| Welcome to The Cybersecurity 202! I caught up on "Chimp Empire," and I was surprised at how animated I was watching it. I constantly shifted my allegiances and would make fun, out loud, of the alphas when they "displayed." Also, was I the only one who thought they missed out on a chance to name it "Chimpire?" Was this forwarded to you? Sign up here. Below: Rudy Giuliani is no longer legally contesting some false election statements, and NATO investigates a possible leak. First: | The SEC wants publicly traded companies to report major cyber incidents within four days |  Securities and Exchange Commission Chair Gary Gensler during the Competition Council meeting with President Biden in White House in February. (Demetrius Freeman/The Washington Post) | | | The Securities and Exchange Commission voted on Wednesday to require publicly traded companies to disclose within four days when they suffer a cyber incident significant enough to weigh into the decisions of prospective investors. By approving the regulation, the commission brought an end to a year worth of rulemaking, capping off a process for public reporting of so-called "material" cyber incidents that's long been in flux. It comes as the Biden administration works on a broader regulatory push to shore up cybersecurity weaknesses. It's just one of many efforts, including within the SEC, which has several other different cyber rules pending. "The rule will, among other things, provide investors and market participants across the board with critical information relating to a company's risk management and strategy as well as governance in its periodic reporting," Democratic Commissioner Caroline Crenshaw said at Wednesday's meeting. The SEC's action evokes a familiar pattern of cyber regulations drawing opposition from Republicans and industry. But the changes the SEC adopted before Wednesday's vote to ease private-sector criticism don't seem to have taken hold as well as some other Biden administration agency changes to regulations for other segments of the business world. | | The rule "mandates public disclosure of considerably too much, too sensitive, highly subjective information, at premature points in time, without requisite deference to the prudential regulators of public companies or relevant cybersecurity specialist agencies," Melissa MacGregor, the Securities Industry and Financial Markets Association's deputy general counsel and corporate secretary, said in a statement. | The rule and the debate among the players | | Under the rule, which is set to take effect 30 days after it's published in the Federal Register, publicly traded companies have to report and describe to the SEC when they suffer a "material" incident. In one change meant to tamp down industry disapproval, the four-day trigger can be delayed if the attorney general determines and affirms that disclosure would jeopardize national security. Registrants also will have to describe their processes for identifying and managing cyber risks in annual reports. Investors need to know when a company suffers something that would be "material," be it from a fire or the loss of millions to cyber crooks, said the SEC's Democratic chairman, Gary Gensler. While some companies already disclose such incidents, the idea is to make the process more consistent, he said. Besides the benefits to investors, the rule can raise the bar on cybersecurity in other areas, said Democratic Commissioner Jaime Lizárraga. | - "More timely reporting of cyber incidents can serve as an alert to companies in the same sector that malign actors are launching cyberattacks," he said at the commission meeting. "Such companies could have more time to raise their cyber defenses and to mitigate any potential damage."
- "Consumers may also benefit through more informed decision-making about which companies they can trust with their sensitive information," Lizárraga continued.
| | Both Republicans on the commission voted against adopting the regulations. With the regulation the SEC approved, the commission would "swing a hammer at the current regime and create new disclosure obligations for cybersecurity matters that simply do not exist for any other topic," Republican Commissioner Mark Uyeda said. For example, it requires companies to disclose management's role in assessing cyber risks, he pointed out. The other Republican commissioner, Hester Peirce, said the rule was improved over its original form. But both Republican commissioners voted against adopting a regulation they called overly prescriptive, meaning it advanced 3-2. | | Another industry group also wasn't pleased with the SEC's actions. "The SEC's cyber disclosure rule risks harming the very investors it purports to protect by prematurely publicizing a company's vulnerabilities," Heather Hogsett, senior vice president of technology and risk strategy for the technology policy division of the Bank Policy Institute. "No reasonable investor would want premature disclosure of a cyber event to malicious actors or a hostile nation-state, which could exacerbate security risks and creates a recipe for disaster the next time a major cyber incident occurs." | Outside of industry and political labels | | Attorneys who work on SEC issues offered some analysis of the rule. Here's what David Lynn, chair of Morrison Foerster's public company advisory and governance practice (and former chief counsel of a division of the SEC) told me: | - "The encouraging aspect is that they did listen to commenters on a number of points," he said.
- Lynn's been tracking the long history of similar ideas at the SEC, going back to 2011, and overall isn't convinced yet that the latest rule will change much. "It takes away perhaps some last vestige of gray area around whether or not you had to do it," he said.
| | And here's David Martin, who also once worked at the SEC and now practices enforcement cases in front of the commission as senior counsel for Covington & Burling. | - "Now we have a little clarity about how they're going to regulate in the space," he told me.
- The changes from the original draft "narrow the gap between what went out and the complaints that people had," Martin said.
- A key development to watch is how the regulation will fit into others circulating within the Biden administration, he said.
| | And a credit rating firm weighed in on the SEC rule. It will "provide more transparency into an otherwise opaque but growing risk, as well as more consistency and predictability," Lesley Ritter, senior vice president for Moody's Investors Service, said in a statement. "Increased disclosure should help companies compare practices and may spur improvements in cyber defenses, but meeting the new disclosure standards could be a bigger challenge for smaller companies with limited resources." | | |  | The keys | | Giuliani no longer contesting false statements on Georgia election workers |  Rudy Giuliani, former lawyer for President Donald Trump, speaks during a news conference about lawsuits contesting the results of the presidential election at the Republican National Committee headquarters in Washington, D.C., on Thursday Nov. 19, 2020. (Photo by Sarah Silbiger for The Washington Post) | | | Rudy Giuliani — who served as a lawyer to former president Donald Trump — is no longer legally contesting false statements he made about two Georgia election workers, though a new filing late Tuesday argues that his accusations of vote-rigging in the 2020 presidential election were constitutionally protected speech that did not damage the workers, our colleagues John Wagner and Amy B Wang report. The filing "is the latest twist in a lawsuit brought by Ruby Freeman and her daughter, Shaye Moss, who counted ballots in Fulton County, Ga., during the November 2020 election," our colleagues write. | - The pair in a 2021 lawsuit alleged they became the focus of election conspiracy theories brought on by Giuliani and employees of the right-wing news organization One America News, the latter of which settled with them last year at an undisclosed amount.
- His latest filing says his election claims "carry meaning that is defamatory per se," but his lawyer noted that he was "not admitting to the plaintiffs' allegations but instead was seeking to speed up the litigation through a legal maneuver," John and Amy write.
| - Smith's office asked former officials to provide information on a February 2020 Oval Office meeting where President Donald Trump praised improvements to U.S. election security, CNN reported this week. Those remarks contrast with the voter fraud conspiracy theories that Trump often spoke of just weeks later.
- As our colleagues recently reported: Mark Meadows, Trump's last White House chief of staff, joked about Trump's baseless election claims just before participating in a phone call where Trump claimed some 5,000 dead voters were in Georgia and said the results should be overturned in the state.
| Russia sentences top cybersecurity executive to 14 years on treason charges |  Group-IB founder Ilya Sachkov stands in an enclosure for defendants behind his lawyers during a court hearing in Moscow on Wednesday. (Moscow City Court/Reuters) | | | Group-IB founder Ilya Sachkov was sentenced by a Russian court to 14 years in a high-security prison on treason charges, Jessica Lyons Hardcastle reports for the Register. "While the details of the charges against Sachkov remain top secret, he reportedly was accused of handing over information to the FBI about the Kremlin-backed cyberespionage team APT28, also known as Fancy Bear, and its reported interference in Western elections. Sachkov has always denied the charges," according to the report. He was arrested in September 2021 and has been held in detention since. Little is known about the charges since they are linked to top secret information, Hardcastle writes. Group-IB is one of the most prominent cybersecurity firms to have come out of Russia. In April, the company finalized its exit from Russia in an effort to focus on non-Russian markets amid the war in Ukraine. | - "Since day one, we have had full confidence in Ilya's innocence. We are unwaveringly convinced that Ilya's ideas and approach to cybersecurity have many followers worldwide, and they unite people and organizations across the globe," Group-IB said in a Wednesday statement.
- "While he remains wrongfully imprisoned, we will continue to stand up against injustice and operate our business with the same mission in mind — to fight against cybercrime," it says. His attorneys will appeal the decision, the Register adds.
| NATO investigating breach of data-sharing platform |  A NATO flag stands on the day of a NATO leaders summit in Vilnius, Lithuania, on July 11. (Kacper Pempel/Reuters) | | | NATO is investigating what it believes to be a cyber incident after hacking group SiegedSec on Sunday posted a Telegram link to over 700 internal documents belonging to the intergovernmental security alliance, AJ Vicens reports for CyberScoop. | - The report says: "A cursory review by CyberScoop showed roughly 710 files purportedly obtained from the NATO Community of Interest Cooperation Portal, which the agency says is an 'unclassified information sharing and collaboration environment.'"
- "NATO cyber experts are actively looking into the recent claims associated with a Communities of Interest Cooperation Portal," a NATO official told CyberScoop in an email. "We face malicious cyber activity on a daily basis and NATO and Allies are responding to this reality, including by strengthening our ability to detect, prevent and respond to such activities."
| | The breached files in question reportedly reveal sensitive information like agency personnel names and their contact info, among other things. The SiegedSec group "is known for politically motivated attacks that typically don't have a financial connection," Vicens writes, citing instances where the group targeted the infrastructure of U.S. states that have worked to limit access to gender-affirming care and abortion resources. | | |  | Government scan | | | |  | Hill happenings | | | |  | Industry report | | | |  | National security watch | | | |  | Global cyberspace | | | |  | Cyber insecurity | | | |  | Privacy patch | | | |  | Daybook | | | |  | Chat room | | | A cyber-themed real estate listing, as flagged by our editor: | | |  | Secure log off | | | Thanks for reading. See you tomorrow. | | |
No comments:
Post a Comment