What’s going on with the National Vulnerability Database?

CVE overload and a lengthy backlog has meant the federal government’s repository of vulnerability data can’t keep up with today’s threat landscape.

By Matt Kapko • April 10, 2024

Industry stakeholders seek 30-day delay for CIRCIA comments deadline

Industry officials are asking for additional time to comb through hundreds of pages of detailed rules about disclosure of covered cyber incidents and ransom payments.

By David Jones • April 8, 2024

CISA assessing threat to federal agencies from Microsoft adversary Midnight Blizzard

Microsoft previously warned that the Russia-linked threat group was expanding malicious activity following the hack of senior company executives, which it disclosed in January.

By David Jones • April 5, 2024

What CISA wants to see in CIRCIA reports

The most consequential federal critical infrastructure cyber incident regulation will be on the books in 18 months. Here are some of CIRCIA's main asks.

By Matt Kapko • April 4, 2024

Microsoft Exchange state-linked hack entirely preventable, cyber review board finds

The technology giant’s corporate culture fell short on security investments and risk management, and needs significant reforms, according to a damning report by the U.S. Cyber Safety Review Board.

By David Jones • April 3, 2024

Progress Software continues to cooperate with SEC probe into MOVEit exploitation

The company said it still cannot quantify the potential impact of multiple government agency inquiries.

By David Jones • March 29, 2024

Boards need to brush up on cybersecurity governance, survey finds

SEC cyber disclosure rules are calling attention to corporate boards’ need to enhance their approach to cybersecurity oversight and compliance.

By Rosalyn Page • March 29, 2024

Water woes: A federal push for cyber mitigation is highlighting the sector’s fault lines

The water utility industry says they recognize the heightened threat environment, but the current federal push fails to account for their resource constraints.

By David Jones • March 28, 2024

CISA issues notice for long-awaited critical infrastructure reporting requirements

CIRCIA will require covered entities to promptly disclose major cyber incidents and ransomware payments.

By David Jones • March 27, 2024

Senior lawmaker questions UnitedHealth over Change cyberattack

Rep. Jamie Raskin, D-Md., said UnitedHealth’s “rapid consolidation and vertical integration” has major consequences for the healthcare sector, including increased control of the health IT market.

By Emily Olsen • March 27, 2024

The nation’s first academic space cybersecurity program welcomes the 2nd cohort

IU’s new Space Governance Lab is breaking new grounds (or spaces) again.

March 25, 2024

Five Eyes implores critical infrastructure execs to take China-linked threats seriously

Officials are pushing tips to help potential victims detect and mitigate Volt Typhoon’s evasive techniques as the was warnings take on urgency.

By Matt Kapko • March 20, 2024

More warnings emerge about state-linked cyber threats to water infrastructure

The White House and EPA set an urgent virtual meeting with state homeland security and other top officials, citing efforts to boost the resiliency of drinking and wastewater treatment systems.

By David Jones • March 20, 2024

How companies describe cyber incidents in SEC filings

The words businesses use in cybersecurity disclosures matter. They can channel confidence in the recovery process, potential impacts and legal liabilities.

By Matt Kapko • March 19, 2024

Threat environment is changing for individuals and SMBs, White House order shows

An executive order is trying to prevent the large-scale transfer of Americans’ data, as countries seek troves of U.S. data for blackmail, AI training and analysis, among a multitude of other purposes. 

By Michael Kosak • March 18, 2024

What’s material to the SEC, 3 months into cyber disclosure rules?

As attacks become more sophisticated and destructive, companies are struggling to find conclusive estimates of the financial impact of cyberattacks.

By David Jones • March 18, 2024

Stronger FCC data breach reporting rules for telecom go live

The updated rules expand the scope of breach disclosure requirements to cover all PII and carriers have to notify customers within 30 days of determining a breach occurred.

By Matt Kapko • March 15, 2024

FCC approves voluntary cyber labeling program for smart home IoT devices

The Biden administration wants the U.S. Cyber Trust Mark program to incentivize higher security standards in future IoT product development.

By David Jones • March 15, 2024

HHS opens investigation into Change Healthcare cyberattack

The Office for Civil Rights will focus on whether protected health information was breached and if UnitedHealth complied with privacy and security requirements. 

By Emily Olsen • March 14, 2024

White House adds teeth to secure software development requirements

CISA and OMB released an attestation form to ensure compliance with secure development practices.

By David Jones • March 13, 2024

White House meets with UnitedHealth, industry groups on Change Healthcare cyberattack fallout

Officials called on payers to cut red tape and offer financial support to providers, including advanced payments. 

By Emily Olsen • March 13, 2024

CMS rolls out provider flexibilities amid fallout from Change cyberattack

Provider groups said the government should go further to financially bolster providers during the outage at Change Healthcare.

By Emily Olsen • March 5, 2024

Provider groups urge HHS, Congress to mitigate damage from Change cyberattack

The American Hospital Association and the American Medical Association pushed the federal government to offer more financial support as the Change outage limits providers’ ability to receive payment.

By Emily Olsen • March 5, 2024

NIST makes it official: governance is a critical part of cybersecurity

A collection of resources accompany CSF 2.0 to make the guidance easier for businesses to use and put into practice across their operations.

By Matt Kapko • Feb. 29, 2024

Utility regulators take steps to raise sector’s cybersecurity ‘baselines’

The voluntary cyber recommendations are intended to serve as a resource for state public utility commissions, utilities and distribution operators and aggregators.

By Robert Walton • Feb. 29, 2024