Policy & Regulation


  • SEC clarifies intent of cybersecurity breach disclosure rules after initial filings

    The rules require notification of “material” breaches, but some early filers have reported incidents that appear to fall short of the regulatory threshold.

    By Alexei Alexis • May 29, 2024
  • NIST administration building in Gaithersburg, Maryland.
    Image attribution tooltip
    Courtesy of NIST
    Image attribution tooltip

    Critical CVEs are going under-analyzed as NIST falls behind

    NIST has analyzed less than 1 in 10 vulnerabilities added to the National Vulnerability Database since mid-February, according to VulnCheck research.

    By May 28, 2024
  • A surgeon stands in a hospital room bending over a small table of medical instruments
    Image attribution tooltip
    Mario Tama via Getty Images
    Image attribution tooltip

    HHS agency launches program to automate cybersecurity at hospitals

    The program will invest more than $50 million to create a software suite that can automatically find potential vulnerabilities that hackers could exploit and deploy fixes.

    By Emily Olsen • May 24, 2024
  • A sunlit New York Stock Exchanges is seen with 6 columns and 3 American flags with people walking by in shadow.
    Image attribution tooltip
    Drew Angerer via Getty Images
    Image attribution tooltip

    SEC fines NYSE’s parent $10M for failing to report cyberattack

    The settlement sheds light on the costs of cyberattacks that can include penalties for non-compliance with timely disclosure requirements after the events occur.

    By Maura Webber Sadovi • May 24, 2024
  • National Cyber Director Harry Coker Jr. delivers keynote on the national cybersecurity strategy implementation plan on May 22, 2024 at the McCrary Institute at Auburn University in Washington D.C.
    Image attribution tooltip
    Permission granted by McCrary Institute
    Image attribution tooltip

    White House seeks critical cyber assistance for water utilities, healthcare

    The DOJ will also work to deter teens from joining criminal hackers like Lapsus$.

    By May 23, 2024
  • Abstract black and white monochrome art with surreal funnel.
    Image attribution tooltip
    Philipp Tur/Getty Images Plus via Getty Images
    Image attribution tooltip

    Cyberattacks are good for security vendors, and business is booming

    More secure technology could stem the tide of cyberattacks, but digital threats are ever present.

    By May 23, 2024
  • Microsoft logo is seen in the background.
    Image attribution tooltip
    Jeenah Moon via Getty Images
    Image attribution tooltip

    Microsoft president set to testify before Congress on ‘security shortcomings’

    After the tech giant asked for more time, Brad Smith will now testify before the House Committee on Homeland Security on June 13.

    By May 22, 2024
  • The HHS in DC
    Image attribution tooltip
    Alex Wong / Staff via Getty Images
    Image attribution tooltip

    Providers urge HHS to clarify Change data breach reporting requirements

    More than 50 provider groups are asking the federal government to publicly state that UnitedHealth should handle data breach reporting stemming from the cyberattack on its subsidiary.

    By Emily Olsen • May 22, 2024
  • Water rushing out of a pipeline and onto a wheat field.
    Image attribution tooltip
    lnzyx for iStock via Getty Images
    Image attribution tooltip

    EPA to ramp up enforcement as most water utilities lack cyber safeguards

    The agency may consider taking civil and criminal penalties against utilities following months of attacks against drinking and wastewater treatment facilities.

    By May 21, 2024
  • The U.S. Securities and Exchange Commission seal hangs on the facade of its building.
    Image attribution tooltip
    Chip Somodevilla via Getty Images
    Image attribution tooltip

    SEC requires financial firms to disclose data breaches within 30 days

    The regulatory agency’s rule change comes less than a year after it required publicly traded companies to disclose material security incidents within four business days.

    By May 20, 2024
  • CISA, cybersecurity, agency
    Image attribution tooltip
    Photo illustration by Danielle Ternes/Cybersecurity Dive; photograph by yucelyilmaz via Getty Images
    Image attribution tooltip

    CISA senior official Goldstein to leave agency in June

    The executive assistant director for cybersecurity at CISA often served as the voice of the agency and helped steer its secure-by-design efforts.

    By May 16, 2024
  • A closeup shot of long colorful lines of code on a computer screen.
    Image attribution tooltip
    Wirestock via Getty Images
    Image attribution tooltip

    Unsafe software development practices persist, despite CISA’s push

    The industry isn’t making sufficient progress in cleaning up code despite recurring efforts from the agency to eliminate entire classes of vulnerabilities.

    By May 15, 2024
  • U.S. National Cyber Director Harry Coker Jr. speaks during keynote at CyberUK 2024.
    Image attribution tooltip
    Permission granted by Matthew Horwood
    Image attribution tooltip

    National Cyber Director echoes past warnings: Nation-state cyber threats are mounting

    State-linked actors with ties to China and Russia are growing more sophisticated in their efforts to disrupt critical infrastructure, Harry Coker Jr. said during a CyberUK conference keynote.

    By May 15, 2024
  • A dimly lit school hallway is empty with a row of lockers standing on each side.
    Image attribution tooltip
    Stock Photo via Getty Images
    Image attribution tooltip

    How a CISA proposal could impact K-12 cyber incident reporting

    Overall, the nonprofit K12 Security Information Exchange backed the requirement for schools, but it asked for clarification on how the sector should report cyber incidents students initiate.

    By Anna Merod • May 14, 2024
  • FBI seal displayed on a wall
    Image attribution tooltip
    Chip Somodevilla/Getty Images via Getty Images
    Image attribution tooltip

    Black Basta ransomware is toying with critical infrastructure providers, authorities say

    The threat group has impacted more than 500 targets worldwide and the vast majority of critical infrastructure sectors.  Numerous attacks have exploited vulnerabilities in ConnectWise ScreenConnect.

    By May 13, 2024
  • Microsoft logo at Mobile World Congress.
    Image attribution tooltip
    David Ramos via Getty Images
    Image attribution tooltip

    Congress wants to question Microsoft exec over security defects

    The committee wants to question Brad Smith, Microsoft’s president and vice chair, over the company’s security shortcomings and how it plans to strengthen security measures.

    By May 13, 2024
  • The White House in Washington, D.C.
    Image attribution tooltip
    TriggerPhoto via Getty Images
    Image attribution tooltip

    White House wants to hold the software sector accountable for security

    Federal officials are taking steps toward a long-stated goal of shifting the security burden from technology users to the companies that build it.

    By May 10, 2024
  • CISA Director Jen Easterly speaks at Carnegie Mellon University urging the tech industry to embrace secure-by-design product development.
    Image attribution tooltip
    Permission granted by Carnegie Mellon University
    Image attribution tooltip

    68 tech, security vendors commit to secure-by-design practices

    CISA said companies ranging from Microsoft to Palo Alto Networks signed the voluntary pledge in an effort to boost resiliency and increase transparency around CVEs and cyberattacks.

    By May 9, 2024
  • Cybersecurity professionals walk into the RSA Conference at the Moscone Center in San Francisco on May 6, 2024.
    Image attribution tooltip
    Matt Kapko/Cybersecurity Dive/Cybersecurity Dive
    Image attribution tooltip

    CISA explains why it doesn’t call out tech vendors by name

    Federal officials rarely criticize tech companies when their mistakes result in attacks. The stinging conclusions CSRB levied at Microsoft are an exception, not the norm.

    By May 9, 2024
  • National Cyber Director Harry Coker speaks in Washington.
    Image attribution tooltip
    Permission granted by Information Technology Industry Council
    Image attribution tooltip

    The US really wants to improve critical infrastructure cyber resilience

    A report from the Office of the National Cyber Director highlights persistent threats targeting healthcare and water, echoing warnings from cyber officials earlier this year. 

    By May 8, 2024
  • A picture of a stethoscope on top of a notebook with blue charts and investment images overlaid over it.
    Image attribution tooltip
    ipopba via Getty Images
    Image attribution tooltip

    CISA, FBI urge software companies to eliminate directory traversal vulnerabilities

    The software defects are linked to recent exploitation campaigns against critical infrastructure providers, including healthcare and schools. 

    By May 7, 2024
  • Industrial Engineer working and control robotics with monitoring system software and icon industry network connection on tablet
    Image attribution tooltip
    ipopba via Getty Images
    Image attribution tooltip
    Sponsored by Indiana University

    How can AI companies navigate a complex regulatory framework? — Compliance Labels

    The rapid unregulated growth in the field of artificial Intelligence has given rise to Large Language Models (LLM’s) such as GPT-4 and Gemini which has contributed to major technical advancements but has also been coupled with legal and ethical issues.

    By Sai Prasad, Security Analyst, CyberProof, MS Cybersecurity Risk Management '22 • May 6, 2024
  • UnitedHealth Group CEO Andrew Witty
    Image attribution tooltip
    Kent Nishimura/Getty Images via Getty Images
    Image attribution tooltip

    Congress grills UnitedHealth CEO over Change cyberattack

    Legislators slammed Andrew Witty over the company’s lack of cybersecurity practices and the impact of the breach, which may have compromised the data of a third of Americans.

    By Emily Olsen • May 2, 2024
  • Matrix background of blurred programming code.
    Image attribution tooltip
    Getty Plus via Getty Images
    Image attribution tooltip

    CISA warned 1,750 organizations of ransomware vulnerabilities last year. Only half took action.

    More than half of CISA's ransomware vulnerability warning pilot alerts were sent to government facilities, healthcare and public health organizations.

    By May 1, 2024
  • Sewage water flowing into river body and polluting the water and environment.
    Image attribution tooltip
    Cinefootage Visuals via Getty Images
    Image attribution tooltip

    Hacktivists exploiting poor cyber hygiene at critical infrastructure providers

    CISA, the FBI and international partner agencies want water, energy, agriculture and other sectors to immediately reset passwords and apply multifactor authentication.

    By May 1, 2024