be provided. The GDPR carries heavy fines for non-compliance. Depending on the violation, fines can reach either €10 million ($11 million) or 2% of annual turnover, whichever is higher, or €20 million ($22 million) or 4% of annual turnover, whichever is higher. The level depends on the regulator's investigation, the degree of negligence, and the severity of the breach.

California Consumer Privacy Act (CCPA) - The CCPA requires companies to report breaches within 72 hours if unencrypted data is involved or if an unauthorized user has access to encryption keys of encrypted data. It also requires companies to notify the California AG if more than 500 California residents are affected.

New York SHIELD Act ("Stop Hacks and Improve Electronic Data Security") - The "NYS Information Security Breach and Notification Act" says a disclosure must be made "in the most expedient time possible and without unreasonable delay...." but does not specify a timeframe. It also allows companies to delay a disclosure if law enforcement believes the disclosure could impede a criminal investigation. As with the CCPA, if the breach affects more than 500 New York residents, the affected companies must tell the NY AG within 10 days. Companies that do not comply with the act can face up to $5,000 per violation.

European NIS-2 Directive ("Network and Information Security, Version 2") - The EU regulation NIS-2 entered into force on January 6, 2023, and introduced stringent supervisory measures and streamlined reporting obligations. Affected companies must now provide an initial notification to their reporting authority within 24 hours of becoming aware of an incident, and within 72 hours they must provide an initial breach assessment. Within one month of the attack, companies are expected to provide a final report detailing the attack's scope as well as any mitigation efforts undertaken. NIS-2 fines can be as high as €10 million ($11 million) or 2% of the company's annual revenue, whichever is higher.

State-by-state reporting requirements - All 50 US states have laws relating to reporting requirements for data breaches. Puerto Rico, Guam, the District of Columbia, and the Virgin Islands also have reporting and notification requirements in place. It would be impossible to cover all of these here, but the NCSL (National Conference of State Legislatures) maintains a list of the latest bills and acts on its website.


Our Corporate Headquarters:

5900 Balcones Drive, Ste 100, Austin, TX 78731

D-U-N-S number: 119079550

NAICS codes for external cyber threat intelligence in cybersecurity: 541512, 541519, 541611, 541990

International Class 042 - Computer security consultancy in the field of scanning and penetration testing of computers and networks to assess information security vulnerability.
External Cyber Threat Intelligence and Risk Remediation Accelerator for compliance security enablement for ISO 27000n, HITRUST, SOC 2, TISAX, TPN, NIST/CMMC
