IT Security & Privacy

SEC's New Cybersecurity Incident Disclosure Rules Take Effect: Compliance and IT Security Implications

Today marks a pivotal moment in financial regulatory compliance as the U.S. Securities and Exchange Commission's (SEC) new cybersecurity incident disclosure rules, specifically those for Form 8-K, come into effect. This initiative, aimed at bolstering transparency and fortifying the response to cybersecurity incidents, applies to all filers except smaller reporting companies. The rules mandate reporting to the SEC within four business days from the determination of materiality.

FBI Offers Guidance on SEC Reporting Requirements for Cyber Incidents

In anticipation of the Securities and Exchange Commission's (SEC) upcoming requirements for companies to disclose material cybersecurity incidents, the Federal Bureau of Investigation (FBI), in collaboration with the Department of Justice, is providing crucial guidance for victims of cyber incidents. With the SEC's new rules set to take effect on December 18, 2023, the FBI aims to assist companies in navigating these reporting requirements, particularly in scenarios involving national security or public safety concerns.

Norton Healthcare Ransomware Attack Exposes 2.5 Million Individuals, Highlighting Growing Vulnerabilities in Healthcare Sector

In a recent data breach notification filed with Maine's attorney general, Norton Healthcare revealed that a ransomware attack in May exposed sensitive data on 2.5 million individuals. The Kentucky-based clinic and hospital group discovered the cyberattack on May 9, determining later that ransomware was involved. The threat actors gained access to some network storage devices between May 7 and May 9, although the medical record system remained uncompromised.

Credit Unions Face Outages Amid Ransomware Attack on Third-Party Vendor

Approximately 60 credit unions are grappling with service disruptions following a ransomware attack on Trellance, a third-party IT vendor catering to the industry, as reported by the National Credit Union Administration (NCUA) on Friday. Trellance subsidiaries, including Ongoing Operations and FedComp, have confirmed the cyber incident, with Ongoing Operations specifying a ransomware attack on November 26.

Deutsche Wohnen Ruling by ECJ Anticipated to Escalate GDPR Fines

A recent ruling by the European Court of Justice (ECJ) in the case of German property company Deutsche Wohnen is expected to have far-reaching financial implications for organizations found in breach of the General Data Protection Regulation (GDPR). Legal experts have deemed the decision a "landmark" ruling, altering the landscape of GDPR enforcement.

HHS Unveils Cybersecurity Strategy to Safeguard Health Care Sector

The U.S. Department of Health and Human Services (HHS) has introduced a comprehensive cybersecurity strategy aimed at fortifying the resilience of the health care sector against the escalating threat of cyber-attacks. The concept paper, aligned with President Biden's National Cybersecurity Strategy, outlines four pivotal pillars for action with a focus on bolstering cybersecurity for hospitals, patients, and communities vulnerable to cyber threats.

CISA Releases Comprehensive Mitigation Guide to Fortify Healthcare Cybersecurity

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has unveiled a crucial mitigation guide aimed at fortifying the cybersecurity defenses of the Healthcare and Public Health (HPH) Sector. The new guidance, a supplement to the HPH Cyber Risk Summary released on July 19, 2023, outlines strategic measures to combat pervasive cyber threats affecting the sector.