
Security Executives: Navigating Cyber Liability Risks

Businesses and organizations across all industries now treat cybersecurity as a top priority in an increasingly digital world. In the wake of cyber threats and breaches, security executives are facing growing liability exposure, as recent studies report. Beyond highlighting the necessity of effective cybersecurity measures, the Securities and Exchange Commission (SEC) has been actively scrutinizing the conduct of security leaders.

The SEC's recent complaint against a major corporation underscores the gravity of the situation. The complaint, filed in November 2023, alleges that the security executives failed to implement adequate measures to safeguard sensitive information, resulting in a significant data breach. The breach not only exposed sensitive customer data but also caused financial losses and reputational damage to the company. This case serves as a stark reminder that security executives can be held personally liable for lapses in cybersecurity.

As highlighted in the 2022 Axios report, boardroom cyber threats are becoming increasingly sophisticated, targeting high-level executives and their decision-making processes. Cybercriminals employ tactics such as social engineering, spear-phishing, and ransomware to exploit weaknesses in organizational structures. Countering this requires a comprehensive approach to cybersecurity that combines technological controls with robust policies, employee training, and tested incident response plans.

One invaluable resource for organizations striving to enhance their cybersecurity posture is the National Institute of Standards and Technology (NIST) Cybersecurity Framework. This framework provides a structured approach to managing and reducing cybersecurity risks. It outlines five key functions: Identify, Protect, Detect, Respond, and Recover. By following this framework, security executives can establish a clear roadmap for assessing and improving their organization's cybersecurity capabilities.

Security executives carry an ever-growing share of accountability for cybersecurity. Recent cases and reports underline the need for preventative action to reduce liability risk. Implementing the NIST Cybersecurity Framework is one essential instrument for strengthening an organization's defenses against cyber threats. By adopting a comprehensive cybersecurity strategy, organizations can better safeguard themselves, their stakeholders, and their reputations in an increasingly digital environment.

Demystifying the SEC's Enhanced Cybersecurity Disclosure Requirements

The SEC (Securities and Exchange Commission) recently issued a rule that demands greater transparency about cybersecurity risk management, governance, and incident reporting and response. Under the rule, public companies listed on U.S. stock exchanges must comply with its cyber risk management and incident disclosure requirements starting mid-December 2023 (or early spring 2024 for smaller companies that meet the qualification criteria).

Because the new rule requires companies to disclose features of their security programs to the public, companies that proactively identify and fix vulnerabilities will be at an advantage. By giving investors information about public companies' cybersecurity risk management, the SEC aims to help them make informed decisions about where to put their hard-earned money.

As security becomes increasingly central to corporate governance, investors can use a company's security maturity as a market differentiator. By adopting these rules, the regulator has taken a significant step toward improving cybersecurity disclosures for public companies, giving investors comprehensive and standardized information about how cybersecurity risks are managed, what strategies are implemented, what governance processes are in place, and how incidents are reported.

The new rules were adopted in July 2023 following an extensive rule-making and public comment process that began back in January 2024. The rules are an official recognition that cybersecurity threats are ever-present and affect investor decisions in several ways.

It should be noted that the rules published by the US Securities and Exchange Commission apply only to companies that are SEC registrants. However, the scope is not limited to assets located in the US: incidents affecting assets of SEC-registered companies in other countries also fall within the scope of the rules.

The scope of these rules excludes not only government bodies but also companies not regulated by the SEC (i.e. private companies that are not subject to SEC reporting requirements) and other types of organizations. Various breach notification requirements are being introduced for these categories and for others, and may at some point in the future be harmonized or unified with the SEC reporting requirements.

To comply with the new rules, registrants must report any cybersecurity incident they determine to be material under Item 1.05 of Form 8-K, describing the material aspects of the incident's nature, scope, and timing. They must also describe how the incident has materially affected the registrant, or whether it is reasonably likely to do so.

Once a registrant determines that a cybersecurity incident is material, it will generally be required to file the Item 1.05 Form 8-K within four business days of making that determination. The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission in writing.

In addition, the new rules add Regulation S-K Item 106, which requires registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, along with the material effects, or reasonably likely material effects, of cybersecurity threats and previous incidents on the company.

A registrant's annual report on Form 10-K must also describe the board of directors' oversight of risks from cybersecurity threats, as well as management's role and expertise in assessing and managing material risks from those threats. These disclosures are required of all companies and are made in the annual report on Form 10-K.

Under the regulations, foreign private issuers must provide comparable disclosures: material cybersecurity incidents on Form 6-K, and cyber risk management, strategy, and governance on Form 20-F. Reporting material cybersecurity events to the SEC has always been part of general reporting obligations; what has changed in the last few years is that the timelines and the nature of the reporting have become far more specific, and there is now a ticking four-business-day clock on the incident disclosure.

Taking a step back from the rules themselves, it is clear that the importance of visibility and continuous monitoring cannot be overstated. Time to detection cannot be bounded by the speed of your least experienced analyst. Unified platforms provide a single view instead of a wall of consoles.

A rich set of telemetry must feed the internal visibility system so that breaches can be detected, stopped, and continuously monitored. These new SEC rules make clear that cyberattack risk is a business risk for a great many companies with operations outside the US, which means visibility must extend beyond the US to other geographies as well.

Companies have many ways to proactively identify and mitigate security vulnerabilities, bug bounties among them, and the new rules should encourage them to invest in such measures so that vulnerabilities are identified and remedied as early as possible.

It is well documented that a bug bounty program, combined with comprehensive security safeguards, can be a very effective means of preventing cyber incidents and demonstrating security maturity to investors. As investors become more aware of cyber risk, companies that have made protecting their digital assets and sensitive data a high priority will stand out more and more.

Estée Lauder: Cosmetic Brand Among the New Victims of Ransomware Attack

On Tuesday, U.S.-based cosmetic brand Estée Lauder Cos. Inc. confirmed that it had suffered a ransomware attack, in which some of its data was compromised and after which it took down some of its systems.

The ransomware gang ALPHV/BlackCat claims to have carried out the attack, listing Estée Lauder on its leak site on the dark web alongside an airline, a communications regulator, a hard drive storage provider, and others.

Among the recent victims is the file transfer tool MOVEit, hit by the massive Clop breach in late May. The data theft has disrupted numerous entities that used MOVEit, and the campaign is claimed to have affected around 378 organizations and 20 million individuals.

However, it is still not clear whether Estée Lauder is one of those victims. The company has not revealed the nature or scope of the compromised data, but screenshots tweeted by Emsisoft threat analyst Brett Callow of posts from BlackCat and Clop claim that the compromised data includes ‘customer data.’

Another message from Clop claims that the gang extracted 131 GB of data from the beauty giant. The ransomware gang also condemned the company, stating that it “doesn't care about its customers, it ignored their security!!!”

Adding to this, the ALPHV/BlackCat screen grab threatens to expose more of the compromised data, stating, “Estée Lauder, under the control of a family of billionaire heirs. Oh, what these eyes have seen. We will not say much for now, except that we have not encrypted their networks. Draw your own conclusions for now. Maybe the data was worth a lot more.”

A statement from the beauty brand confirmed the attack; its statement and its disclosure to the Securities and Exchange Commission mention an “unauthorized third party” that managed to gain “access to some of the company’s systems,” but do not explain what the attackers hoped to gain or what, if anything, they demanded.

Estée Lauder added that “the incident has caused, and is expected to continue to cause, disruption to parts of the company’s business operations.” The company is now focusing on “remediation.” It has taken down at least some of its systems and is working with law enforcement to investigate the matter.

With this incident, Estée Lauder joins the list of big names hit in the recent series of ransomware attacks, including Walmart, Ikea, McDonald’s, and many others.