Tag Archive for: Regulatory

How financial institutions can prepare to react quickly through regulatory compliance


All over the world, the number of attacks by cybercriminals targeting the financial sector is increasing, and the UK and Ireland are no exception to this trend. According to Veritas research, half of UK organisations said that, over the past two years, they had been the victim of at least one successful ransomware attack in which the attackers were able to infiltrate their systems.

The increasing profitability of these attacks for the criminals means that a whole new industry, Ransomware-as-a-Service (RaaS), is growing rapidly. Professional criminal groups specialise in the individual stages of an attack (target identification, increasingly AI-assisted; breach execution; victim extortion; and ransom collection) and offer their malware as a service to the highest bidder.

The increasing threat this poses to national economies led the EU to pass the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554, applicable from 17 January 2025), which sets out specific requirements for financial entities concerning ICT risk management. DORA legislates on key areas including the classification and accurate, timely reporting of ICT-related incidents (major incidents must be notified to the competent authority on tight deadlines, with an initial notification due within hours of the incident being classified as major) and the management of third-party ICT risk.

This means that when an attack on a financial services provider occurs, the decisions and actions taken in the first hours after it is detected will be decisive for the level of organisational impact, for meeting the reporting deadlines, and ultimately for the survival of the business.

For financial institutions, process predictability is paramount  

IT teams must prepare thoroughly for an attack by implementing effective operational resilience practices to secure their data. Ongoing training for IT and business teams, together with tools for data identification and visibility, is critical when it comes to meeting regulatory requirements.

As part of the ICT risk management process required to comply with DORA, a specialised audit identifying all types, locations and classifications of data and storage infrastructure must be completed: an organisation cannot classify an incident, assess its impact or report it accurately without knowing what data it holds and where. These rules have been developed to help prevent and mitigate cyber threats and to ensure that financial entities can withstand, respond to, and recover from all types of ICT-related disruptions and threats.

Compliance with these processes…

Biden’s National Security Strategy Reinforces Tech Decoupling and Increased Regulatory Focus


November 18, 2022

Originally published in The Hill

The recently released National Security Strategy sets forth the Biden administration’s approach to a changing world at an inflection point, providing a roadmap for the administration and for Congress. The administration’s national security priorities largely echo those of past administrations, but they diverge in their focus on a “modern industrial and innovation strategy” that promises deep use of industrial and economic tools to create a bulwark against autocracies like Russia and China. The resulting message is clear: the administration’s national security goals are inherently tied to, and will necessarily impact, a broad swath of American companies.

Five areas of the strategy stand out for their potential impact on companies.

First, increased investment scrutiny will ensure the Committee on Foreign Investment in the United States (CFIUS), with its expansive authority to review foreign investments, continues to be a prominent national security tool. The strategy also contemplates new outbound investment restrictions, which have been gaining congressional momentum as well. Should “reverse-CFIUS” come into effect, companies will need to transform their outbound investment strategies, planning for increased investment timelines, heightened scrutiny for investments in certain sectors and in certain countries, and potentially restrictions on certain outbound investments deemed to pose national security risk. Further, increased export controls will require companies to reinforce compliance programs and reevaluate offshoring operations. As the Commerce Department’s recent semiconductor restrictions demonstrate, new regulations can quickly reverberate across an industry, in some cases having a material impact.

Second, foreign policy and domestic policy lines blur with the focus on making strategic public investments in strategic sectors and supply chains, especially critical and emerging technologies. New laws, including the CHIPS and Science Act and the Inflation Reduction Act, illustrate the administration’s commitment — and congressional support —…

T-Mobile Faces Regulatory Scrutiny After Hack


A Federal Communications Commission probe into the hack of T-Mobile US Inc. is the agency’s first high-profile cyber inquiry under a Biden administration that has promised to more aggressively police companies’ security standards and privacy safeguards.

The hack, which T-Mobile disclosed on Monday, hit a communications sector in which cyber oversight is spread across federal agencies, including the FCC, which has taken a largely hands-off approach to data security in recent years. But U.S. officials this year have signaled a new willingness to use regulatory power to shore up the cyber defenses of critical infrastructure.

“Telecommunications companies have a duty to protect their customers’ information,” an FCC spokeswoman said on Wednesday, declining to comment further.

A T-Mobile representative didn’t respond to a request for comment on the inquiry.

The FCC’s cybersecurity guidelines are largely voluntary, with agency officials producing recommendations for best practices. The Transportation Security Administration took a similar approach to pipeline cyber standards until the hack of Colonial Pipeline Co. in May. Since then, the agency has rolled out first-of-their-kind regulations, including a requirement that pipeline operators report cyberattacks.

While the T-Mobile hack didn’t disrupt U.S. communications networks, the company said on Wednesday that hackers stole personal data like Social Security and driver’s license numbers on about 48 million people.

The Federal Trade Commission has investigated other personal data breaches, including the 2017 Equifax hack that concluded with a settlement of at least $575 million. The agency, which in…

Regulatory system needs a rethink after data breaches at Juspay and MobiKwik, say experts


The fintech and startup ecosystem that has emerged in recent years has a major governance issue: data breaches and leaks are not taken seriously. Unfortunately, the regulatory system has not woken up to the fact that the recent data breaches at Juspay and MobiKwik can cause significant harm to affected users in the future.

The Indian government is yet to introduce a Personal Data Protection Law (PDP Law) in Parliament, at a time when incidents of data breaches and of personal information being sold on the dark web are increasing year on year. The lack of a Data Protection Authority and a Personal Data Protection Law means that there is regulatory ambiguity as to who should respond to breaches and investigate them. Industry experts told MediaNama that the entire regulatory system needs to be strengthened, that business models need a rethink, and that companies need to be made more accountable, whether through the courts or through internal governance practices.

1) CERT-In is the primary agency for data breaches

According to legal experts, it is the Indian Computer Emergency Response Team (CERT-In), the nodal agency under MeitY for computer security incidents, that is the primary agency responsible for investigating data breaches, and not the Reserve Bank of India (RBI).

According to Mathew Chacko, Partner at the law firm Spice Route Legal, any server compromise or breach needs to be disclosed to CERT-In (under the IT Act) regardless of the sensitivity of the data leaked. “There are no two ways about reporting the incident to CERT-In,” Chacko said.

After reporting to CERT-In, it is the company’s decision whether to report the incident to its customers and the public, he added. “Not all data breaches are significant enough to be reported to the public, but in some cases, companies take it for granted that the public need not know,” he said.

The RBI only steps in when it comes to financial data, but data breaches fall within CERT-In’s ambit, said NS Nappinai, a Supreme Court advocate and founder of Cyber Saathi.

“Non-reporting of such data breaches carries heavy penalties for such incidents. But the issue is that organisations tend to be lax in…
