The Importance of Good Vendor and Customer Vetting

Low-cost smartphones running Google’s Android operating system have been found to be replete with malware. From the article:

“At present, pre-installed partners cover the entire mobile phone industry chain, including mobile phone chip manufacturers, mobile phone design companies, mobile phone brand manufacturers, mobile phone agents, mobile terminal stores and major e-commerce platforms,” reads a descriptive blurb about the company.

The news will have a negative impact on Google’s stock and is also likely to hurt sales of phones made by these brands as well. Many of these smartphone manufacturers may not have been aware that their phones included malware. Instead, their business model focused on offsetting production costs through the installation of paid-for applications, which (hopefully) inadvertently included the malicious applications. But it illustrates a fundamental issue all companies face today: how well do you know your customers and vendors?

Criminals will use a variety of means to hide their actions, and you will never stop them all. But, if companies begin following the Department of Defense’s lead and push for third-party certification of cybersecurity and data privacy programs before they will do business with a vendor or onboard certain types of customers, this will go a long way toward reducing the companies’ overall risk surface.

Executives Face Jail, Significant Fines if Cybersecurity Incidents are not Handled Properly

Jail Cells

According to news reports, the former CIO of Equifax was recently sentenced to 4 months in prison and ordered to pay over $170,000 in fines and restitution for selling shares in Equifax before the now infamous 2017 breach was reported to the public. He is the second Equifax executive to plead guilty to insider trading related to that data breach.

As we previously discussed, in 2018 the SEC issued guidance on how companies should address reporting cybersecurity incidents to their shareholders, and they are aggressively enforcing this guidance. This creates additional risks that are not always covered by traditional Director and Officer insurance, including jail.

Is your company’s executive cybersecurity education program fully informing your executives about the risks they face? Does the company’s incident response plan include measures to address these risks? Unlike other consultants who focus only on the technical aspects of cybersecurity, Fathom Cyber uses a holistic approach that addresses the technical, business, and legal issues so your executives are better prepared and better protected. In short, we make cybersecurity make sense.

Contact Fathom Cyber to find out how we can help your company build a more comprehensive cybersecurity program.

The Data Privacy Officer’s Role in Strategic Planning

Training and Advisory Services

Many people are aware that, in the absence of action by the U.S. Congress, all fifty states have enacted some form of data breach notification laws. However, the state legislatures, and their constituents, are not content with the laws as written, and nine states have passed new and expanded data breach notification laws. The changes include broadening definitions of personal data (New Jersey, Oregon, Washington), expanded breach notification requirements (Massachusetts, Illinois, Oregon, Texas, Washington), increases scope of those covered (Maryland, Maine), and even establishing minimum protections for certain kinds of information (New York). This rapidly changing privacy landscape means that companies must embrace privacy-by-design and security-by-design principles if they are to survive. Without feedback from the Data Privacy Officer and Chief Information Security Officer, companies can waste time and money developing products or solutions that will encounter significant legal and regulatory problems.

Fathom Cyber’s innovative, Enterprise Risk Management-based approach to creating cybersecurity and data privacy programs provides processes and policies that allow the DPO, CISO, and other relevant parties to weigh in on critical business decisions before the wrong decision is made. Contact Fathom Cyber to learn more about how we can help your company succeed.

The DoD to Contractors: Time to be More Mature

American Flag

Is your company’s cybersecurity program mature and effective?  When asked this question, most executives will answer yes, but the Department of Defense (“DoD”) disagrees.  According to Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Cyber:

“If we were doing all the necessary security controls, we wouldn’t be getting exfiltrated to the level that we are. We need to level set because a good portion of our defense industrial base [(“DIB”)] doesn’t have robust cyber hygiene. Only 1% of DIB companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale where the vast majority of DIB partners can defend themselves from nation state attacks.”  

That is why the United States Department of Defense (“DoD”) recently announced two important changes to its approach to securing its supply chain:  1) cybersecurity costs will soon be allowable under DoD contracts, and 2) the creation of a Cybersecurity Maturity Model Certification (“CMMC”) which will be required under all DoD contracts.[1]

The DoD has not announced additional cost allowability details yet. Subscribe to our newsletter for more details when they become available.

Aggressive CMMC Implementation Timeline

The DoD knows it needs to make fundamental changes quickly to combat threats to its supply chain and has set out an aggressive timeline: CMMC Version 1.0 and the certification process will be finalized in January 2020, and the CMMC will be a mandatory go/no-go part of all solicitations beginning in September 2020

CMMC Details

Rather than focusing on whether certain technologies are deployed in the contractor’s environment, the CMMC measures the maturity of contractors’ cybersecurity programs.  The CMMC will define five levels of maturity, from “basic” to “state-of-the-art”, and all government solicitations will soon include threshold maturity requirements for all contractor cybersecurity programs.  Every vendor on a contract, including subcontractors, must meet those maturity requirements or their proposal will not be considered.  Internal maturity evaluations are not enough: the maturity certifications must be conducted by third-party cybersecurity auditors who will conduct audits, collect metrics, and inform risk mitigation for the entire supply chain.

Conduct a Maturity Assessment Now

Although the CMMC won’t be finalized until January, the uncertainty shouldn’t keep your company from acting.  In our experience, initial cybersecurity maturity assessments are a wake-up call for many companies, and it can take many months, or even years, for the companies to find the resources necessary to improve their maturity.  Assessing systems now will allow your company to improve its maturity before the CMMC requirements take effect.  Fathom Cyber’s maturity assessments use many of the industry standards upon which the CMMC is likely to be built so your company can start acting now.

For more details on the CMMC and how Fathom Cyber can improve your company’s cybersecurity maturity, visit

[1] “Help Me, Help You”: Defense Department Advises Contractors That Cybersecurity Is An Allowable Cost – Damon Silver and Catherine Tucciarello – (last viewed 6/28/2019)

What would you do differently?

Retrospective review is an important part of any good cybersecurity program. So much so, NIST builds it into the Cybersecurity Framework, and many other industry standards and best practices incorporate continuous improvement as part of their methodologies. But one frequently overlooked, but critical, point of retrospection is for a CISO who has been on the job for a while to consider how they might have made things better from the beginning. In an interesting article posted on HelpnetSecurity, Ray Pompton of F5 networks started asking CISOs that very question. If you follow our blog, the results shouldn’t be that surprising: the single biggest regret was that they had not put in place a cybersecurity strategy. Instead, they dove into the technical weeds, and the result is a patchwork of cybersecurity tools and duplicated efforts that was neither cost-effective nor efficient.

Another interesting take-away is that CISOs would implement more independent validation of the information from their staff. As we discussed in an earlier post, traditional approaches to cybersecurity and data privacy create inherent, systemic incentives for staff to down-play, and sometimes outright hide, problems they encounter or create. Independent review, though a combination of a strong compliance program and automation, can significantly strengthen a company’s cybersecurity program and is an important part of a comprehensive cybersecurity strategy.

Are you a CISO with similar concerns, but are you unsure how to get started? Fathom Cyber can help you create a defensible cybersecurityTM program that protects your organization, and you, when a breach occurs.

Shareholders Holding Executives Accountable

In a first-of-its-kind move, Yahoo!’s former shareholders have successfully obtained a $29 million settlement based around the failure of the company’s executives to properly protect the company from cybersecurity threats. The shareholders argued that the executives were not involved in setting cybersecurity policies or in the cybersecurity decision making process. Many experts see this as opening the floodgates for future, large dollar shareholder derivative suits which will add additional costs and distractions to companies already struggling to recover from a cybersecurity incident or privacy breach. When you add in the efforts of institutional shareholders to remove executives, including board members and the C-suite, from the companies in which they invest after a significant cybersecurity incident or privacy breach, executives are being forced to play an active role in cybersecurity and data privacy.

To survive these internal struggles, your company needs a defensible cybersecurity program. As the Yahoo! settlement drives home, empowering the executives with the information they need to take the reigns for the company’s cybersecurity and data privacy efforts is core to a defensible cybersecurity program. Executives need to shift their mindset from one in which they are merely informed about cybersecurity and data privacy issues to one in which they are involved in the cybersecurity decision making process. They need cybersecurity and data privacy to make sense.

Don’t wait for your company’s next security event or data breach to implement a defensible cybersecurity program. By then it may be too late.

Fathom Cyber’s unique, risk-based approach to cybersecurity and data privacy allows companies to create agile yet defensible cybersecurity programs. Contact us at [email protected], or visit our website at for more information.

Fathom Cyber in the News

Fathom Cyber’s CEO, Jim Goepel, was quoted in an article about cyber insurance published on The article has some excellent insight into how and when companies are purchasing cyber insurance.

Are you confident that your company’s cyber insurance covers the risks your company faces? Fathom Cyber can help you find peace of mind.

Fathom Cyber in the News

Fathom Cyber’s Jim Goepel was interviewed in an article about the importance of a strong cybersecurity culture and appropriate policies for companies looking to implement a Bring your own Device (“BYOD”) plan.  For many companies, BYOD is a boon, helping to cut costs and improving employee morale by allowing employees to use devices they already have and with which they are comfortable.  But for many companies, BYOD quickly becomes BYODB…Bring your own Data Breach.  Executives must  carefully examine the risks and rewards before authorizing a BYOD policy, and they must ensure that appropriate controls are in place to measure, monitor, and assess the effectiveness of those controls.  Fathom Cyber’s unique approach to cybersecurity helps ensure not only that the risks and rewards are carefully identified and balanced, but also that they decisions made are properly documented for regulatory, compliance, and litigation defense purposes.