Tag Archive for: Reporting

EU Commission pitches double reporting of open security loopholes in cybersecurity law – EURACTIV.com


The question of who should receive extremely sensitive cyber threat intelligence has been a sticking point in the negotiations on the Cyber Resilience Act. The Commission has proposed a middle ground under which the reports would go to two recipients at once.

The Cyber Resilience Act is a legislative proposal introducing security requirements for connected devices. The file is being finalised in ‘trilogues’ between the EU Commission, Council and Parliament.

Among the obligations of product manufacturers, there is one to report not only cybersecurity incidents, as has been the case in previous legislation, but also actively exploited vulnerabilities.

If a vulnerability is being actively exploited, it means attackers are already using a flaw in the product that the manufacturer has not yet patched. Information of this kind is therefore highly dangerous if it falls into the wrong hands, and who should handle it is a politically sensitive question.

In the original Commission text, ENISA, the EU cybersecurity agency, was assigned this complex work – an approach that found support in the Parliament. By contrast, European governments want to move this task to the national Computer Security Incident Response Teams (CSIRTs).

Following the last trilogue on 8 November, Euractiv reported that a possible landing zone would be to accept the role of the CSIRTs while giving ENISA a stronger involvement, and that the EU executive had proposed that both bodies receive the reports simultaneously.

In an undated compromise text circulated after the trilogue, seen by Euractiv, the Commission put its idea in black-and-white.

“The manufacturers shall notify any actively exploited vulnerability contained in the product with digital elements that they become aware of to [the CSIRTs designated as coordinators pursuant to Article 12(1) of Directive (EU) 2022/2555 and ENISA],” reads the text.

National CSIRTs would therefore be in the driving seat of the reporting process; for instance, they could request that the manufacturer provide an intermediate report. The notifications would be submitted via a pan-European platform to the end-point of the CSIRT of the country where the company has its main establishment.

“A manufacturer shall…


Top US Cyber Agency Pushing Toward First Hack Reporting Rule


A new US notification requirement for victims of malicious hacks could push in-house counsel to disclose cyberattacks when faced with ransomware and other network compromises.

Among the first-ever cyber regulations to be enforced by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the top US cyber authority, the proposed rules would require companies in 16 critical infrastructure sectors—including healthcare, energy, and finance—to report security incidents within three days (72 hours) and ransomware payments within 24 hours.

CISA’s proposed rule is part of a US effort to shore up defenses against the increasingly disruptive attacks of cyber criminals and nation-backed hacking groups, while simultaneously streamlining overlapping and inconsistent breach-notification reporting requirements across sectors. The rule would nudge companies toward new hiring and staff retraining, and push general counsel toward more active cybersecurity responsibilities.

The Biden administration set December 2025 as the deadline for the final rule, which was mandated in the Cyber Incident Reporting for Critical Infrastructure Act of 2022.

“One glaring challenge has been our cyber incident reporting system, which has recently been revealed as a bureaucratic maze,” said Jackie Singh, a consultant who was a senior cybersecurity staffer in the Biden campaign. “With over 50 disparate reporting channels scattered across numerous government entities, this broken system represents a potential Achilles’ heel. Agility is key to withstand cyber threats in a resilient manner; convoluted reporting structures don’t fit into what we commonly think of as ‘agile.’”

Companies only compound cyber threats when they delay reporting information that could protect other companies or national security, Singh said.

The agency’s new rule is designed to encourage greater visibility into cyber incidents whose security implications extend beyond a single company, so the information submitted in the breach reports is guaranteed certain protections.

Chief among those: local, state, and federal governments can’t use the information in the reports to regulate a company providing notice, unless…


NCSC urges timely reporting of ransomware attacks | Jordan News


Ammon News – The National Cyber Security Center (NCSC) has issued a call to action for institutions across the country, urging them to immediately report any suspicion of ransomware threats, in light of the recent surge in cyber attacks.

In a statement on Sunday, the Center revealed that numerous institutions targeted by ransomware fail to notify the authorities, thereby violating the Cyber Security Law, which mandates reporting of all cybersecurity breaches to the center.

“This crucial reporting enables the NCSC to take swift and necessary actions to contain the attack, prevent its propagation to other entities within the country, and leverage its resources to aid in the recovery of critical information and services,” the statement added.

Recent findings by the Center indicate a significant surge in ransomware incidents impacting national companies, government entities, academic institutions, and private businesses across Jordan since the start of the current year. Such attacks have severely disrupted their operations, hampering their ability to deliver essential services and, in certain cases, leading to irrecoverable data losses.

The Center highlighted as particularly concerning the cases in which entities lack comprehensive business continuity and disaster recovery plans. Regrettably, the extent of the financial losses incurred by these institutions remains difficult to quantify accurately.

Additionally, the NCSC pointed to the existence of a specialised intelligence unit, working in collaboration with other security agencies, that gathers and analyses intelligence on cyberattacks by international hacking groups targeting national institutions. This unit is able to monitor and trace these campaigns and identify the affected national entities.

Consequently, the Center stresses the utmost importance of timely reporting from all national institutions, as it serves the greater national interest and offers considerable benefits to the victims.

To enforce compliance with cybersecurity protocols, the Cyber Security Law empowers the Center to impose financial penalties on entities found to be non-compliant with reporting regulations…


SEC Spanks Blackbaud Over Lapses in Reporting Ransomware Attack

Cloud computing firm Blackbaud is the latest company to find itself targeted by the SEC, which alleges the company botched its response to a 2020 ransomware attack. To settle the matter, Charleston, South …
