
Top Tech Firms Fined for Hiding SolarWinds Hack Impact


The US Securities and Exchange Commission fined four major technology companies, Unisys Corp, Avaya Holdings, Check Point Software, and Mimecast, for allegedly downplaying the severity of the cybersecurity risks they faced as a result of the notorious SolarWinds hack. The companies are accused of giving investors misleading information about the severity of breaches connected with the 2020 attack on the SolarWinds Orion software.

Companies Made Deceptive Filings

According to the SEC, the companies directly or indirectly misled investors about the extent and effect of the attacks. All four have settled and will pay civil penalties: $4 million for Unisys, $1 million for Avaya, $995,000 for Check Point Software, and $990,000 for Mimecast.

The SEC said the companies knew their systems had been compromised through unauthorised access after the SolarWinds hack but downplayed the impact in public statements. For example, Unisys reportedly described cybersecurity risks as "theoretical" even after it had confirmed two data breaches tied to the SolarWinds hack in which gigabytes of data were exfiltrated. Similarly, Avaya apparently downplayed the severity of its breach by disclosing only limited access to its email messages, while investigators found that at least 145 files in its cloud storage had been compromised.

Particular Findings on Each Company

1. Unisys Corp: The SEC noted that Unisys failed to fully disclose the nature of its cybersecurity risks even after it had suffered massive data exfiltration. The company's public disclosures apparently described such risks as "theoretical".

2. Avaya Holdings: Avaya allegedly made misleading statements by reporting that only a minimal number of e-mail messages had been accessed, when there was ample evidence that the access extended to files held in its cloud storage.

3. Check Point Software: The SEC charges that Check Point was aware of the hack and used ambiguous language to downplay the severity of the attack, thereby leaving investors underinformed about the actual extent of the hack.

4. Mimecast: The SEC found that Mimecast made major omissions in its disclosure, including failing to disclose the specific code accessed by the hackers and the number of encrypted credentials they obtained.

Background on the SolarWinds Breach

The SolarWinds hack is attributed to the Russian-linked group APT29, which is associated with the SVR. In 2019, the attackers gained unauthorised access to the SolarWinds Orion software platform and, between March and June 2020, released malicious updates that installed malware such as the Sunburst backdoor in "fewer than 18,000" customer instances, though far fewer were targeted for deeper exploitation.

Subsequently, many U.S. government agencies and large companies confirmed that they had been compromised in this breach. These include Microsoft, the cybersecurity company FireEye, the Department of State, the Department of Homeland Security, the Department of Energy, the National Institutes of Health, and the National Nuclear Security Administration.

SEC's Stance on Transparency

The SEC's charges and fines also serve as a warning to public companies to be transparent about security incidents that affect the trust of their investors. The four companies settled without admitting wrongdoing, but the considerable penalties show how firmly the SEC will hold organisations responsible for providing fair information about cybersecurity risks and incidents.

The case therefore calls on tech firms to provide better information about cybersecurity issues as investors and consumers continue to face increasingly complex and pervasive cyber threats.


Security Executives: Navigating Cyber Liability Risks

Businesses and organizations across all industries now treat cybersecurity as a top priority in an increasingly digital world. Following cyber threats and breaches, security executives are facing increasing liability issues, as recent studies report. In addition to highlighting the necessity of effective cybersecurity measures, the Securities and Exchange Commission (SEC) has been actively monitoring the activities of security leaders.

The SEC's recent complaint against a major corporation underscores the gravity of the situation. The complaint, filed in November 2023, alleges that the security executives failed to implement adequate measures to safeguard sensitive information, resulting in a significant data breach. The breach not only exposed sensitive customer data but also caused financial losses and reputational damage to the company. This case serves as a stark reminder that security executives can be held personally liable for lapses in cybersecurity.

As highlighted in the 2022 Axios report, boardroom cyber threats are becoming increasingly sophisticated, targeting high-level executives and their decision-making processes. Cybercriminals employ tactics such as social engineering, spear-phishing, and ransomware attacks to exploit vulnerabilities in organizational structures. This necessitates a comprehensive approach to cybersecurity that involves not only technological solutions but also robust policies, employee training, and incident response plans.

One invaluable resource for organizations striving to enhance their cybersecurity posture is the National Institute of Standards and Technology (NIST) Cybersecurity Framework. This framework provides a structured approach to managing and reducing cybersecurity risks. It outlines five key functions: Identify, Protect, Detect, Respond, and Recover. By following this framework, security executives can establish a clear roadmap for assessing and improving their organization's cybersecurity capabilities.

Security executives are dealing with an ever-growing amount of accountability in the field of cybersecurity. Reports and recent instances highlight the necessity of taking preventative action to reduce liability risks. An essential instrument for strengthening an organization's defenses against cyber threats is the implementation of the NIST Cybersecurity Framework. Organizations may better safeguard themselves, their stakeholders, and their reputations in an increasingly digital environment by implementing a comprehensive cybersecurity strategy.

Demystifying the SEC's Enhanced Cybersecurity Disclosure Requirements

The SEC (Securities and Exchange Commission) recently issued a rule that imposes a greater level of transparency regarding cybersecurity risk management, governance, and incident reporting and response. Public companies listed on U.S. stock exchanges must comply with the rule's cyber risk management and incident disclosure requirements starting mid-December 2023 (or early spring 2024 for smaller companies that meet the qualification criteria).

Because the new rule requires companies to disclose features of their security programs to the public, companies that proactively identify and fix vulnerabilities will have an advantage. By giving investors information about public companies' cybersecurity risk management, the SEC aims to help them make informed decisions about where to invest their hard-earned money.

As security becomes increasingly important to corporate governance, investors can use a company's security maturity as a market differentiator. The regulators have taken a significant step towards improving cybersecurity disclosures for public companies by adopting new rules designed to give investors comprehensive, standardized information about how cybersecurity risks are managed, which strategies are implemented, which governance processes are adopted, and how incidents are reported.

The new rules were adopted in July 2023 following an extensive rule-making and public comment process that began back in January 2024. The rules represent an official recognition that cybersecurity threats are constantly present and impact investor decisions in several ways. 

It should be noted that the rules published by the US Securities and Exchange Commission apply only to companies that are SEC registrants. However, attacks on the assets of SEC-registered companies are not restricted to assets located in the US, so incidents that affect a registrant's assets in other countries are also within the scope of the rules.

The rules do not cover government bodies, companies not regulated by the SEC (i.e. private companies that are not subject to SEC reporting requirements), or other types of organizations. Various breach notification requirements apply to these categories and others, and they may be harmonized or unified with the SEC reporting requirements at some point in the future.

To comply with the new rules, registrants must report any cybersecurity incident they determine to be material under Item 1.05 of Form 8-K and describe how the incident has materially affected, or is reasonably likely to materially affect, the registrant.

Once a registrant determines that a cybersecurity incident is material, it will generally be required to file an Item 1.05 Form 8-K within four business days of that determination. The disclosure may be delayed if the United States Attorney General determines that immediate disclosure poses a substantial risk to national security or public safety and informs the Commission in writing.

The new rules also add Item 106 to Regulation S-K, which requires registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, along with the material effects, or reasonably likely material effects, of those risks and of previous incidents affecting the company.

A registrant's annual report on Form 10-K will also have to describe the board of directors' oversight of risks from cybersecurity threats, as well as management's role and expertise in assessing and managing material risks from those threats. These disclosures are required of all companies in the annual report on Form 10-K.

Under the regulations, foreign private issuers must provide comparable disclosures of material cybersecurity incidents on Form 6-K and of cyber risk management, strategy, and governance on Form 20-F. Reporting material cybersecurity events to the SEC has always been mandatory as part of the general reporting requirements; what has changed in the last few years is that the timelines and nature of the reporting have become much more specific, and there is now a ticking four-day clock on the reporting requirement.

Taking a step back from the rules themselves, it is clear that the importance of visibility and continuous monitoring cannot be overstated. Time to detection cannot run at the speed of your least experienced analyst. Platforms allow unified visibility instead of a wall of consoles.

A robust array of telemetry must be available in the internal visibility system so that breaches can be detected, stopped, and continuously monitored for. The new SEC rules make it clear that the risk of cyberattacks is a business risk for the many companies with operations outside the US, which means that visibility needs to extend beyond the US to other geographies as well.

There are many ways, including bug bounty programs, for companies to make proactive efforts to identify and mitigate security vulnerabilities, and the new rule should encourage them to invest in such measures so that vulnerabilities are identified and remedied as early as possible.

Bug bounty programs, combined with comprehensive security safeguards, have proven to be an effective means of preventing cyber incidents and demonstrating security maturity to investors. Companies that place a high priority on protecting their digital assets and sensitive data will stand out more and more as investors become more aware of cyber risks.

Estée Lauder: Cosmetic Brand Amongst the new Victims of Ransomware Attack

On Tuesday, U.S.-based cosmetic brand Estée Lauder Cos. Inc. confirmed that it had suffered a ransomware attack that compromised some of its data and led it to take down some of its systems.

The ALPHV/BlackCat ransomware gang claims to have executed the attack, listing Estée Lauder on its leak site on the dark web alongside an airline, a communications regulator, a hard drive storage provider, and others.

Also listed among the victims is the file transfer tool MOVEit, exploited in the massive Clop breach in late May. That data theft disrupted many entities that used MOVEit, and Clop claims around 378 organizations and 20 million individuals as its victims.

However, it is still not clear if Estée Lauder is one of the victims. The company has not revealed the nature or scope of the data that is compromised, but some screenshots tweeted by Emsisoft threat analyst Brett Callow of posts from Black Cat and Clop claim that the compromised data include ‘customer data.’

Another message by Clop claims that the gang extracted 131 GB of data from the beauty giant. The ransomware gang also condemns the company, stating that it “doesn't care about its customers, it ignored their security!!!”

Adding to this, the ALPHV/Black Cat screen grab has threatened to expose more data that has been compromised, stating, “Estée Lauder, under the control of a family of billionaire heirs. Oh, what these eyes have seen. We will not say much for now, except that we have not encrypted their networks. Draw your own conclusions for now. Maybe the data was worth a lot more.”

A statement from the beauty brand confirmed the attack; its disclosure with the Securities and Exchange Commission mentions an “unauthorized third party” that managed to “access to some of the company’s systems,” but it does not explain what the attackers hoped to gain or what, if anything, they demanded.

Estée Lauder added that “the incident has caused, and is expected to continue to cause, disruption to parts of the company’s business operations.” The company is now focusing on “remediation.” It has taken down at least some of its systems and is working with law enforcement to investigate the matter.

In the recent series of ransomware attacks, Estée Lauder thus joins a list of other big names that have fallen victim, including Walmart, Ikea, McDonald’s, and many others.