Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

April 2024

What is the Critical Entities Resilience (CER) Directive?

The Critical Entities Resilience (CER) Directive is a new initiative in the EU that aims to ensure that critical entities providing essential services are effectively managing their network and information security. The CER Directive is part of the EU’s latest effort to build stronger cyber resilience across Europe, alongside NIS2 and the EU Cyber Resilience Act.

Choosing Attack Surface Visibility Software in 2024

There’s one major between organizations that fall victim to a data breach and those that don’t - attack surface awareness. Even between those who have implemented an attack surface management solution and those who haven’t, the more successful the cybersecurity programs more likely to defend against a greater scope of cyber threats are those with greater attack surface visibility.

NIS2 Compliance Checklist (Free)

In January 2023, the European Commission (EC) released an updated version of the European Union (EU) Network and Information Security Directive (NIS2) to strengthen cybersecurity risk management across Europe’s essential services. NIS2 updates the original NIS directive and focuses more on regulations for cloud infrastructure, internet exchanges, domain service providers, and digital service providers.

What is the Connecticut Data Privacy Act (CTDPA)?

The Connecticut State Government signed the Connecticut Data Privacy Act (CTDPA) into law on May 10, 2022, and the law became effective on July 1, 2023. The CTDPA joins the ranks of other US state privacy laws, like the California Consumer Privacy Act (CCPA) and the Colorado Privacy Act, providing Connecticut consumers with robust data privacy rights and protections.

What is the Oregon Consumer Privacy Act (OCPA)?

The Oregon State Government passed Senate Bill 619, also known as the Oregon Consumer Privacy Act (OCPA), in July 2023. The OCPA will become effective on July 1, 2024, the same day the Texas Data Privacy and Security Act will also impose obligations on data controllers and processors. Oregon’s privacy legislation follows the structure of several other US data privacy laws, including the Colorado Privacy Act, the Virginia Consumer Data Protection Act, and the Montana Consumer Privacy Act.

The EU's Strategy for a Cybersecure Digital Single Market

The EU Digital Single Market Strategy (DSM Strategy) is a comprehensive initiative launched by the European Union to enhance Europe’s digital economy and maximise its growth potential across member states. The strategy includes evolving policies and specific initiatives aimed at the digitalisation of the European Union and adapting it to the rapidly changing digital ecosystem.

What is the EU Cyber Solidarity Act?

The EU Cyber Solidarity Act is a new initiative that follows the European Union's latest efforts to build stronger cyber defenses against evolving cybersecurity threats. This legislation introduces a new strategy for enhanced cooperation between EU member states and focuses on how EU nations can better prepare and respond to cyber incidents.

How to Perform a Vendor Risk Assessment

Vendor risk assessments are critical for any organization that relies on third-party vendors. Third-party risk can negatively affect an organization’s security, compliance, and performance, resulting in devasting security breaches or disruptions in its supply chain that halt business operations. Organizations use vendor risk assessments to evaluate and manage third-party vendor risks associated with outsourcing business operations or procuring goods from external suppliers.

What is the Montana Consumer Data Privacy Act (MTCDPA)?

Montana Governor Greg Gianforte signed Senate Bill 384, the Montana Consumer Data Privacy Act (MTCDPA), on May 19, 2023. The consumer privacy law will become effective on October 1, 2024, and requires covered entities that process personal data to comply with several transparency and disclosure obligations. The MTCDPA follows the structure and scope of other US state data privacy laws, including the California Consumer Privacy Act, Tennessee Information Protection Act, and Colorado Privacy Act.

What is the Tennessee Information Protection Act (TIPA)?

Tennessee Governor Bill Lee passed the Tennessee Information Protection Act (TIPA) on May 11, 2023. TIPA becomes effective on July 1, 2025, and groups Tennessee with California, Colorado, Virginia, and other states that have published their own data privacy law while waiting for a comprehensive federal law from the U.S. Government.

Introducing UpGuard Trust Exchange

Security questionnaires represent the cornerstone of most third-party risk management (TPRM) programs. They allow organizations to responsibly appraise a vendor's security posture before they move forward with onboarding and grant the vendor access to internal systems and data. Nevertheless, most security teams feel burdened by time-consuming and lengthy security questionnaires, especially when faced with additional resource and staffing limitations.

Implementing A Vendor Risk Assessment Process in 2024

A Vendor Risk Assessment (also referred to as a third-party risk assessment) is a critical component of a Vendor Risk Management program. As such, the overall impact of your VRM efforts hangs on the efficiency of your vendor risk assessment workflow. This post outlines a framework for implementing a streamlined vendor risk assessment process to prevent potential data breach-causing third-party security risks from falling through the cracks.

Advanced GDPR Compliance Strategies for Cybersecurity

As digital transformation continues to multiply pathways to personal data, complete GDPR compliance is getting harder to attain. Whether you’re a data protection officer or a cybersecurity professional helping your organization remain compliant, this blog suggests advanced GDPR compliance strategies you may not have yet considered - beyond that delightful cookie consent notice we all love.

4-Stage Vendor Risk Management Framework (2024 Edition)

A Vendor Risk Management framework is the skeleton of your VRM program. Without it, your Vendor Risk Management program will collapse under a heavy burden of inefficient processes. This post outlines the anatomy of an effective VRM framework to help you seamlessly manage security risks in your third-party network.

Cybersecurity Challenges in European Telehealth

Telehealth or telemedicine is one of the most common ways of providing healthcare services in the EU, with nearly 77% of countries adopting some type of telehealth service. Countries like Norway, Sweden, Denmark, and Italy are considered some of the world’s leaders in providing telehealth services. Following the COVID-19 pandemic, telehealth became widely adopted across Europe, with many countries participating in cross-border collaboration.

Third-Party Risk Management Policy Template (Free)

Organizations commonly rely on third parties such as vendors, suppliers, and other business partners to handle critical operations. While third-party relationships can provide many benefits, they also introduce a range of risks that can threaten data security, compliance, and business continuity. Therefore, it's crucial to recognize and manage these risks with a robust Third-Party Risk Management policy.

The NIST AI Risk Management Framework: Building Trust in AI

The NIST Artificial Intelligence Risk Management Framework (AI RMF) is a recent framework developed by The National Institute of Standards and Technology (NIST) to guide organizations across all sectors in the use of artificial intelligence (AI) and its systems. As AI continues to become implemented in nearly every sector — from healthcare to finance to national defense — it also brings new risks and concerns with it.

Vendor Risk Management Assessment Matrix (Clearly Defined)

A vendor risk management assessment matrix could enhance your visibility into vendor risk exposure, helping you make more efficient risk management decisions. In this post, explain what a vendor risk assessment matrix is, how to use it, and provide a step-by-step guide for designing your own.

Cross-Border Data Flow: The EU-US Privacy Shield's Demise

Digital advancement has drastically changed businesses' operations, including increasing global data flows. One consequential aspect of this transformation is the transfer of data across national borders, which poses significant legal, privacy, and security challenges. The EU-US Privacy Shield was a critical agreement that previously protected data transferred between the European Union and the United States.

The EU Cyber Resilience Act: Securing Digital Products

The EU Cyber Resilience Act (CRA) is a major piece of cyber legislation passed in 2024 in the European Union (EU) that regulates cybersecurity for digital products and services. The EU Cyber Resilience Act directly complements the NIS2 Directive, which regulates risk management and incident reporting across the European market.

G2 Spring Report 2024: UpGuard Awarded #1 TPRM Software

In the latest G2 Spring Report, UpGuard ranked as the leading third-party and supplier risk management solution. G2 also recognized UpGuard as a market leader in third-party risk management (TPRM) for the seventh consecutive quarter, reaffirming UpGuard’s continued excellence and commitment to providing world-class cybersecurity solutions to global mid-market and enterprise organizations.

Meeting Third-Party Risk Requirements of DORA in 2024

The deadline for achieving complaince with the Digital Operational Resilience Act (DORA) will be here before you know it, with enforcement beginning in January 2025. With Third-Party Risk Management being the central focus of the EU regulation, it’s imperative to cater your TPRM program to the DORA regulation to achieve sustainable compliance. In this post, we outline the DORA requirements related to third-party risk management and explain how to comply with them.

Third-Party Risk Management vs Vendor Risk Management

Organizational risk management often mentions third-party risk management (TPRM) and vendor risk management (VRM). The cybersecurity industry commonly uses these terms interchangeably, but there is a distinct difference between these two crucial components of an organization's broader risk management strategy.

Vendor Due Diligence Questionnaires: Free Template

Vendor due diligence questionnaires are a type of security questionnaire for third-party vendors or service providers that are an essential part of any third-party risk management program (TPRM) program. By using a vendor due diligence questionnaire, security teams can evaluate a new vendor’s overall risk hygiene before entering into a business partnership.

8 Steps to Cultivate a Culture of Risk Awareness in Higher Education

Over the last few years, the education industry has increased its dependency on third-party service providers, expanding the average attack surface and escalating the importance of comprehensive risk awareness. Higher education institutions that rely on large vendor ecosystems must develop robust cultures of risk awareness to safeguard their data and daily operations from cyber attacks, data breaches, and other disruptions.

Deciphering CUI: What is Controlled Unclassified Information?

In today’s interconnected digital world, safeguarding sensitive data and preventing unauthorized access is vital, especially for U.S. government agencies, contractors, and other information-sharing partners that compete for Department of Defense (DoD) contracts. While many organizations that work alongside the U.S.

What's New in NIST CSF 2.0: The Top 4 Changes

In celebration of its 10th anniversary, the National Institute of Standards and Technology (NIST) has finally updated its cybersecurity framework, now known as the NIST Cybersecurity Framework 2.0. This isn’t a minor facelift. It's a substantial revamp further improving what's already regarded as the gold standard of cyber risk management frameworks. To learn about the key changes in NIST CSF 2.0, and how they could impact your cybersecurity posture improvement efforts, read on.

What is the Health Records and Information Privacy Act 2002 (HRIPA)?

The Health Records and Information Privacy Act 2002 (HRIPA) is a comprehensive legislation established to protect the privacy and security of health information in New South Wales (NSW), Australia. This legislative framework shares many similarities with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in the United States in their goals to ensure data privacy, security, and handling of health information in the healthcare sector.