Policy & Regulation: Page 4
-
Hacktivists exploiting poor cyber hygiene at critical infrastructure providers
CISA, the FBI and international partner agencies want water, energy, agriculture and other sectors to immediately reset passwords and apply multifactor authentication.
By David Jones • May 1, 2024 -
FTC broadens health breach notification rule
Regulators have been pursuing more enforcement actions against health applications sharing consumers’ data. Friday’s final rule should give those actions more heft.
By Rebecca Pifer • April 29, 2024 -
CISA director pushes for vendor accountability and less emphasis on victims’ errors
Stakeholders need to address why vendors are delivering products with common vulnerabilities, which account for the majority of attacks, Jen Easterly said.
By Matt Kapko • April 25, 2024 -
Sponsored by Apiiro
Preparing for CISA’s Secure Software Development Attestation and PCI compliance updates with ASPM
With increased expectations and a prime position in the spotlight, AppSec teams need reliable tools that can act as a force multiplier for their AppSec programs.
April 22, 2024 -
Fears rise of social engineering campaign as open source community spots another threat
Federal officials are said to be investigating potential links between the recent XZ Utils campaign and new threat activity against JavaScript project maintainers.
By David Jones • April 16, 2024 -
Top officials again push back on ransom payment ban
In lieu of a ban, the Institute for Security and Technology advises governments to achieve 16 milestones, most of which are already in place or in the works.
By Matt Kapko • April 15, 2024 -
CISA to big tech: After XZ Utils, open source needs your support
The attempted malicious backdoor may have been part of a wider campaign using social engineering techniques, the open source community warned.
By David Jones • April 15, 2024 -
FBI director echoes past warnings, as critical infrastructure hacking threat festers
Chris Wray says adversaries from China, Russia and Iran are ramping up cyber, espionage and other threat activity against key sectors, including water, energy and telecommunications.
By David Jones • April 11, 2024 -
What’s going on with the National Vulnerability Database?
CVE overload and a lengthy backlog has meant the federal government’s repository of vulnerability data can’t keep up with today’s threat landscape.
By Matt Kapko • April 10, 2024 -
Industry stakeholders seek 30-day delay for CIRCIA comments deadline
Industry officials are asking for additional time to comb through hundreds of pages of detailed rules about disclosure of covered cyber incidents and ransom payments.
By David Jones • April 8, 2024 -
CISA assessing threat to federal agencies from Microsoft adversary Midnight Blizzard
Microsoft previously warned that the Russia-linked threat group was expanding malicious activity following the hack of senior company executives, which it disclosed in January.
By David Jones • April 5, 2024 -
What CISA wants to see in CIRCIA reports
The most consequential federal critical infrastructure cyber incident regulation will be on the books in 18 months. Here are some of CIRCIA's main asks.
By Matt Kapko • April 4, 2024 -
Microsoft Exchange state-linked hack entirely preventable, cyber review board finds
The technology giant’s corporate culture fell short on security investments and risk management, and needs significant reforms, according to a damning report by the U.S. Cyber Safety Review Board.
By David Jones • April 3, 2024 -
Progress Software continues to cooperate with SEC probe into MOVEit exploitation
The company said it still cannot quantify the potential impact of multiple government agency inquiries.
By David Jones • March 29, 2024 -
Boards need to brush up on cybersecurity governance, survey finds
SEC cyber disclosure rules are calling attention to corporate boards’ need to enhance their approach to cybersecurity oversight and compliance.
By Rosalyn Page • March 29, 2024 -
Water woes: A federal push for cyber mitigation is highlighting the sector’s fault lines
The water utility industry says they recognize the heightened threat environment, but the current federal push fails to account for their resource constraints.
By David Jones • March 28, 2024 -
CISA issues notice for long-awaited critical infrastructure reporting requirements
CIRCIA will require covered entities to promptly disclose major cyber incidents and ransomware payments.
By David Jones • March 27, 2024 -
Senior lawmaker questions UnitedHealth over Change cyberattack
Rep. Jamie Raskin, D-Md., said UnitedHealth’s “rapid consolidation and vertical integration” has major consequences for the healthcare sector, including increased control of the health IT market.
By Emily Olsen • March 27, 2024 -
Sponsored by Indiana University
The nation’s first academic space cybersecurity program welcomes the 2nd cohort
IU’s new Space Governance Lab is breaking new grounds (or spaces) again.
March 25, 2024 -
Five Eyes implores critical infrastructure execs to take China-linked threats seriously
Officials are pushing tips to help potential victims detect and mitigate Volt Typhoon’s evasive techniques as the was warnings take on urgency.
By Matt Kapko • March 20, 2024 -
More warnings emerge about state-linked cyber threats to water infrastructure
The White House and EPA set an urgent virtual meeting with state homeland security and other top officials, citing efforts to boost the resiliency of drinking and wastewater treatment systems.
By David Jones • March 20, 2024 -
How companies describe cyber incidents in SEC filings
The words businesses use in cybersecurity disclosures matter. They can channel confidence in the recovery process, potential impacts and legal liabilities.
By Matt Kapko • March 19, 2024 -
Opinion
Threat environment is changing for individuals and SMBs, White House order shows
An executive order is trying to prevent the large-scale transfer of Americans’ data, as countries seek troves of U.S. data for blackmail, AI training and analysis, among a multitude of other purposes.
By Michael Kosak • March 18, 2024 -
What’s material to the SEC, 3 months into cyber disclosure rules?
As attacks become more sophisticated and destructive, companies are struggling to find conclusive estimates of the financial impact of cyberattacks.
By David Jones • March 18, 2024 -
Stronger FCC data breach reporting rules for telecom go live
The updated rules expand the scope of breach disclosure requirements to cover all PII and carriers have to notify customers within 30 days of determining a breach occurred.
By Matt Kapko • March 15, 2024