Major cyber incident reporting requirement, CISA budget hike on precipice of becoming law

The incident reporting legislation, long in the works, also comes with nearly $2.6 billion for the agency for fiscal 2022.

The post Major cyber incident reporting requirement, CISA budget hike on precipice of becoming law appeared first on CyberScoop.

SEC weighs reporting requirements for publicly traded companies

The amendments follow a similar proposal the agency released last month aimed at tightening security for investment firms and advisers.

Proposal for industries to report big cyberattacks, ransomware payments wins Senate approval

The Senate passed legislation Tuesday evening requiring critical infrastructure owners to report to the feds when they suffer a major cyberattack or make a ransomware payment — shaking loose a bill that got stuck in the chamber last year. Under the measure, which now moves to the House for potential consideration, those critical infrastructure owners and operators as well as federal agencies would have to disclose a significant incident to the Department of Homeland Security’s Cybersecurity and Infrastructure Agency within 72 hours. The same owners and operators would have to report any ransomware payments to CISA, too, only within 24 hours. Its intent is to give CISA the information it needs to more widely share threat data to help curtail major cyberattacks rippling through key targets, such as what happened in late 2020 when federal contractor SolarWinds suffered a compromise that ended up spreading to federal agencies and major tech […]

SEC’s breach notification proposal one step closer to a final vote

The Securities and Exchange Commission voted Wednesday 3-1 to approve a recommendation for tighter mandatory cybersecurity requirements for financial institutions. The proposed rule will now open to public comment before a final vote. “The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks,”  SEC Chairman Gary Gensler said at the agency’s open meeting. Most critically, the new rule would require confidential reports of any “significant” cybersecurity incidents to the SEC within 48 hours. The proposal also would require advisers and funds to adopt, at a minimum, cybersecurity protections including a risk assessment; user security and access controls; information protection and monitoring to protect systems from unauthorized use; and an annual written review of cybersecurity risks and policies. The report would require review by a board of directors. Commissioners said they want more […]

SEC’s Gensler signals enhancement of cybersecurity, breach disclosure rules for financial sector

U.S. Securities and Exchange Commission Chairman Gary Gensler is exploring an expansion of the SEC’s core cybersecurity rules to cover a broader swath of entities and require public companies to improve disclosure of breaches and risks. Gensler said in a speech on Monday that he instructed staff to look into an update of the commission’s “Regulation Systems Compliance and Integrity,” or Reg SCI, which the SEC adopted in 2014. Staff will examine whether the regulation — under which trading organizations and others must take security steps like backing up data — should extend to include the largest market-makers and broker-dealers. Gensler also said he asked staff to consider recommendations on bolstering the financial sector’s cybersecurity hygiene and incident reporting, how customers and clients receive notifications of financial sector breaches and how public companies disclose cybersecurity practices and risks. And he wants staff to examine how to better address cyber risk […]

Congressional cyber heavyweights Langevin, Katko won’t seek reelection

In the span of a few days, two House members who have concentrated much of their energy on cybersecurity — and perhaps just as importantly, on working across the aisle on the issue — have announced their plans to depart Congress. Rep. Jim Langevin, D-R.I., said on Tuesday that he would not run for reelection in 2022. Rep. John Katko, R-N.Y., made his own announcement on Friday. Matt Masterson, a former election security official at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, called the exit of Langevin and Katko “tough” and “a big loss.” “These are two members of Congress that have both employed staff and taken the time themselves to understand the technical challenges and nuances that are part of this conversation about cybersecurity,” said Masterson, now a nonresident policy fellow with the Stanford Internet Observatory. “You have a Republican and a Democrat, both who recognized […]

Cyber incident reporting mandates suffer another congressional setback

House and Senate negotiators have excluded provisions from a must-pass defense bill that would have mandated many companies to report major cyberattacks and ransomware payments to federal officials. A compromise version of the fiscal 2022 National Defense Authorization Act (NDAA) released Tuesday leaves out the language, which would set timeframes for when critical infrastructure owners and operators must report major incidents and some companies would have to report making ransomware payments. Supporters of the language ran out of time to reach an agreement on the final phrasing before NDAA sponsors moved ahead on their final compromise bill, a senior Senate aide said. It’s a big setback for backers of the reporting mandates, as attaching provisions to the annual NDAA has been the path for a number of monumental cyber ideas to become law. Still, some key disputes over the reporting mandate provisions have been resolved, and backers might be able […]

Incident reporting, ransomware payment legislation faces trouble in Senate

Legislation requiring critical infrastructure owners to report major cyber incidents to the federal government, and mandating that ransomware victims disclose when they make payments, has hit a significant snag in the Senate. A bipartisan group of senators announced a proposal in November that would require critical infrastructure owners and operators to report within 72 hours to the Department of Homeland Security’s Cybersecurity and Infrastructure Agency when they suffer major cyber incidents, as defined by CISA. It also would require reporting of ransomware payments to CISA from a broader set of organizations, excluding only individuals and some smaller businesses, within 24 hours. Advocates hope that by requiring swift reporting of major incidents, federal officials can help reduce the damage more quickly. Gathering intelligence about ransomware payments would help law enforcement and national security officials understand and act on digital extortion trends, officials say. Backers were unable to advance the proposal last […]

Banks must report major cyber incidents within 36 hours under finalized regulation

Banks must report major cybersecurity incidents to federal officials within 36 hours under a rule that U.S. financial regulators finalized on Thursday. Beginning in May 2022, financial executives will need to be more forthcoming about computer system failures and interruptions, such as ransomware or denial-of-service attacks that have the potential to disrupt customers’ ability to access their accounts, or impact the larger financial system. The rule, dubbed the Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, was cemented by the Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation. There is currently no specific window within which banks must report such incidents to the agencies in question. The final approval comes as Congress weighs broader reporting rules for critical infrastructure owners and operators, and as the Transportation Security Administration has begun imposing reporting requirements on […]
