Welcome to HSF's February wrap-up, which features our top picks for cyber-related news in the UK, EMEA and the US.

Our short summaries and commentaries are aimed at pointing you to key developments and stories in the world of cyber, giving you the awareness and insights you need at a glance, while pointing you to longer form content if you would like to find out more. Below you will find:

  • Developments in regulatory requirements and guidance;
  • Wider cyber industry news; and
  • Particularly noteworthy (reported) cyber incidents.

New Cybersecurity Rules for Federal Contractors

Lawfare – 1 February 2024

The US body responsible for setting the rules under which the federal government contracts with the private sector, the Federal Acquisition Regulation (FAR) Council, has proposed cybersecurity incident reporting rules that would require government contractors to report a detected security incident to the Cybersecurity and Infrastructure Security Agency (CISA) within eight hours of discovery. The proposed requirements have sparked controversy, and the FAR Council is currently assessing the comments it received during the public consultation on the proposed rules.

Blackbaud has reached a settlement with the U.S. Federal Trade Commission

Blackbaud – 2 February 2024

Software provider Blackbaud has announced that it has reached a settlement with the U.S. Federal Trade Commission (FTC) in connection with its 2020 cybersecurity incident. In a statement, the FTC criticised Blackbaud on several grounds, including for retaining data that it did not reasonably need and for notifications to affected individuals that the FTC found to have contained false statements which were not corrected until much later. The FTC's enforcement action alleged that this conduct amounted to "unfair and deceptive" practices. Blackbaud's announcement, made a day after the FTC stated that it was commencing enforcement action, said that Blackbaud had "neither admitted nor denied" the FTC's allegations and that it had not been fined by the FTC.

Pensions Regulator highlights cyber security lessons of Capita breach

Corporate Adviser – 2 February 2024

The Pensions Regulator (TPR) has published a report setting out the lessons learned from Capita's cyber security incident in March 2023. Capita acted as pensions administrator for a large number of schemes. Notably, trustees are urged not to wait for investigations to conclude before contacting members if there is a reasonable chance that their data is at risk. The report sets out eight key steps trustees should take in the event of a cyber security incident, which include assessing whether there is likely to be any disruption to the payment of benefits, retirement processing and bereavement services, directing members to NCSC guidance, and warning members about pension scams.

TMHCC releases list of the 10 worst and most significant cyber incidents of 2023

Tmhcc.com – 5 February 2024

The insurer Tokio Marine HCC has released a list of what it deems to be the top 10 cyber incidents of 2023 in terms of financial impact and reputational damage. Incidents listed include the November 2023 ransomware attack on ICBC and the January 2023 ransomware attack on the UK's Royal Mail, which caused service disruption and reputational damage and came with an initial ransom demand of USD 80 million.

Concerns over the use of deepfakes and AI voice clones

Verdict – 6 February 2024

It is reported that an employee at an unnamed business in Hong Kong was misled into transferring HK$200m (around £20m) of the company's money by malicious actors posing as the company's senior executives in a deepfake video conference. The employee said that the executives on the call looked like the real people, and made a number of transfers as instructed on the call. The use of deepfakes has recently gained attention, including in the run-up to the US election in November, raising concerns that generative AI and deepfake technology will be a gift to threat actors in areas such as phishing, fraud and data theft.

Governments and Tech Giants Unite Against Commercial Spyware

Infosecurity Magazine – 7 February 2024

The UK and France have launched the Pall Mall Process, an initiative to tackle the proliferation of commercial cyber intrusion tools and services by developing better safeguards and oversight. The initiative was announced at an inaugural conference on 7 February, at which the UK Deputy Prime Minister addressed attendees from over 35 states as well as representatives of business and technology companies. The Pall Mall declaration was signed by the US, the UK, France and 22 other nations, as well as by academics and representatives of 14 business and technology companies (including Google, Microsoft, Apple and Meta).

EU adopts first cybersecurity scheme under the Cybersecurity Act

Practical Law – 8 February 2024

The European Commission has announced the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC), the first scheme adopted within the EU cybersecurity certification framework established under the Cybersecurity Act. The certification scheme applies to information and communication technology (ICT) products (e.g. laptops, TVs and the like) and seeks to introduce a unified approach to cybersecurity certification for such products across the EU.

FCC gives telecom companies 7 days to alert authorities of discovered data breaches

NextGov – 9 February 2024

The US Federal Communications Commission (FCC) has published a rule that requires telecommunications providers to notify the FCC, the FBI and the US Secret Service of a data breach within seven days, and to inform affected customers without unreasonable delay and in any event within 30 days. The new rules expand the categories of data whose exposure amounts to a notifiable breach to include personally identifiable information (PII), a move designed to harmonise the rules imposed on telecoms providers with newer federal and state data breach laws. Previously, telecoms providers only had to notify customers if customer proprietary network information (CPNI), broadly the data a carrier holds about a customer's subscription and usage, was exposed. The new rules sit alongside wider measures introduced to mitigate the risk that foreign adversaries use US telecommunications networks or consumer devices to obtain sensitive information, for example changes to equipment rules that could either restrict the availability of commonly used products or require companies to identify new suppliers, potentially at short notice.

Southern Water says hackers stole personal data of hundreds of thousands of customers

Tech Crunch – 14 February 2024

Southern Water has confirmed that it fell victim to a cyber attack affecting "5 to 10 percent" of its customer base, indicating that between 235,000 and 470,000 customers had data stolen. Although Southern Water has not published details of the types of data affected, reports suggest that customers' dates of birth, National Insurance numbers, bank account details and reference numbers have been compromised. The ransomware group Black Basta claimed responsibility for the attack.

International law enforcement takes down LockBit ransomware gang

Computer Weekly – 19 February 2024

The UK's National Crime Agency (NCA) has announced that it conducted a significant international operation against the LockBit ransomware group, which was behind some of the most significant cyber incidents of recent years, for example the January 2023 attack on Royal Mail. In the operation, dubbed Operation Cronos, the NCA worked with the FBI, agencies from Australia, Canada and Japan, and Europol to track down the group. LockBit is said to have had a 25% share of the ransomware market, with its nearest rival BlackCat standing at 8.5%, which underlines the significance of Operation Cronos. A notice posted on LockBit's dark web leak site stated that the site was under the control of the NCA. LockBit quickly set up a new site, but reports vary as to whether it has in fact been able to restore its infrastructure or regain access to the data it had stolen from victims.

Cybersecurity for satellites is a growing challenge, as threats to space-based infrastructure grow

The Conversation – 20 February 2024

Recent concerns from the White House about Russia's suspected development of anti-satellite systems have put the spotlight on possible cyber vulnerabilities in space-based infrastructure. Satellites rely on wireless communications that expose them to signal jamming, spoofing and interception of data. Whilst AI-driven security protocols and quantum encryption may offer greater resistance to cyber attacks in the future, satellite operators face a number of unique challenges, including the limited data sets available for training such AI models. The 2022 attack on Viasat's KA-SAT network highlights the need for continued discussion to ensure the cyber resilience of space-based infrastructure.

Biden to Sign Executive Order Raising Maritime Cybersecurity

InfoRisk today – 21 February 2024

The White House has announced a new executive order to bolster the cybersecurity of U.S. ports. The order seeks to introduce cybersecurity standards (including cyber incident notification requirements) and to give the Coast Guard enhanced powers to inspect vessels that present a known or suspected cyber threat to U.S. maritime infrastructure. Ports and maritime infrastructure have increasingly fallen victim to cyber attacks; the Australian operations of port operator DP World were recently targeted, leading to the loss of employee data.

NCSC to Offer Cyber Governance Guidance to Boards

Infosecurity Magazine – 26 February 2024

The National Cyber Security Centre (NCSC) has published an interactive online training pack for boards that will be rolled out over the coming year. The training pack seeks to help boards improve their understanding of cyber security governance and complements the proposed Cyber Governance Code of Practice from the Department for Science, Innovation and Technology (DSIT). The call for views on the Code of Practice is open until 19 March. Boards are also encouraged to consult the wealth of open-source information on evolving threat landscape trends, and to talk to their peers, partners and competitors to stay informed.

NIST Cybersecurity Framework 2.0 Officially Released

Security Week – 27 February 2024

The National Institute of Standards and Technology (NIST) has published version 2.0 of its Cybersecurity Framework (CSF). The updated version addresses a wider audience: whereas the original framework was aimed primarily at critical infrastructure operators, CSF 2.0 is intended for any organisation, irrespective of sector, size or degree of cybersecurity sophistication. A new governance function places greater emphasis on senior management's oversight of cybersecurity measures, and enhanced guidance on supply chain risk recommends incorporating cybersecurity requirements into contracts. NIST has also released a range of resources to make the CSF more accessible, for example a reference tool that allows users to search and export the framework's content. As the NIST CSF is one of the most widely adopted cybersecurity frameworks, organisations should take note of the update, particularly its emphasis on board accountability, which is in line with the recent focus of regulators and industry.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.