Policy & Regulation: Page 2

Congress adds historic cyber incident reporting rule to massive $1.5 trillion package

Key members of Congress and CISA say the bill will help protect critical infrastructure against malicious attacks.

By David Jones • March 11, 2022

SEC pushes for tougher cybersecurity disclosure rules

Companies would need to report breaches within four days under the proposed rules. 

By Jim Tyson • March 10, 2022

Russian cyberattacks surprisingly limited in Ukraine, US officials say

U.S. Cyber Command Gen. Paul Nakasone said Russia-backed cyber activity has been much lower than expected.

By David Jones • March 9, 2022

Would a cyberattack on a NATO country trigger Article 5?

Few nations have sophisticated cyber capabilities and for operational security reasons, they are closely guarded, rarely shared, and carefully used.

By Mark Laity • March 2, 2022

New York rolls out statewide cyber command center

Russia's invasion of Ukraine should make local government leaders watchful of critical infrastructure risk, expert says.

By Cailin Crowe • Feb. 28, 2022

DHS to lead federal response to Russia-Ukraine crisis

Cyberattacks in Ukraine continue as Russian troops enter Kyiv.

By David Jones • Feb. 25, 2022

Apache tells US Senate committee the Log4j vulnerability could take years to resolve

While a software bill of materials could improve supply chain security, users still download vulnerable versions of software. 

By David Jones • Feb. 9, 2022

NIST targets software supply chain with guidance on security standards

Guidelines call for developers to attest they use secure software practices.

By David Jones • Feb. 7, 2022

DHS adds review board to advise federal response to major cyberattacks

The board, which follows President Biden's May 2021 executive order on cybersecurity, will start with a review of the Apache Log4j vulnerability. 

By David Jones • Feb. 3, 2022

Conflict over Ukraine raises cyber risk for US enterprises

A diplomatic standoff with Russia threatens to drag U.S. companies and critical infrastructure into wider security crisis that could echo NotPetya. 

By David Jones • Feb. 1, 2022

White House targets security 'paradigm shift' with federal zero-trust strategy

Agencies have 60 days to submit zero-trust plans to OMB and CISA. 

By Samantha Schwartz • Jan. 28, 2022

GDPR regulators crack down on data processing as companies struggle with privacy compliance

Almost four years into GDPR, it has taken regulators time to find their footing to pursue violations.

By Samantha Schwartz • Jan. 28, 2022

Industry responded to Treasury ransomware sanctions but full impact unknown

The list of sanctioned ransomware-related parties has made incident responders take a more "cautious approach," said OFAC's Michael Lieberman.

By Samantha Schwartz • Jan. 27, 2022

It's time to focus on critical infrastructure systems security

Cyber-physical systems running on legacy infrastructure are ideal attack surfaces for malicious actors. 

By Katell Thielemann • Jan. 24, 2022

Biden gives defense, intel agencies 180 days to apply MFA, encryption

The White House's memorandum builds on past requirements to bolster U.S. cyber standards. This time, the administration is targeting agencies that handle classified intelligence. 

By Samantha Schwartz • Jan. 20, 2022

Log4j raises cyber risk for public finance entities, Fitch warns

Local agencies and critical sites face increased operational and financial risk as the vulnerability opens organizations to ransomware or other malicious activity. 

By David Jones • Jan. 19, 2022

Feds want businesses to report cyberattacks — the agency doesn't matter

The FBI's Bryan Vorndran compared a cyberattack to a house robbery: Law enforcement assists with attack response while CISA is representative of an alarm company tasked with prevention. 

By Samantha Schwartz • Jan. 14, 2022

FCC seeks stronger breach reporting rules for telecoms

After massive breaches at T-Mobile and other telecoms, the proposed regulations would create faster consumer disclosure and mandate reporting of inadvertent cases.

By David Jones • Jan. 13, 2022

Congressional cyber commission expires but work to continue with 'Solarium 2.0'

Despite the commission's success, unfinished business includes setting up a joint collaborative environment, institutionalizing the Cyber Diplomacy Act, creating a bureau of cyber statistics, and codifying critical infrastructure.

By Samantha Schwartz • Dec. 23, 2021

Long-expected cyber incident reporting rule loses ground once again

The House's recently passed National Defense Authorization Act is set to advance to the Senate. But it omitted a key cyber rule: mandatory incident reporting. 

By Samantha Schwartz • Dec. 10, 2021

What incident reporting could look like

Legislation could remove some of the complexity of overlapping standards when CISA's roles and authorities become more robust. 

By Samantha Schwartz • Dec. 10, 2021

TSA rolls out rail cyber requirements, targeting prevention and rapid response

The directives, with immediate implementation expected, are primarily for higher-risk freight railroads, passenger rail, and rail transit, DHS said. 

By Samantha Schwartz • Dec. 3, 2021

Insurer Lloyd's slashes coverage on state-sponsored cyberattacks, reflecting battered market

The limits for state-sponsored attack coverage comes at a time when nation-state activity and ransomware linked to foreign threat actors is surging.

By David Jones • Dec. 3, 2021

Crypto becoming the preferred currency of cybercriminals and rogue governments

Authorities are turning the tables on cybercriminals by tracing the steps of illicit transactions and making it more difficult for ransomware operators to evade detection.

By David Jones • Nov. 24, 2021

Recovering ransom payments could become routine for law enforcement

Backed by blockchain analysts and crypto-tracers, law enforcement agencies want to become more proficient in seizing ransomware-related funds.

By Samantha Schwartz • Nov. 23, 2021