incident reporting – Page 2

SEC’s breach notification proposal one step closer to a final vote

Posted on February 9, 2022 by Tonya Riley

The Securities and Exchange Commission voted Wednesday 3-1 to approve a recommendation for tighter mandatory cybersecurity requirements for financial institutions. The proposed rule will now open to public comment before a final vote. “The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks,” SEC Chairman Gary Gensler said at the agency’s open meeting. Most critically, the new rule would require confidential reports of any “significant” cybersecurity incidents to the SEC within 48 hours. The proposal also would require advisers and funds to adopt, at a minimum, cybersecurity protections including a risk assessment; user security and access controls; information protection and monitoring to protect systems from unauthorized use; and an annual written review of cybersecurity risks and policies. The report would require review by a board of directors. Commissioners said they want more […]

The post SEC’s breach notification proposal one step closer to a final vote appeared first on CyberScoop.

Continue reading SEC’s breach notification proposal one step closer to a final vote→

SEC’s Gensler signals enhancement of cybersecurity, breach disclosure rules for financial sector

Posted on January 25, 2022 by Tim Starks

U.S. Securities and Exchange Commission Chairman Gary Gensler is exploring an expansion of the SEC’s core cybersecurity rules to cover a broader swath of entities and require public companies to improve disclosure of breaches and risks. Gensler said in a speech on Monday that he instructed staff to look into an update of the commission’s “Regulation Systems Compliance and Integrity,” or Reg SCI, which the SEC adopted in 2014. Staff will examine whether the regulation — under which trading organizations and others must take security steps like backing up data — should extend to include the largest market-makers and broker-dealers. Gensler also said he asked staff to consider recommendations on bolstering the financial sector’s cybersecurity hygiene and incident reporting, how customers and clients receive notifications of financial sector breaches and how public companies disclose cybersecurity practices and risks. And he wants staff to examine how to better address cyber risk […]

The post SEC’s Gensler signals enhancement of cybersecurity, breach disclosure rules for financial sector appeared first on CyberScoop.

Continue reading SEC’s Gensler signals enhancement of cybersecurity, breach disclosure rules for financial sector→

Congressional cyber heavyweights Langevin, Katko won’t seek reelection

Posted on January 18, 2022 by Tim Starks

In the span of a few days, two House members who have concentrated much of their energy on cybersecurity — and perhaps just as importantly, on working across the aisle on the issue — have announced their plans to depart Congress. Rep. Jim Langevin, D-R.I., said on Tuesday that he would not run for reelection in 2022. Rep. John Katko, R-N.Y., made his own announcement on Friday. Matt Masterson, a former election security official at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, called the exit of Langevin and Katko “tough” and “a big loss.” “These are two members of Congress that have both employed staff and taken the time themselves to understand the technical challenges and nuances that are part of this conversation about cybersecurity,” said Masterson, now a nonresident policy fellow with the Stanford Internet Observatory. “You have a Republican and a Democrat, both who recognized […]

The post Congressional cyber heavyweights Langevin, Katko won’t seek reelection appeared first on CyberScoop.

Continue reading Congressional cyber heavyweights Langevin, Katko won’t seek reelection→

Cyber incident reporting mandates suffer another congressional setback

Posted on December 7, 2021 by Tim Starks

House and Senate negotiators have excluded provisions from a must-pass defense bill that would have mandated many companies to report major cyberattacks and ransomware payments to federal officials. A compromise version of the fiscal 2022 National Defense Authorization Act (NDAA) released Tuesday leaves out the language, which would set timeframes for when critical infrastructure owners and operators must report major incidents and some companies would have to report making ransomware payments. Supporters of the language ran out of time to reach an agreement on the final phrasing before NDAA sponsors moved ahead on their final compromise bill, a senior Senate aide said. It’s a big setback for backers of the reporting mandates, as attaching provisions to the annual NDAA has been the path for a number of monumental cyber ideas to become law. Still, some key disputes over the reporting mandate provisions have been resolved, and backers might be able […]

The post Cyber incident reporting mandates suffer another congressional setback appeared first on CyberScoop.

Continue reading Cyber incident reporting mandates suffer another congressional setback→

Incident reporting, ransomware payment legislation faces trouble in Senate

Posted on November 24, 2021 by Tim Starks

Legislation requiring critical infrastructure owners to report major cyber incidents to the federal government, and mandating that ransomware victims disclose when they make payments, has hit a significant snag in the Senate. A bipartisan group of senators announced a proposal in November that would require critical infrastructure owners and operators to report within 72 hours to the Department of Homeland Security’s Cybersecurity and Infrastructure Agency when they suffer major cyber incidents, as defined by CISA. It also would require reporting of ransomware payments to CISA from a broader set of organizations, excluding only individuals and some smaller businesses, within 24 hours. Advocates hope that by requiring swift reporting of major incidents, federal officials can help reduce the damage more quickly. Gathering intelligence about ransomware payments would help law enforcement and national security officials understand and act on digital extortion trends, officials say. Backers were unable to advance the proposal last […]

The post Incident reporting, ransomware payment legislation faces trouble in Senate appeared first on CyberScoop.

Continue reading Incident reporting, ransomware payment legislation faces trouble in Senate→

Banks must report major cyber incidents within 36 hours under finalized regulation

Posted on November 19, 2021 by Tim Starks

Banks must report major cybersecurity incidents to federal officials within 36 hours under a rule that U.S. financial regulators finalized on Thursday. Beginning in May 2022, financial executives will need to be more forthcoming about computer system failures and interruptions, such as ransomware or denial-of-service attacks that have the potential to disrupt customers’ ability to access their accounts, or impact the larger financial system. The rule, dubbed the Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, was cemented by the Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation. There is currently no specific window that banks must repot such incident to the agencies in question. The final approval comes as Congress weighs broader reporting rules for critical infrastructure owners and operators, and as the Transportation Security Administration has begun imposing reporting requirements on […]

The post Banks must report major cyber incidents within 36 hours under finalized regulation appeared first on CyberScoop.

Continue reading Banks must report major cyber incidents within 36 hours under finalized regulation→

Biden administration officials push Congress to shape breach reporting mandates

Posted on September 23, 2021 by Tim Starks

U.S. cybersecurity officials are seeking to put their stamp on cyber incident reporting legislation, wading into debates on Capitol Hill about questions like how swiftly companies must report attacks to federal agencies — and what happens if they don’t. The head of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency testified at a Senate hearing Thursday in favor of requiring critical infrastructure owners and operators, federal contractors and agencies to report attacks to CISA within 24 hours of detection. There are three leading proposals in Congress, each with a different timeframe for reporting attacks. The leaders of the Senate Intelligence Committee favor a 24-hour deadline. A draft bill from leaders of the Senate Homeland Security and Governmental Affairs Committee would set the range at between 72 hours and seven days, as determined by CISA. And a draft from leading members of the House Homeland Security Committee proposes leaving […]

The post Biden administration officials push Congress to shape breach reporting mandates appeared first on CyberScoop.

Continue reading Biden administration officials push Congress to shape breach reporting mandates→

Key Compliance Concepts for Financial Services

Posted on October 25, 2019 by grainnemckeevera

The Sarbanes-Oxley Act (SOX) was introduced following a number of financial scandals involving huge conglomerates and obliges companies to establish internal controls to prevent fraud and abuse, holding senior managers accountable for the accuracy of f… Continue reading Key Compliance Concepts for Financial Services→

White House releases 2016 agency cyberattack stats, claiming progress

Posted on March 10, 2017 by Shaun Waterman

The White House Office of Management and Budget released fiscal 2016 statistics on cybersecurity measures and incidents at U.S. agencies Friday, using new methodologies that make comparison with prior years essentially impossible, but nonetheless saying the government had made progress. For the first time, agencies were required to report only incidents that affected their operations, and to break those incidents down based on the attack vector used. “This is a shift from the previous reporting methodology,” wrote Grant Schneider, the acting federal chief information security officer, in a blog post unveiling the findings. He added that the shift meant “that the FY 2016 incident data is not comparable to prior years’ incident data.” But he stressed the new reporting requirement OMB, the Department of Homeland Security and other agencies “to focus on incidents that may impact operations.” Of the 30,899 incidents that agencies reported, only 16 were determined by agency heads to be “major […]

The post White House releases 2016 agency cyberattack stats, claiming progress appeared first on Cyberscoop.

Continue reading White House releases 2016 agency cyberattack stats, claiming progress→