Biden veto waiting for bill to kill SEC breach report rule - The Register

The Biden administration has told congressional representatives that it strongly opposes undoing the Securities and Exchange Commission's cybersecurity incident disclosure rule.
Tillis's Senate joint resolution, together with House Joint Resolution 100, sponsored by Representative Andrew Garbarino and introduced the same day, would nullify the SEC rules adopted in July of last year.
The SEC's rules require public companies to disclose a material cybersecurity incident within four business days of determining that the incident is material.
Undoing any breach reporting requirement seems antithetical to the work a Senator ought to be doing; we asked Tillis's office to explain his reasoning, but didn't hear back.
Garbarino, on the other hand, issued a statement in November after submitting his companion resolution in the House that makes his position on the matter clear: Breach reporting requirements are the Cybersecurity and Infrastructure Security Agency's job.
Garbarino said Congress and the Biden administration are on the same page with regards to harmonizing cybersecurity reporting requirements.
Part of the objection may stem from the public nature of SEC incident reports, which must be filed on SEC Form 8-K, a document anyone can read.
Disclosures must describe the nature, scope, and timing of the incident, though a filing may be delayed if the US Attorney General determines that disclosure would pose a substantial risk to national security or public safety.
It's not clear what the Senator and Congressman think of the Federal Trade Commission's 30-day breach notification requirement for non-bank financial institutions, adopted in October, which isn't mentioned in the earlier statement or in either resolution.
Despite Garbarino's professed belief that CISA should be the agency handling breach reporting requirements, CISA has yet to issue any rules that would do so.
President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) into law in March 2022, and the law gave CISA 24 months from enactment to publish a proposed rule, which it has yet to do.
When CISA's reporting requirements eventually take effect, the disclosure window will be even shorter than the SEC's.
CIRCIA directs CISA to give covered entities a mere 72 hours - three days - to report a covered cyber incident, and 24 hours to report a ransom payment; unlike Form 8-K filings, those reports would not be public.
In the meantime, the FTC and SEC have taken matters into their own hands, which appears to be helping - we've even been able to report on breaches at companies like HPE thanks to SEC reports.
As previously reported, the share of ransomware victims who pay their extortionists has fallen to 29 percent.
The company behind that statistic, ransomware negotiation firm Coveware, attributes much of the recent decline in ransom payments to the SEC and FTC reporting requirements. Payments are down despite what the White House OMB said was a 45 percent year-over-year increase in ransomware attacks.
Maybe giving the SEC cybersecurity reporting authority isn't the best move - after all, the agency can't even keep its Twitter account secure.


This Cyber News was published on go.theregister.com. Publication date: Thu, 01 Feb 2024 17:43:04 +0000

