Contents


    Executive Summary

    Cyber security (also known as information technology security) focuses on protecting computers, networks, programs, and data from unintended or unauthorized access, changes, or destruction. Liability issues can apply to websites or services that store private information. Causes of action can include negligence, violation of federal laws, breach of contract, and property damage. Most commercial general liability and property insurance policies exclude cyber coverage from their terms, leading to the emergence of cyber security insurance as a “stand alone” line of coverage. Cyber-attacks and digital spying are considered a top threat to national security, and cyber security is a rapidly growing market due to the potential implications a breach in security could have.

    Background

    Governments, military, corporations, financial institutions, hospitals, businesses, and individuals collect and store a great deal of private information on computers. Researchers estimate that there will be about 7.5 billion internet users by 2030 (i.e. roughly 90% of the projected world population of 8.5 billion). All of these internet users amass data, which can be transmitted across networks to other computers, but must be done securely in order to prevent data breaches.

    In the recent past, high profile data breaches resulted in a larger focus on cybersecurity policies. In 2013, Yahoo experienced a security breach, resulting in the release of personal information of 3 billion users, including birthdates, passwords, phone numbers, and security questions. However, Yahoo did not report this breach by hackers until three years later. As of 2023, the Yahoo data breach is still the largest data breach in history.

    In 2018, the Equifax Credit Bureau experienced a data breach that compromised the credit card information of approximately 143 million users. The Equifax breach was the largest credit card attack in history. With the growing volume and sophistication of cyberattacks, ongoing attention is required to protect sensitive business and personal information, as well as safeguard national security.

    In 2017, the WannaCry ransomware attack gained notoriety as one of the most extensive ransomware incidents ever. . The WannaCry ransomware infected roughly 200,000 computers in over 150 countries, including the UK’s National Health Service. WannaCry originated from a leaked version of tools used by the U.S. National Security Agency. Although Microsoft had issued an update to fix the entire WannaCry database, many organizations and individuals did not update their systems. The attack spread to multiple countries before finally being stopped when a 22-year-old security researcher in the UK discovered a “kill switch” in the program by accident. At the end of 2017 the United States and the United Kingdom blamed the North Korean government for the cyberattack. The attack had a significant impact on a numerous industries and cost nearly $4 billion to resolve.

    Cyber terrorism, data breaches, and ransomware are considered the biggest cyber security threats. Cyber terrorism is of particular concern because the politically motivated use of computers and information technology can cause severe disruption or widespread fear in society. Security experts highlight that cyber terrorism attacks can cripple the military, financial, and service sectors of advanced economies. Cybersecurity Ventures predicted that by 2025, cyberattacks will cost society $10.5 trillion every year.

    Injuries and Damages

    The lack of cyber security can cause serious damage to governmental or private entities. As such, injuries encompass a wide range of issues and awarded damages can be in the millions.

    Injuries can include:

    • Breach of contract
    • Property damage, including loss of intellectual property
    • Loss of personal data
    • Loss of financial data

    Causes of action can include:

    • Negligence
    • Violation of state and federal laws
    • Willful misconduct
    • Breach of fiduciary duty
    • False advertising

    Legislation and Regulation

    As of 2023, the US still lacks a principal federal law regulating cybersecurity and privacy. Last year, the American Data Privacy and Protection Act was expected to be the first federal privacy law passed in the United States. However, it died in Congress when California Democrats voiced concern that the bill would remove the strong protections the state has had since 2018. The bill has since become the template for a state-by-state approach to establishing restrictions on how American’s personal data can be mined and shared. According to the National Conference of State Legislatures, 40 states as well as D.C. and Puerto Rico have passed or are considering bills dealing with cybersecurity. Most of these bills address the following:

    • Requiring government agencies to implement response and preparedness procedures
    • Increasing consequences of computer crimes
    • Regulating cybersecurity insurance
    • Creating cybersecurity task forces
    • Implementing cybersecurity education programs
    • Mandating security practices related to elections
    • Providing funding for cybersecurity programs and practices in states agencies, local governments and schools

    Cybersecurity is a top concern for the current administration. In January 2021, a new agency called the Office of the National Cyber Director (ONCD) was established by Congress. ONCD is situated within the Executive Office of the President and is charged with developing “programs and policies intended to improve the cybersecurity posture of the United States,…”. ONCD was instrumental in the development of the recently released National Cybersecurity Strategy, issued by President Biden in March 2023. The strategy provides guidelines for how US companies should allocate roles, responsibilities, and resources related to cybersecurity. Additionally, in 2022, the Treasury Department’s Federal Insurance Office (FIO) solicited public comments on a potential Federal insurance response to catastrophic cyber incidents. After reviewing comments, FIO is continuing to work with stakeholders to assess the need for a potential Federal cyber backstop. 

    Federal Trade Commission Act (FTCA)

    The primary law governing cybersecurity in the US is the Federal Trade Commission Act (FTCA), specifically § 5(a). This law prohibits deceptive acts and practices in business, including those related to data security. The FTC has brought numerous enforcement actions against companies believed to have failed to implement reasonable security measures. The FTC also enforces the Gramm-Leach-Bliley Act (GLB), which requires companies to protect the customer data they collect.

    Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)

    In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). CIRCIA requires “the Cybersecurity and Infrastructure Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments.” Such reports are intended to allow CISA to efficiently deploy resources and provide assistance to attack victims. 

    Cybersecurity Information Sharing Act of 2015 (CISA)

    The Cybersecurity Information Sharing Act of 2015 (CISA) provides the tools necessary to strengthen the United States’ cyber security, particularly by making it easier for private companies to share cyber threat information with each other and with the government. Key observations about the act are listed below:

    • “Liability protections require sharing ‘in accordance’ with CISA [CISA provides private entities safe harbors from civil liability for certain information sharing activities, but to qualify for them, sharing must be ‘conducted in accordance’ with CISA’s provisions.]
    • Broad safe harbors from liability [Once triggered, CISA’s safe harbors from liability generally shield private entities sharing information from civil, regulatory, and anti-trust liability based on their sharing…CISA does not expressly exclude from its liability protections instances of either gross negligence or willful misconduct.]
    • Communications with regulatory authorities permitted [Though the availability of liability protection turns on using the DHS process, regulated entities can continue to communicate cybersecurity threats directly to their respective federal regulatory authorities without forfeiting CISA’s liability protection.]
    • These measures are intended to increase company accountability and communication of possible cyber threats to government authorities.

    Liability and Insurance

    Most commercial general liability and property insurance policies exclude cyber coverage from their terms, leading to the emergence of cyber security insurance as a “stand alone” line of coverage. In the event that business data is destroyed, stolen, hacked, extorted, or compromised, cyber security insurance helps companies heal from the attack.

    First-party cybersecurity insurance policies (also called cyber liability coverage) covers a company’s own damages from covered cyber losses and can help reduce the financial impact associated with a cybersecurity event by providing coverage for things such as business interruption, cyber extortion, consumer notification, credit monitoring and/or anti-fraud protection, and forensic investigations. Third-party cybersecurity insurance is more robust as it provides liability coverage for a business that is responsible for a client’s systems or networks. These policies may handle legal fees, settlement costs and other expenses related to cyber lawsuits.

    There are some situations that cyber insurance policies do not cover, such as:
    • Infrastructure exclusions (utility failure not directly controlled by the insured)
    • Nation-state attacks (an attack declared an act of war or claimed to have been conducted by a nation-state)
    • Voluntary shutdown coverage limitations
    • Computer operation limitations
    • System failure limitations

    Policies often do not cover potential long-term consequences, such as loss of customers, potential future lost profits, or loss of value due to theft of intellectual property. Even fewer policies provide coverage for a growing area of concern: the physical damage and bodily harm that could result from a successful cyber-attack.

    Many insurers have set coverage limits below the levels sought by their clients – the maximum is $500 million, though large companies have difficulty securing policies covering more than $300 million. 


    COVID-19

    Cyber insurance generally covers business liability for data breaches involving sensitive customer information and other risks relating to information technology infrastructure and activities. As more than a billion people across the world were forced to stay home, cyber criminals have become more active, exploiting the vulnerabilities of people working from home and attacking medical facilities. The FBI has reported that COVID-19 has spurred an increase in Zoom and other Video-Conferencing platforms being hijacked by disruptive hackers.

    In addition, as more employees have been asked to work remotely, cyber liability insurance claims may depend on the distinction between hardware owned by the insured company and the hardware owned and operated on by its employees. Cyber policies may exclude coverage for computer hardware not owned by the insured company. This may present risks to employers who ask employees to conduct company business from home on private and personal computers.

    Further, the increased use of personal equipment introduces new cybersecurity challenges that were nonexistent when cybersecurity insurance contracts were signed. As a result, cyber insurers are now requesting more details from insureds about cyberattack prevention and recovery policies. If companies do not provide this information, or do not adapt security policies in consideration with the security risks of working at home, there may be grounds for insurers to deny coverage.

    Litigation

    There are several examples of high profile cyber security violations, but little precedent for cyberattack mitigation based on cyber insurance policies.

    NotPetya

    In a consequential case involving pharmaceutical giant Merck and a group of insurers, a New Jersey appellate court recently upheld a prior ruling agreeing that the insurers could not use the war exclusion to deny coverage for losses stemming from the notorious 2017 NotPetya cyberattack. The Superior Court of New Jersey previously granted Merck a $1.4 billion payout after the company sued its insurers who had denied coverage for the attack. On appeal, eight insurers disputed nearly $700 million in coverage. Tens of thousands of computers in Merck’s global network were infected as a result of the attack leading to significant business interruption. The U.S. government eventually attributed the attack to Russia’s military intelligence operations and six Russian officers were charged in connection with the event. Accordingly, Merck’s insurers refused to cover the losses invoking the “hostile/warlike action” exclusion. But the judges rejected this contention saying the insurance companies “stretched the meaning of ‘hostile’ to its outer limit”, and further explained that the NotPetya attack “is not sufficiently linked to a military action or objective as it was a non-military cyberattack again an accounting software provider.” Recently, the New Jersey Supreme Court has agreed to review the case. 

    Twitter

    From June 2021 to January 2022, cybercriminals exploited a flaw in Twitter’s application programming interface (API) and stole the email addresses, usernames, passwords, and phone numbers tied to 235 million Twitter accounts. Following the breach, a class action lawsuit was filed in the US District Court for the Northern District of California. Plaintiffs allege the company neglected to adequately protect users’ personal identifiable information and failed to notify or contact users who were affected by the breach. The suit asserts claims for negligence, breach of contract, and violations of California’s Unfair Competition Law. 

    Uber

    In 2017, the Uber data breach saw hackers steal the names, email addresses and phone numbers of 57 million customers, and the license numbers of 600,000 of their drivers. But the company did not disclose the breach for over a year and chose to instead pay the hackers $100,000 to delete the data. Uber faced three separate class action lawsuits from consumers claiming the company was negligent in their failure to protect consumer data and in alerting customers of the breach. The attorneys general of New York, Missouri, Illinois, Massachusetts and Connecticut filed suit. This was not the first data breach Uber suffered. In 2014 a separate breach exposed the names and license identification numbers of 50,000 drivers. Uber avoided litigation over the 2014 breach after a judge dismissed a class action lawsuit brought by consumers in California.

    Yahoo

    The 2013 breach of Yahoo affected all 3 billion of its users, the breach was not revealed until Verizon attempted to purchase Yahoo in 2016. Upon this revelation the purchasing price for Yahoo dropped to $4.5 billion. In 2016 a judge in California allowed a lawsuit to go forward that alleged Yahoo was too slow in alerting customers to the exposure of their data. This was followed in 2018 by a $35 million fine from the SEC for failing to disclose the breach to investors, and another fine by the UK’s Information Commissioner’s Office for around $334,000. These fines and lawsuits have continued despite Yahoo only existing as a shell company holding onto Yahoo’s remaining assets.

    The results of the Yahoo settlement caused more data breach lawsuits against employers and companies. However, there is not substantial federal case law regarding cybersecurity insurance policies. In June 2021, the Supreme Court rendered a decision in one of its first cybersecurity cases, Van Buren v. United States. The central issue in the case was "whether a person authorized to access information on a computer for certain purposes violates the Computer Fraud and Abuse Act (CFAA) if he accesses the same information for an improper purpose.” The Court ultimately ruled in favor of Van Buren, holding that he did not violate the CFAA because he had authorized access to the database, even if he used the information for an improper purpose. The ruling provided clarification regarding the scope and interpretation of the CFAA.

    Future Outlook

    According to Statista Research Department, the global cybersecurity market is estimated to reach roughly $370 billion (USD) by 2026. As the cyber security market rapidly increases, the demand for cyber insurance is also experiencing rapid growth with direct written premiums for stand-alone cyber policies reaching $7.2 billion in 2022 according to AM Best. Already, 87% of businesses see cyberattack risks as one of the biggest threats in the near future. A strong cyber security insurance market could help reduce the number of successful cyber-attacks by promoting the adoption of preventative measures in return for more coverage.

    Currently, cybersecurity insurance only covers a small percent of losses that businesses incur after a cyberattack. Companies are advised to evaluate their cyber insurance policies and monitor the growth of the industry during the next few years. Particular areas of growth include cloud security, mobile security, and threat intelligence.

    In the News

    2024

    • Chinese hacking is biggest state cyber threat to Canada, spy agency says - Reuters (10/30/2024)
      An aggressive Chinese hacking campaign is the most active state cyber threat to Canada, the country's signals intelligence agency said on Wednesday, in the latest warning about clandestine activity by Beijing. In a new threat assessment, the Communications Security Establishment Canada also said Russia's cyber program was trying to confront and destabilize Canada and its allies and cited Iran as a threat.
    • Poor vulnerability management could indicate larger cyber governance issues, S&P says - David Jones, Cybersecurity Dive (10/29/2024)
      Poor management of software vulnerabilities at a company can be an indicator of overall poor cybersecurity governance practices, S&P Global Ratings said in a report released Monday. Companies that fail to identify and remediate vulnerabilities could be held accountable when they are assessed for their overall level of risk management and internal controls, according to S&P.
    • Gallagher Re study links cybersecurity gaps to higher insurance claims - Kenneth Araullo, Insurance Business Mag (10/23/2024)
      A recent study by Gallagher Re evaluated cybersecurity performance data from Bitsight, which covered 62,000 organizations across 67 countries, alongside Gallagher Re's own data on cybersecurity incidents and claims. The findings indicated that poor performance in key cybersecurity areas increases the likelihood of a cyber incident and subsequent insurance claim, while stronger performance correlates with reduced risk.
    • China hacked major U.S. telecom firms in apparent counterspy operation - Ellen Nakashima, The Washington Post (10/06/2024)
      Chinese hackers have breached at least three major U.S. telecommunications providers in what appears to be an audacious espionage operation likely aimed in part at discovering the Chinese targets of American surveillance, according to U.S. officials. 
    • The US and Microsoft disrupt a Russian hacking group targeting American officials and nonprofits - David Klepper, The Associated Press (10/03/2024)
      A hacking group tied to Russian intelligence tried to worm its way into the systems of dozens of Western think tanks, journalists and former military and intelligence officials, Microsoft and U.S. authorities said Thursday. The group, known as Star Blizzard to cyberespionage experts, targeted its victims with emails that appeared to come from a trusted source — a tactic known as spear phishing. In fact, the emails sought access to the victims’ internal systems, as a way to steal information and disrupt their activities.
    • Justice Department disrupts vast Chinese hacking operation that infected consumer devices - Eric Tucker, The Associated Press (09/18/2024)
      The FBI has disrupted a group of hackers working at the direction of the Chinese government who targeted universities, government agencies and other organizations, Director Chris Wray said Wednesday. The hacking campaign known as Flax Typhoon installed malicious software on more than 200,000 consumer devices, including cameras, video recorders and home and office routers, to create a massive botnet — a network of infected computers. The botnet was used to facilitate cyber crimes, such as the theft of sensitive information from victims’ networks.
    • Microsoft, working with security partners, pledges better deployment, testing collaboration - David Jones, Cybersecurity Dive (09/13/2024)
      Microsoft plans to boost collaboration on deployment practices, testing and other related issues with its security ecosystem partners following the historic July outage that crashed 8.5 million Windows devices, the company said in a Thursday blog post. The plan follows a summit the company held Tuesday with U.S. and European endpoint security partners and government officials to address ways to prevent another widespread outage, which was the result of a faulty software update on the CrowdStrike Falcon platform.
    • Key cyber insurance stakeholders urge government to help close $900B in uncovered risk - David Jones, Cybersecurity Dive (09/06/2024)
      Marsh McLennan and Zurich Insurance Group on Thursday issued a call for government intervention to help resolve the growing risk of catastrophic cyber events and a multibillion dollar gap in terms of what the current insurance market can absorb. The cyber insurance market has seen significant growth in recent years, and is expected to exceed $28 billion in gross written premiums in 2027, more than double the amount written in 2023, according to a whitepaper released by the firms Thursday.
    • Iran-linked actors ramping up cyberattacks on US critical infrastructure - David Jones, Cybersecurity Dive (09/03/2024)
      Critical infrastructure providers and other organizations in the U.S. are facing a heightened risk of malicious cyberattacks from Iran-linked actors, according to threat researchers and U.S. officials. The FBI and Cybersecurity and Infrastructure Security Agency last week issued a joint warning with the Department of Defense Cyber Crime Center about Iran collaborating with criminal ransomware groups to attack key industries in the U.S. and other foreign countries.
    • CISA launches cyber incident reporting portal to streamline breach disclosure - David Jones, Cybersecurity Dive (08/30/2024)
      The Cybersecurity and Infrastructure Security Agency introduced an online portal Thursday for organizations to voluntarily report malicious cyberattacks, vulnerabilities and data breaches. The CISA services portal is a secure platform that provides enhanced functionality and collaboration features, including the ability to save and update incident reports, share submitted reports with colleagues or clients and search for reports. Users can also have informal discussions with CISA through the portal.
    • Chinese government hackers penetrate U.S. internet providers to spy - Joseph Menn, The Washington Post (08/27/2024)
      Chinese government-backed hackers have penetrated deep into U.S. internet service providers in recent months to spy on their users, according to people familiar with the ongoing American response and private security researchers.
    • Halliburton responding to suspected cyber incident, some systems impacted - David Jones, Cybersecurity Dive (08/22/2024)
      Halliburton is responding to a cyber incident that has reportedly disrupted operations at the Houston company. Halliburton is one of the largest diversified energy services companies in the world, with more than 48,000 employees and annual revenue of $23 billion. “We are aware of an issue affecting certain company systems and are working diligently to assess the cause and potential impact,” a Halliburton spokesperson said Thursday via email.
    • Threat actors leverage cybersecurity gaps from M&A – new report - Grant Funtila, Insurance Business (08/14/2024)
      Threat actors have evolved their tactics in 2024 to exploit business and technology consolidation. According to Resilience's mid-year 2024 cyber risk report, the surge in mergers and acquisitions (M&A) and the increasing reliance on major software vendors has provided new opportunities for threat actors.
    • Iran uses fake news sites to interfere in U.S. election, Microsoft says - Joseph Menn, The Washington Post (08/09/2024)
      Iran has stepped up its efforts to interfere in the November election and amp up American polarization, including through hacking attempts and fake news sites aimed at the far left and far right, Microsoft researchers said Friday in a report.
    • SolarWinds legal ruling expected to narrow, but maintain SEC oversight on cyber transparency - David Jones, Cybersecurity Dive (07/29/2024)
      The ruling by a federal court judge to dismiss most of the civil fraud charges against SolarWinds could significantly impact how the Securities and Exchange Commission moves forward in regulating cyber risk disclosure.
    • Parametrix estimates CrowdStrike insured losses at between $540m and $1.08bn - Steve Evans, Artemis (07/24/2024)
      Parametrix, a specialist in parametric cloud downtime cyber insurance and reinsurance protection, has issued an estimate for the insurance industry loss caused by the CrowdStrike linked global IT outage, saying it anticipates insured losses falling in a range of $540 million to $1.08 billion.
    • CrowdStrike 'most important cyber accumulation event' since 'Notpetya': Aon - Jairo Ibarra, Insurance Insider (07/22/2024)
      The overall loss quantum of the CrowdStrike outage is currently uncertain and will depend on the prevalence of coverage for system failure and its duration, Aon reported.
    • Small businesses grapple with global tech outages created by CrowdStrike - Anne D'Innocenzio and Haleluya Hadero, The Associated Press (07/21/2024)
      An owner of a consumer insights research firm couldn’t pay her employees, make Friday’s deadline to sign a contract for a new business or send key research to a key client. A psychiatrist, who runs a virtual mental health practice in Maryland, saw his business hobbled as some of his virtual assistants and therapists couldn’t either make phone calls or log on to their computers. And a restaurant owner in New York City was worried about how he was going to pay his vendors and his workers.
    • Insurance groups ask CISA to consider exemption from upcoming mandatory incident reporting regime - Jacob Livesay, Inside Cybersecurity (07/12/2024)
      The Cybersecurity and Infrastructure Security Agency should exclude the insurance industry from its definition for a “covered entity” that will be required to report cyber incidents under the agency’s upcoming regime, according to a coalition of groups representing the insurance sector.
    • How did the auto dealer outage end? CDK almost certainly paid a $25 million ransom - Sean Lyngaas, CNN Business (07/11/2024)
      CDK Global, a software firm serving car dealerships across the US that was roiled by a cyberattack last month, appears to have paid a $25 million ransom to the hackers, multiple sources familiar with the matter told CNN.
    • Cyber's Sleeper Threat: Business Email Compromise - Guy Carpenter (07/09/2024)
      This report is the result of joint research between Guy Carpenter’s Cyber Center of Excellence and Marsh McLennan’s Cyber Risk Intelligence Center. It discusses the threats of business email compromise (BEC), how different types of businesses could be affected, and methods companies can adopt to mitigate the risk of this type of event.
    • Healthcare groups say cyber rule should explicitly name insurers, vendors - Emily Olsen, Healthcare Dive (07/08/2024)
      Healthcare and hospital groups say a federal cybersecurity reporting proposal should explicitly include insurers and third-party vendors, citing the impact of the major cyberattack against medical claims clearinghouse Change Healthcare.
    • Hackers broke into ChatGPT creator OpenAI, report claims - Andrew Griffin, The Independent (07/06/2024)
      A hacker broke into ChatGPT creator OpenAI’s systems, according to a new report. The cyber attackers were able to see internal chats and may have stolen details about the design of its artificial intelligence products, the report claimed.
    • Cybercrime groups restructuring after major takedowns: experts - Kilian Fichou, AFP (07/06/2024)
      Cybercrime gangs are looking to rebuild with new tactics after global police operations this year made a huge dent in their activities, experts have told AFP.
    • Markets/Coverages: Resilience Doubles Cyber Limits to $20M - Insurance Journal (07/01/2024)
      Resilience said it doubled the cyber insurance limits it can offer to clients in the U.S. to $20 million per client. This announcement follows the launch of new features and capabilities that enable enterprises to continuously manage the mitigation and transfer of cyber risk. The agreement to expand Resilience’s limit capability was brokered by Lockton Re and utilizes Resilience’s existing coverholder partnership with Lloyd’s.
    • Despite Declining Rates, Cyber Insurance Market Poised for Growth, Innovation - Risk & Insurance (07/01/2024)
      Cyber insurance rates are 15% lower in 2024 than the market’s peak in mid-2022, Howden reported. Rate competition is highest in remote risk layers, according to the report, which also noted that capacity is up and insurers are willing to increase limits, remove coverage restrictions and lower-retention levels.
    • 76% of companies enhance cyber defences to secure insurance: Sophos - Beth Musselwhite, Reinsurance News (07/01/2024)
      Sophos, a provider of cybersecurity solutions, released findings from its recent survey, showing that 76% of companies enhanced their cyber defences to qualify for cyber insurance. The report found that 97% of companies with a cyber insurance policy invested in improving their defences to help with insurance. Among these, 67% secured better pricing and 30% obtained improved policy terms.
    • US House Subcommittee examines critical infrastructure vulnerabilities, role of cyber insurance in resilience efforts - Industrial Cyber (06/28/2024)
      The U.S. House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection convened a hearing to examine the vulnerabilities of the U.S. critical infrastructure. The hearing also focused on the role of cyber insurance in planning, response, and recovery efforts to ensure critical infrastructure resilience.
    • New malware threats are rising faster than ever — and all kinds of businesses are at risk - Sead Fadilpašić, Tech Radar (06/26/2024)
      New malware threats are rising faster than ever, and all kinds of businesses are at risk, a new report from BlackBerry has claimed. Based on the company’s initial telemetry for the first quarter of 2024, attacks based on new malware variants rose by 40% per minute.
    • Cyber Insurance Market ‘Stable’ With Potential for Growth, Says AM Best - Chad Hemenway, Insurance Journal (06/24/2024)
      According to industry rating agency AM Best, there are enough positive factors to give the cyber insurance market a ‘stable’ outlook despite a stall in premium growth. Analysts at AM Best issued a segment outlook and report Monday, and said the cyber market in 2023 was essentially flat following a tripling of the market’s premium growth from 2019-2022.
    • UN chief warns of perils of ‘weaponizing digital technologies’ and malicious activity in cyberspace - Edith M. Lederer, The Associated Press (06/20/2024)
      The United Nations chief warned Thursday that “the perils of weaponizing digital technologies are growing by the year” and malicious activity in cyberspace is on the rise by governments, non-government actors and criminals.
    • Biden bans US sales of Kaspersky software over Russia ties - Alexandra Alper, Reuters (06/20/2024)
      The Biden administration on Thursday announced plans to bar the sale of antivirus software made by Russia's Kaspersky Lab in the United States, with Commerce Secretary Gina Raimondo saying that Russia's influence over the company poses a significant security risk.
    • EU cybersecurity label should not discriminate against Big Tech, European groups say - Foo Yun Chee, Reuters (06/17/2024)
      A proposed cybersecurity certification scheme (EUCS) for cloud services should not discriminate against Amazon, Alphabet's Google and Microsoft, 26 industry groups across Europe warned on Monday. The European Commission, EU cybersecurity agency ENISA and EU countries will meet on Tuesday to discuss the scheme which has undergone several changes since ENISA unveiled a draft in 2020.
    • Cyber risk viewed as top concern by mid-market leaders: Marsh McLennan Agency - Beth Musselwhite, Reinsurance News (06/05/2024)
      Mid-market business leaders in the US view cyber, economic, and regulatory risks as the biggest threats to their operations in 2024, according to a new report by Marsh McLennan Agency. The report reveals that 75% of businesses are highly concerned about cybersecurity and data privacy risks, partly due to their increasing reliance on third-party data management vendors.
    • HHS says providers can tap Change to issue data breach notifications after cyberattack - Emily Olsen, Healthcare Dive (06/03/2024)
      The HHS said Change Healthcare can notify consumers whose health data may have been exposed after a major cyberattack on the UnitedHealth-owned technology firm earlier this year. The update, posted Friday by the HHS’ Office for Civil Rights, is a win for provider groups, who have urged the HHS to clarify who would be responsible for handling data breach reporting and notification requirements after the attack.
    • Ticketmaster, Live Nation sued: Millions of customers' personal data listed on black market, suit claims - Saleen Martin, USA Today (06/03/2024)
      A lawsuit was filed last week against Live Nation and Ticketmaster accusing the companies of negligence and allowing a third party company to gain access to private information belonging to 560 million customers. The information was then listed for sale for $500,000 on the dark web, the lawsuit alleges.
    • SEC fines NYSE’s parent $10M for failing to report cyberattack - Maura Webber Sadovi, Cybersecurity Dive (05/24/2024)
      The Intercontinental Exchange agreed to pay a $10 million fine to settle charges that it caused nine wholly-owned subsidiaries — including the New York Stock Exchange which it owns — to violate a rule which required them to notify the Securities and Exchange Commission of a “cyber intrusion” within 24 hours unless it was immediately determined that the act would have no or a “de minimis” impact on operations or market participants, the SEC announced Wednesday.
    • S&P: 2023 Marked Stall of Rapid Growth in US Cyber Insurance - Chad Hemenway, Insurance Journal (05/22/2024)
      S&P Global Market Intelligence weighed in on the U.S. cyber insurance marketplace, reporting that premium dipped in 2023 to end several years of rapid growth. The overall 0.7% decline in cyber insurance direct written premiums was driven by a 3.2% drop in standalone business to about $4.9 billion. Package cyber grew by 5.1%, S&P said in a new report.
    • Cybersecurity labeling for smart devices aims to help people choose items less likely to be hacked - The Associated Press (05/22/2024)
      Under the new U.S. Cyber Trust Mark Initiative, manufacturers can affix the label on their products if they meet federal cybersecurity standards. The types of devices eligible for labels include baby monitors, home security cameras, fitness trackers, refrigerators and other internet-connected appliances.
    • Providers urge HHS to clarify Change data breach reporting requirements - Emily Olsen, Healthcare Dive (05/21/2024)
      Providers are still looking for clarification on whether they’ll have to report or notify patients about data breaches stemming from the cyberattack against Change Healthcare earlier this year. In a letter sent to HHS Secretary Xavier Becerra Monday, more than 50 organizations — including the American Medical Association, the College of Healthcare Information Management Executives and the American Health Information Management Association— urged the federal government to publicly confirm that Change could manage data breach reporting and notification requirements, since the technology firm and major claims processor experienced the breach.
    • HHS Agency Launches Program to Improve Cyber Resiliency in Hospitals - Steve Alder, The HIPAA Journal (05/21/2024)
      A Department of Health and Human Services (HHS) agency, The Advanced Research Projects Agency for Health (ARPA-H), has established a new cybersecurity program that seeks to enhance and automate cybersecurity at U.S. hospitals to ensure the continuity of patient care. The UPGRADE Program aims to enhance and automate cybersecurity through the development of software tools that can be used to scan hospital environments for vulnerabilities that could potentially be exploited by hackers, and quickly develop and deploy mitigations to prevent the vulnerabilities from being exploited.
    • House panel advances resolution to roll back controversial SEC cyber disclosure rule - Sara Friedman, Inside Cybersecurity (05/20/2024)
      The House Financial Services Committee has approved along party lines a resolution from Rep. Andrew Garbarino (R-NY) to roll back a controversial Securities and Exchange Commission rulemaking that went into effect in December to require publicly traded companies to disclose cyber incidents.
    • US says cyberattacks against water supplies are rising, and utilities need to do more to stop them - Michael Phillis and Matthew Daly, The Associated Press (05/20/2024)
      Cyberattacks against water utilities across the country are becoming more frequent and more severe, the Environmental Protection Agency warned Monday as it issued an enforcement alert urging water systems to take immediate actions to protect the nation’s drinking water.
    • Firms must do more to combat threat of cyber attacks, data regulator warns - Martyn Landi, The Independent (05/10/2024)
      Organisations need to do more to boost their cybersecurity and protect the personal information they hold in the face of the growing threat of cyber attacks, the data protection regulator has said. The Information Commissioner’s Office (ICO) said its own data shows more firms than ever are experiencing cybersecurity breaches and it has published advice around common security mistakes.
    • White House to push cybersecurity standards on hospitals after Change Healthcare breach - Katrina Manson and Jake Bleiberg, Bloomberg News (05/09/2024)
      The Biden administration intends to require hospitals to meet minimum cybersecurity standards after a single hack exposed the data of 100 million Americans, according to a senior U.S. cybersecurity official. “We look to putting in place minimum cybersecurity standards for hospitals in the near term,” Anne Neuberger, deputy national security adviser for cyber and emerging technology, said in an interview at the Bloomberg Tech Summit in San Francisco on Thursday. Neuberger didn’t spell out the time line in which the administration plans to push out the rule.
    • Ascension — which has 14 hospitals in Illinois — postponing some elective surgeries, appointments after ‘cybersecurity incident’ - Lisa Schencker, Chicago Tribune (05/09/2024)
      Ascension is postponing some non-emergency elective surgeries, tests and appointments after a cyber security event at the health system, which has about 150 sites of care in Illinois, including 14 hospitals. Ascension’s Illinois hospitals were still providing all patient care services as of Thursday afternoon, though some medical procedures have had to be rescheduled and there have been several IT service interruptions, said Ascension Illinois spokeswoman Olga Solares, in an email.
    • Germany and allies accuse Russia of sweeping cyberattacks - Friederike Heine and Jan Lopatka, Reuters (05/03/2024)
      Germany accused Russia on Friday of launching cyberattacks on its defence and aerospace firms and ruling party, as well as targets in other countries, and warned there would be unspecified consequences. Russia's embassy in Berlin dismissed the accusations - that were echoed by the Czech Republic, the NATO defence alliance and the U.S. State Department - calling them "another unfriendly step aimed at inciting anti-Russian sentiments in Germany".
    • Lockton Re investigates resilience against hypothetical cyber threat - Mike Pangilinan, Insurance Business (04/24/2024)
      Lockton Re has released a report delving into the potential ramifications of a major cyber catastrophe. The report, called A Kaleidoscope of Possibilities: Preparing for Ivan Wiper, introduces a hypothetical scenario involving a “hypothetical self-propagating destructive malware” to assess the insurance industry’s readiness for such an event.
    • Why Lloyd's can't call victory too early - Mia Wallace, Insurance Business (04/22/2024)
      “The nat-cat models are more advanced than the cyber models, so there’s a bigger degree of uncertainty in the cyber market,” she said. “But when you put that into context, those sorts of data points give me way more comfort in the growth potential of cyber and our ability to allow cyber to continue to grow. “… If I went back 10 or so years ago, it probably wasn’t a massively complicated class. It is now one of the most complex classes to analyse. So, the focus that we have now is much more on capabilities and moving away from rules-based to capabilities-based."
    • U.S. Cyber Insurance Maintains Strong Profits; Premium Growth Slows - Fitch Ratings (04/16/2024)
      The U.S. cyber insurance line generated strong direct underwriting profits for the second straight year in 2023, but written premium volume has stalled amid renewed pricing pressure, Fitch Ratings says. A first look at data compiled from cyber insurance supplemental filings in statutory financial statements indicates that for standalone cyber coverage the direct incurred loss and defense and cost containment (DCC) expenses ratio held relatively steady at 44% in 2023 versus 43% in 2022. Despite two poor/performing years in 2020 and 2021, this ratio has averaged a highly profitable 48% over the nine years that cyber supplemental data is available.
    • Change asks to consolidate dozens of cyberattack class-action lawsuits - Emily Olsen, Healthcare Dive (04/08/2024)
      Change Healthcare wants to consolidate 24 class-action lawsuits it faces in the wake of a cyberattack that’s caused disruptions across the industry, according to a Wednesday court filing. The UnitedHealth Group subsidiary asked a judicial panel to combine the suits and centralize them in the federal U.S. District Court for the Middle District of Tennessee — where Change is headquartered — arguing the cases share factual and legal claims and are in early stages of litigation.
    • Cyber Insurance Risks and Trends 2024 - Munich Re (04/04/2024)
      The cyber insurance market has further matured. Looking to the future, the focus remains to meet increasing demand and manage dynamic risk exposures, while focusing on the sustainable insurability of cyber risks and market functionality.
    • Omni Hotels says widespread outages caused by cyberattack - Jonathan Greig, The Record (04/04/2024)
      Omni Hotels & Resorts confirmed on Wednesday evening that recent technology outages were caused by a cyberattack that was first discovered last Friday. The U.S.-based chain — which operates 50 hotels and resorts across North America — has been dealing with technological issues all week making it difficult for guests to check in and make new reservations.
    • Scathing federal report rips Microsoft for shoddy security, insincerity in response to Chinese hack - Frank Bajak, The Associated Press (04/03/2024)
      In a scathing indictment of Microsoft corporate security and transparency, a Biden administration-appointed review board issued a report Tuesday saying “a cascade of errors” by the tech giant let state-backed Chinese cyber operators break into email accounts of senior U.S. officials including Commerce Secretary Gina Raimondo.
    • U.S. Publishes Draft Federal Rules for Cyber Incident Reporting - James Rundle, The Wall Street Journal (03/27/2024)
      The U.S. Cybersecurity and Infrastructure Security Agency on Wednesday published long-awaited draft rules on how critical-infrastructure companies must report cyberattacks to the government. CISA developed the rules after President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act into law on March 15, 2022.
    • China Says Issued 'Strong' Complaint Over Western Hacking Claims - Matthew Walsh, Stuart Graham, and Ryland James, AFP (03/26/2024)
      China said it had issued a "strong" rebuke to the United States on Tuesday after Washington and two key allies accused Beijing of being behind a series of hacks into lawmakers and key democratic institutions. In rare and detailed public accusations against China -- the United States, Britain and New Zealand described a series of cyber breaches over the last decade or more in what appeared to be a concerted effort to hold Beijing accountable.
    • Google, Meta and others face tough questions in Australia over cyber extremism threats - Keiran Smith, The Associated Press (03/18/2024)
      Australia’s online safety regulator has put social media giants on notice, requiring them to explain what they are doing to to protect people from violent extremists and terrorists. The country’s eSafety regulator announced Tuesday that it had issued legal notices to Google, Meta, X, WhatsApp, Telegram and Reddit requiring each company to report on steps they are taking to protect Australian users of their platforms from extremist material online.
    • New SEC cyber rules draw ‘question-begging’ breach disclosures - Alexei Alexis, CFO Dive (03/12/2024)
      Cybersecurity rules that recently went into effect at the Securities and Exchange Commission have so far resulted in several breach disclosures from publicly traded companies, including Microsoft and Hewlett Packard Enterprise.
    • Switzerland’s cybersecurity experts still can’t Xplain how federal documents made it to the dark web - Luke Hughes, Tech Radar (03/08/2024)
      Though a ransomware attack on Xplain, a Swiss software developer contracted by the country’s federal government, became known almost as it happened in late May 2023, a new report from the country’s National Cyber Security Centre (NCSC) has shed additional, disconcerting light on the extent of the incident.
    • This simple, straightforward car insurance phishing scam is so basic, it's actually working really well - Sead Fadilpašić, Tech Radar (03/08/2024)
      Cybersecurity researchers have recently discovered an incredibly simple phishing campaign that seems to be performing exceptionally well. In a blog post, experts from Cofense described a newly found phishing campaign in which threat actors impersonate a car insurance company. The body of the emails is short and to the point, and doesn’t distribute anything particularly malicious. In fact, in many cases, it carried a Google Ad link, which is probably why it managed to bypass secure email gateways (SEG) and land in people’s inboxes in the first place.
    • US defense sector under attack by China-backed hackers, with NSA confirming Ivanti VPN exploits are to blame - Benedict Collins, Tech Radar (03/04/2024)
      The Ivanti enterprise VPN application is being exploited by hackers to target the US defense sector, the US National Security Agency has confirmed. The US defense sector provides equipment and technology for the US military, which makes a potential compromise by China-backed groups significantly concerning.
    • There is diversification to be found within cyber cat bonds and ILS: CyberCube - Steve Evans, Artemis (02/29/2024)
      CyberCube, a specialist modelling firm for cyber risks and exposures, has analysed the four 144A cyber catastrophe bonds that have been issued to date and found that there is diversification between them, which it says means these first deals provide a solid base for future innovation.
    • Biden acts to better protect Americans’ personal data such as health records and finances - Will Weissert and Barbara Ortutay, The Associated Press (02/28/2024)
      President Joe Biden is signing an executive order aimed at better protecting Americans’ personal data on everything from biometrics and health records to finances and geolocation from foreign adversaries like China and Russia.
    • White House urges software developers to use memory-safe programming languages - David DiMolfetta, Nextgov/FCW (02/26/2024)
      The White House is pushing hardware and software makers to build their products using programming languages with internally-engineered guardrails that prevent hackers from peering into the inner workings of sensitive systems, according to a report out Monday.
    • Cyber MGA Coalition Predicts Common Vulnerabilities to Increase 25% in 2024 - Insurance Journal (02/22/2024)
      Cyber insurance provider Coalition said it expects the total number of common vulnerabilities and exposures (CVEs) to increase by 25% in 2024 to 34,888 vulnerabilities, or roughly 2,900 per month.
    • An online dump of Chinese hacking documents offers a rare window into pervasive state surveillance - Frank Bajak and Dake Kang, The Associated Press (02/21/2024)
      Chinese police are investigating an unauthorized and highly unusual online dump of documents from a private security contractor linked to the nation’s top policing agency and other parts of its government — a trove that catalogs apparent hacking activity and tools to spy on both Chinese and foreigners.
    • This wireless charger cyberattack could literally set your phone on fire - Luke Hughes, Tech Radar (02/21/2024)
      New research published by researchers at the University of Florida and Web3 security audit company CertiK has revealed a new form of cyberattack that could set your smartphone on fire via its wireless charger. The terrifying academic paper claims to have uncovered vulnerabilities in the way wireless chargers are manufactured, exposing them to ‘intentional electromagnetic interference’ (IEMI) from threat actors.
    • Biden signs executive order to boost cybersecurity at US ports - CBS News (02/21/2024)
      President Joe Biden on Wednesday signed an executive order and created a federal rule aimed at better securing the nation's ports from potential cyberattacks. The administration is outlining a set of cybersecurity regulations that port operators must comply with across the country, not unlike standardized safety regulations that seek to prevent injury or damage to people and infrastructure.
    • National cyber director urges private sector collaboration to counter nation-state cyber threat - David Jones, Cybersecurity Dive (02/09/2024)
      National Cyber Director Harry Coker this week reiterated prior warnings that hackers linked to the People’s Republic of China are actively working to gain access to critical infrastructure in the U.S. to potentially launch malicious attacks.
    • UN experts investigating 58 suspected North Korean cyberattacks valued at about $3 billion - Edith M. Lederer, The Associated Press (02/09/2024)
      U.N. experts say they are investigating 58 suspected North Korean cyberattacks between 2017 and 2023 valued at approximately $3 billion, with the money reportedly being used to help fund its development of weapons of mass destruction.
    • Multiple threats to election systems prompt US cybersecurity agency to boost cooperation with states - Christina A. Cassidy, The Associated Press (02/08/2024)
      The nation’s cybersecurity agency on Thursday launched a program aimed at boosting election security in the states, shoring up support for local offices and hoping to provide reassurance to voters that this year’s presidential elections will be safe and accurate. Officials with the U.S. Cybersecurity and Infrastructure Security Agency are introducing the program this week to the National Association of State Election Directors and National Association of Secretaries of State, which are meeting in the nation’s capital.
    • Don't expect buyers' market for cyber insurance to last – RPS - Ryan Smith, Insurance Business (02/02/2024)
      While 2023 saw a buyers’ market for cyber insurance, that trend is likely unsustainable due to rising claims, according to a report by Risk Placement Services (RPS). Agents should prepare themselves for stabilization or even rate increases, RPS warned.
    • US says it disrupted a China cyber threat, but warns hackers could still wreak havoc for Americans - Didi Tang, Eric Tucker, and Frank Bajak, The Associated Press (01/31/2024)
      U.S. officials said Wednesday they disrupted a state-backed Chinese effort to plant malware that could be used to damage civilian infrastructure, as the head of the FBI warned that Beijing is positioning itself to disrupt the daily lives of Americans if the United States and China ever go to war.
    • Georgia county at centre of Trump case targeted by cyberattack - Gustaf Kilander, The Independent (01/31/2024)
      The Georgia county where former president Donald Trump is being prosecuted for election interference has been targeted in a wide-ranging cyberattack. The Fulton County IT department said in a statement that its internet-based phone system has been disabled, as have computers which are storing court documents.
    • More companies expected to disclose email hacks by Russian intelligence - Joseph Menn, The Washington Post (01/26/2024)
      Security experts expect many more companies to disclose that they’ve been hacked by Russian intelligence agents who stole emails from executives following disclosures by Microsoft and Hewlett-Packard Enterprise in the past week.
    • New McAfee Global Small Business Study Reveals Concerns, Knowledge and Vulnerabilities of Small Businesses in Today’s Cyber Landscape - Business Wire (01/17/2024)
      The study, conducted in collaboration with Dell Technologies, reveals cybersecurity is one of the greatest concerns of small businesses globally, with 73% of organizations saying it is one of their biggest risks or vulnerabilities. And these fears are justified. The data shows that cyberattacks are on the rise, as 44% of small businesses have experienced a cyberattack, and 17% have experienced more than one. For 67% of the organizations that experienced a cyberattack, the incident occurred in the last two years, indicating that the threat of cybercrime has become more prevalent.
    • Hackers discover way to access Google accounts without a password - Anthony Cuthbertson, The Independent (01/08/2024)
      Security researchers have uncovered a hack that allows cyber criminals to gain access to people’s Google accounts without needing their passwords. Analysis from security firm CloudSEK found that a dangerous form of malware uses third-party cookies to gain unauthorised access to people’s private data, and is already being actively tested by hacking groups.
    • Hackers are targeting a WordPress security flaw that was supposed to have been fixed - Sead Fadilpašić, Tech Radar (01/08/2024)
      Researchers recently observed a known, and apparently fixed vulnerability, being abused in the wild to steal login credentials for WordPress websites. Cybersecurity researchers from Plugin Vulnerabilities, an organization that monitors flaws in WordPress plugins, reported a hacker trying to exploit an arbitrary file viewing vulnerability in the WP Compress plugin.
    • Lebanon airport screens display anti-Hezbollah message after being hacked - The Associated Press (01/07/2024)
      The information display screens at Beirut’s international airport were hacked by domestic anti-Hezbollah groups Sunday, as clashes between the Lebanese militant group and the Israeli military continue to intensify along the border.
    • Merck Settles Coverage Dispute With Insurers Over War Exclusion in NotPetya Attack - Insurance Journal (01/05/2024)
      Merck & Co. Inc. has reportedly reached a deal with insurers over a closely-watched coverage dispute related to a massive cyberattack in 2017. The New Jersey Supreme Court in July 2023 agreed to hear the case after a state appeals court ruled months prior against eight insurers, finding that a hostile/warlike action exclusion in an all risks property insurance policy did not apply to a Russian-linked cyberattack known as “NotPetya” on the pharmaceutical firm.
    • ECB to Test Banks' Cyberattack Response - Nina Kienle, Dow Jones (01/03/2024)
      The European Central Bank said it will conduct stress tests on banks' cyberattack response and recovery this year. The Frankfurt-based institution said on Wednesday that the test will assess 109 directly supervised banks on their ability to recover from a cyberattack rather than the ability to prevent it.

    2023

    • RAND report evaluates cyber-specific needs in addressing supply chain risk management - Sara Friedman, Inside Defense (12/29/2023)
      A recent report commissioned by the Air Force Research Laboratory dives into how addressing cyber risks differs from other supply chain risk management issues and provides recommendations on how to take a "comprehensive approach" in addressing their needs together.
    • iPhone researchers find one of the most sophisticated attacks ever - Andrew Griffin, The Independent (12/29/2023)
      Security researchers looking at the iPhone have found the “most sophisticated attack chain we have ever seen”, they have warned. Hackers were using a complex and detailed series of hacks to break into phones and load them with software that can be used to spy on their users, the researchers from cyber security company Kaspersky warned.
    • Cyber risk strategies in hot seat as SEC rules go live - David Jones, Cybersecurity Dive (12/20/2023)
      The Securities and Exchange Commission has officially reached the implementation dates for its historic cyber incident reporting requirements. The rules, which require companies to report material cyber incidents within four business days of determination, are leading to significant changes in how companies prepare for and implement cyber risk strategies at the highest levels of publicly traded companies that operate in the U.S.
    • What the SEC weighed in finalizing the cyber disclosure rules - David Jones, Cybersecurity Dive (12/18/2023)
      The leader of the Securities and Exchange Commission’s Division of Corporate Finance downplayed concerns that the agency’s new cybersecurity rules will provide a roadmap to threat groups about their attacks or place an undue burden on security executives.
    • Decades-old computer law 'hampering UK's battle against cyber attacks' - Ben Glaze, Mirror (12/18/2023)
      Cyber experts bidding to bolster Britain’s web protections are being hampered by outdated laws, campaigners warned today. They feared the UK was “bleeding cyber expertise”, with thousands of professionals quitting the country to work elsewhere. The CyberUp Campaign urged the Government to “recognise the risk of inaction” and accelerate an overhaul of legislation.
    • Europe agrees on rules to protect smart devices from cyber threats - Foo Yun Chee, Reuters (11/30/2023)
      EU countries and EU lawmakers on Thursday agreed to rules to protect laptops, fridges, mobile apps and smart devices connected to the internet from cyber threats following a spate of such attacks and ransom demands in recent years around the world.
    • Axis completes cyber catastrophe bond - Matthew Lerner, Business Insurance (11/29/2023)
      Axis Capital Holdings Ltd. on Tuesday said it has completed a series 144A cyber catastrophe bond to provide several of its subsidiaries with $75 million of fully collateralized indemnity reinsurance protection for systemic cyber events on a per occurrence basis.
    • GAO report highlights cyber grant opportunities for state, local governments - Jacob Livesay, Inside Cybersecurity (11/27/2023)
      A report from the Government Accountability Office highlights several sources of grant funding used for state, local, tribal, and territorial government cybersecurity efforts and actions taken by “relevant federal agencies” to monitor grants that are related to cybersecurity.
    • Remarks by Assistant Secretary Graham Steele at the Federal Insurance Office and NYU Stern Volatility and Risk Institute Conference on Catastrophic Cyber Risk and a Potential Federal Insurance Response - U.S. Department of the Treasury (11/17/2023)
      The conclusion regarding scope is that because we see that the private market for insurance against attritional cyber risk from losses other than those related to major catastrophes is dynamic and growing, we anticipate that our assessment of a potential federal insurance response will remain sharply focused on catastrophic cyber risk.
    • New York Plans Cyber Rules for Hospitals - James Rundle, The Wall Street Journal (11/13/2023)
      New York regulators Monday announced plans to issue cybersecurity regulations for hospitals, after a series of attacks crippled operations at medical facilities.
    • Coalition launches active insurance products in Australia - Jonalyn Cueto, Insurance Business (11/07/2023)
      Cyber Insurance provider Coalition has launched in Australia its suite of active insurance products with the backing from Allianz Australia. Active cyber insurance is a type of insurance that serves as a protection for the digital economy.
    • New York Adds Stiffer Requirements to Cybersecurity Rules - James Rundle, The Wall Street Journal (11/01/2023)
      New York’s financial watchdog published significant updates to its cybersecurity regulations Wednesday, adding strict provisions around board oversight and ransom payments that go further than recent federal rules.
    • Cisco routers abused by China-linked hackers against US, Japan companies - David Jones, Cybersecurity Dive (10/28/2023)
      BlackTech has been actively attacking companies that support the defense industry in both countries since 2010. The hackers have historically targeted firmware located at international subsidiaries of U.S. and Japanese companies, using custom malware to abuse Cisco routers in order to evade detection.
    • Detection and response tools increasingly important as cyber claims surge: Allianz - Allianz (10/25/2023)
      Following two years of high but stable loss activity, 2023 has seen a worrying resurgence in ransomware and extortion claims as the cyber threat landscape continues to evolve, Allianz Commercial warns in a new report.
    • The Hanover's 2023 Report Finds Businesses Lack Protection and Recovery Plans Against Cyber Attacks - PR Newswire (10/23/2023)
      The Hanover Insurance Group, Inc. (NYSE: THG), a leading provider of insurance for individuals, families and businesses, today released its 2023 Cyber Resiliency Report which highlights a lack of preparedness by businesses for cyber-related attacks.

       

    • The Race to Save Our Secrets From the Computers of the Future - Zach Montague, The New York Times (10/22/2023)
      They call it Q-Day: the day when a quantum computer, one more powerful than any yet built, could shatter the world of privacy and security as we know it.
    • Rep. Garbarino considers potential legislation to overturn controversial SEC rule - Jacob Livesay, Inside Cybersecurity (10/20/2023)
      House Homeland Security cyber subcommittee Chair Andrew Garbarino (R-NY) is looking into opportunities to introduce legislation that would block the U.S. Securities and Exchange Commission from moving forward with a controversial final rule that will require publicly traded companies to report cyber incidents.
    • Cyberattack on major payment system could cause $3.5T loss, Lloyd's says - Steve Hallo, Property Casualty 360 (10/16/2023)
      A cyberattack on a major financial services payment system could result in widespread business disruption and potentially result in $3.5 trillion in global economic losses over a five-year period, according to research from Lloyd’s of London and the Cambridge Centre for Risk Studies.
    • Supply chain, email attacks against healthcare groups frequently threatening patient care, report finds - Dave Muoio, Fierce Healthcare (10/11/2023)
      Supply chain and business email compromise (BEC) attacks against healthcare organizations are among the leading threats to patients’ care and outcomes, according to a new survey report from cybersecurity firm Proofpoint and IT security research group Ponemon Institute.
    • Hiscox research finds increased prevalence of cyber attacks on businesses for fourth consecutive year - Hiscox (10/10/2023)
      Over half (53%) of businesses suffered at least one cyber attack over the last 12 months – a five-point increase on the previous year (48%) according to new data from the latest Hiscox Cyber Readiness Report.
    • UK businesses are facing burnout as cyber threats rise - Amber Jackson, Cyber Magazine (10/05/2023)
      According to a new report conducted by iomart and Oxford Economics, which surveyed 500 executives from UK businesses, the report found that 30% of cybersecurity staff that are currently battling rising cyber threats are facing burnout.
    • Threats in cloud top list of executive cyber concerns, PwC finds - Matt Ashare, CIO Dive (10/03/2023)
      Cloud-related threats are the top cyber concern for organizations that have adopted the technology, according to a PwC report published Tuesday. The accounting and consulting firm surveyed 3,876 senior business and technology executives.
    • C-suite leaders to boost cybersecurity compliance amid SEC disclosure rule: Deloitte - David Jones, Cybersecurity Dive (10/02/2023)
      Almost two-thirds of executives at publicly traded companies will strengthen their cybersecurity programs following the new Securities and Exchange Commission rule that requires companies to report material incidents within four business days, according to a Deloitte poll released Tuesday.
    • Cybersecurity Budgets Grow, But at a Slower Pace - James Rundle, The Wall Street Journal (09/29/2023)
      Cybersecurity budgets have largely been protected from the worst consequences of economic uncertainty, but have hardly been untouched by wider trims to company spending.
    • Tech giants ramp up cloud security under pressure from Washington - Joseph Menn, The Washington Post (09/28/2023)
      After a recent theft of emails from top U.S. officials raised alarms about the country’s increasing dependence on the biggest cloud computing companies, Amazon, Google and Microsoft have begun to explain more of the work they do to secure the data of tens of millions of online customers.
    • Chinese hackers stole 60,000 emails from senior State Department officials in May - Sean Lyngaas, CNN (09/28/2023)
      The Chinese hackers who breached multiple US government agencies in May stole some 60,000 emails from senior State Department officials, including information on officials’ travel itineraries, a Senate staffer briefed on the matter told CNN.
    • Chubb and SentinelOne partner to enhance cybersecurity for U.S. businesses - Akankshita Mukhopadhyay, Reinsurance News (09/27/2023)
      In a strategic move aimed at bolstering cybersecurity practices for American businesses, Chubb, the world’s largest publicly traded property & casualty insurance company, has embarked on a collaboration with SentinelOne, a renowned leader in the field of cybersecurity.
    • Bermuda premier says ‘sophisticated and deliberate’ cyberattack hobbles government services - The Associated Press (09/25/2023)
      A major cyberattack has hobbled government operations in Bermuda, with officials struggling to restore service. Premier David Burt said Monday that the government is trying to identify what happened and how, adding that he could not provide details because it was a matter of national security.
    • Boards Still Lack Cybersecurity Expertise - James Rundle, The Wall Street Journal (09/25/2023)
      An analysis of board composition in companies in the S&P 500 index found that 88% have no cybersecurity expert as a director. Only seven companies had a current or former chief information security officer on their board, the research found, and in two cases, that was the same person.
    • Why automakers are worried your car is the next target for cyber attacks - Guy Taylor, City AM (09/17/2023)
      Automakers are ramping up efforts to battle the fast-growing threat of cyber attacks, as experts warn the industry is facing an “inflection point” on cybersecurity. Internet-enabled cars and advanced technological developments are increasing risks to consumer privacy and even safety as the number of attacks rises “rapidly” year-on-year, according to a report from cybersecurity firm Kaspersky.
    • White House mulls rating system to boost cybersecurity for critical infrastructure - David Jones, Cybersecurity Dive (09/11/2023)
      The White House is looking to add oversight capabilities to strengthen cybersecurity for critical infrastructure. The administration has been working with various cabinet agencies to bolster cybersecurity in water, rail, aviation, energy and other sectors.
    • Russian cyber-attacks ‘relentless’ as threat of WW3 grows, expert warns - Joseph Draper, The Independent (09/04/2023)
      Cyberattacks by the UK’s enemies are becoming “relentless” as we enter a “new era” of global conflict, an expert has warned. It comes after Russian hackers allegedly acquired top-secret security information on some of the country’s most sensitive military sites, including the HMNB Clyde nuclear submarine base on the west coast of Scotland and the Porton Down chemical weapon lab.
    • Moscow will help cybercriminals operate with 'near impunity': federal report predicts - Jim Bronskill, Canada's National Observer (08/29/2023)
      Russian intelligence services and police will help cybercriminals operate with "near impunity" against their targets — including Canadians — in coming months, a new federal report predicts.
    • London’s Metropolitan Police force ups security after a supplier’s IT system is hacked - The Associated Press (08/27/2023)
      London’s Metropolitan Police force says it has stepped up security after a company that holds details of its officers and staff was hacked. The force said late Saturday that there had been “unauthorized access to the IT system” of one of its suppliers.

       

    • More Cyber Companies Announce Layoffs - Catherine Stupp and James Rundle, The Wall Street Journal (08/16/2023)
      A trio of cybersecurity companies said this month that they plan to lay off hundreds of employees, adding to concerns of further squeezes on an industry that has already been rocked by changing economic conditions.
    • Clorox says certain business operations disrupted in cyber attack - Reuters (08/14/2023)
      Clorox said on Monday it had taken certain systems offline after unauthorized activity disrupted some business operations.
    • U.S. Issues Draft Cybersecurity Guidelines for EV Charging Networks - Catherine Stupp, The Wall Street Journal (08/14/2023)
      While the Biden administration pushes carmakers to electrify their products to help address the climate crisis, the main U.S. agency for technology and competition is pressing for cybersecurity guidelines for the industry to guard against domestic and international hacking.
    • Connecticut school district lost more than $6 million in cyber attack, so far gotten about half back - The Associated Press (08/10/2023)
      The city of New Haven lost more than $6 million in multiple cyberattacks on its public school district earlier this summer and has so far managed to recoup about half of the money, officials announced Thursday.
    • New SEC rule requires public companies to disclose cybersecurity breaches in 4 days - The Associated Press (07/26/2023)
      The Securities and Exchange Commission adopted rules Wednesday to require public companies to disclose within four days all cybersecurity breaches that could affect their bottom lines. Delays will be permitted if immediate disclosure poses serious national security or public safety risks.
    • Regulators warn hospitals and telehealth companies about privacy risks of Meta, Google tracking tech - Heather Landi, Fierce Healthcare (07/21/2023)
      Federal regulators are warning hospital systems and telehealth providers about the data privacy risks of using third-party tracking technologies. These services, like Meta Pixel or Google Analytics, could violate the Health Insurance Portability and Accountability Act (HIPAA) or Federal Trade Commission (FTC) data security rules, officials said.
    • Many businesses don't even know they've been hit by a security breach - Sead Fadilpašić, Tech Radar (07/19/2023)
      Many businesses don’t know if they have suffered a data breach, and probably wouldn’t be able to spot such an event at all, due to the ever-expanding threat landscape, and notification fatigue among IT staff, new research has claimed.
    • Cybersecurity labeling for smart devices aims to help people choose those less vulnerable to hacking - The Associated Press (07/18/2023)
      The Biden administration and major consumer technology players on Tuesday launched an effort to put a nationwide cybersecurity certification and labeling program in place to help consumers choose smart devices that are less vulnerable to hacking.
    • FCC chair proposes $200M investment to boost K-12 cybersecurity - Anna Merod, K-12 Dive (07/13/2023)
      Federal Communications Commission Chairwoman Jessica Rosenworcel announced a proposal Wednesday to invest up to $200 million over three years to boost school and library cybersecurity. The move follows urgent calls for the FCC to update its E-rate program to cover advanced firewalls and other network security measures.
    • New York City Schools Had Warnings Before Cyber Attack - Cayla Bamberger, Government Technology (07/10/2023)
      Just weeks before hackers breached tens of thousands of NYC children’s personal information in a global cyber attack, the New York State Comptroller warned education officials to get serious about protecting student data.
    • Hackers using TrueBot malware for phishing attacks in US, Canada, officials warn - David Jones, Cybersecurity Dive (07/07/2023)
      Federal authorities are warning that hackers are leveraging TrueBot malware, also known as Silence Downloader, in phishing attacks against U.S. and Canadian targets, officials including the FBI and Cybersecurity and Infrastructure Security Agency said Thursday.
    • Suncor cyberattack likely to cost energy firm millions of dollars: expert - The Canadian Press (06/27/2023)
      A cybersecurity expert says a systems breach at Suncor Energy Inc. will likely cost the company millions of dollars before the issue is resolved. Jon Ferguson of the Canadian Internet Registration Authority says the type and scale of the cyberattack currently affecting the Calgary-based oil and gas company remains unknown.
    • This hacking group has been attacking thousands of organizations worldwide - Sead Fadilpašić, Tech Radar (06/09/2023)
      Cybersecurity researchers from ESET recently discovered a relatively new hacking group that’s been very successful in targeting organizations worldwide. The group is called Asylum Ambuscade, and its endgame remains a mystery to the researchers. According to BleepingComputer, it has been active all over the world, but mostly in the West, for the last three years.
    • Cyber Models Put 1:200-Year Loss Event at Up to $33.4B: Guy Carpenter - Advisen (06/09/2023)
      A 1 in 200-year cyber event could cost the global cyber insurance industry between $15.6 billion and $33.4 billion while a 1:50-year event could cause losses between $5.5 billion to $24.4 billion, according to a new analysis from reinsurance broker Guy Carpenter.
    • Russia Accuses U.S. Intelligence of Hacking Thousands of iPhones - Insurance Journal (06/05/2023)
      Russia’s main security service accused a US intelligence agency of hacking several thousand iPhones, including devices belonging to Russian nationals and others linked to diplomatic missions and embassies in the country.
    • Intangic MGA calls for a new approach to managing nation-state cyber attacks - Kane Wells, Reinsurance News (05/26/2023)
      Intangic MGA has called for a new approach to managing nation-state cyber attacks that moves away from the focus on catastrophic ‘Cyber Armageddon’ toward the higher frequency events happening every day.
    • Shifting tactics fuel surge in business email compromise - Microsoft Security (05/19/2023)
      Business email fraud continues to rise, with the Federal Bureau of Investigation (FBI) reporting more than 21,000 complaints with adjusted losses over $2.7 billion. Microsoft has observed an increase in sophistication and tactics by threat actors specializing in business email compromise (BEC), including leveraging residential internet protocol (IP) addresses to make attack campaigns appear locally generated.
    • Organizations reporting cyber resilience are hardly resilient: Study - Shweta Sharma, CSO (05/18/2023)
      While most organizations have a cyber resilience program in place, more than half of them lack a comprehensive approach to assessing resilience, according to a study by Immersive Labs.
    • CISA director wary of technology industry repeating its mistakes with AI - Naomi Eide, Cybersecurity Dive (05/11/2023)
      The multibillion-dollar cybersecurity industry is the result of misaligned incentives, where the technology industry prioritized speed to market over security, said Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, at a Hack the Capitol event Wednesday.
    • Young Cyber Companies Face Uncertain Economy - James Rundle, The Wall Street Journal (05/10/2023)
      Newer cybersecurity companies are grappling with uncertain economic conditions as they find it harder to raise capital, continue to trim their workforces and refocus on profits after long periods of chasing growth.
    • Cyberattacks on governments saw a huge increase in the first few months of 2023 - Sead Fadilpašić, TechRadar (05/09/2023)
      In a recently published paper, the company analyzed 924 significant cyber-incidents that took place between 2006, and Q1 2023 (including the first three months of this year). The analysis has shown that in that time, at least 722 cyberattacks were targeting government agencies.
    • US Says Disabled Russian Spyware Used For Two Decades - Paul Handley, AFP News (05/09/2023)
      The US Justice Department said Tuesday that it had disabled a "sophisticated" malware network used by Russia's FSB intelligence agency for two decades to spy in 50 countries including a NATO ally.
    • Economic & cyber hailed as biggest risks surrounding D&O: WTW & Clyde & Co - Jack Willard, Reinsurance News (04/25/2023)
      According to a new survey from brokerage WTW and global law firm Clyde & Co, economic and cyber risks, particularly those associated with data loss and ransomware, are causing increasing concern for Directors and Officers (D&O).
    • Howden: Cyber will “prove that the industry is capable of innovating” - The Insurer (04/20/2023)
      Cyber as a peril presents a unique opportunity for the insurance industry to demonstrate its relevance to the wider economy through product innovation and risk transfer solutions that address issues around aggregation and systemic risk, according to David Howden.
    • Insurers Wary of Longer-Term Costs of Cyberattacks - James Rundle, The Wall Street Journal (04/17/2023)
      Privacy laws and regulatory action extend the cost of incidents for years beyond an attack, insurers say, which could result in higher costs and stiffer policy requirements for companies.
    • Air National Guardsman Arrested as F.B.I. Searches His Home - Aric Toler, Michael Schwirtz, Haley Willis, Riley Mellen, Christiaan Triebert, Malachy Browne, Thomas Gibbons-Neff and Julian E. Barnes, The New York Times (04/14/2023)
      Federal investigators on Thursday arrested a 21-year-old air national guardsman who they believe is linked to a trove of leaked classified U.S. intelligence documents, which have upended relations with American allies and exposed weaknesses in the Ukrainian military.
    • US Cyber Insurers See Favorable Premium Growth, Results in 2023 - Fitch Wire (04/13/2023)
      The US cyber insurance market is anticipated to maintain favorable premium growth and underwriting results through 2023; however, pricing will likely moderate further this year in response to recent profits and competitive factors, Fitch Ratings says.
    • US launches multi-agency search to find source of huge Ukraine document leak - Stuti Mishra, The Independent (04/10/2023)
      The United States has launched a multi-agency investigation after highly classified military and intelligence documents containing sensitive information on topics including Ukraine’s defence were leaked online. The documents included information about a range of topics relating to the war in Ukraine, China, the Middle East, and Africa, with many officials suspecting that they may have been leaked by an American, rather than an ally.
    • ‘Network disruption’ probed at California sheriff’s office - The Associated Press (04/09/2023)
      Southern California’s San Bernardino County Sheriff’s Department said it experienced a “network disruption” to its electronic systems last week and has referred the problem to the FBI and Department of Homeland Security.
    • Groundbreaking Research from Marsh McLennan Reveals Direct Link between Key Cybersecurity Controls and Reduced Cyber Risk - Business Wire (04/06/2023)
      Marsh McLennan, the world’s leading professional services firm in the areas of risk, strategy and people, today released a report from its Cyber Risk Analytics Center that directly links key cybersecurity controls commonly required by cyber insurers to a reduced chance of a cyber incident. By assessing the relative effectiveness of each control, organizations are now able to allocate resources towards those that provide the best protection, better position their risk with insurers, and build their cyber resiliency more confidently.
    • Global takedown of cybercriminals behind malware operation - Eric Tucker and Frank Bajak, The Associated Press (04/05/2023)
      Law enforcement agencies in the United States and Europe said Wednesday that they have taken down a major online marketplace for stolen login credentials that had given cybercriminals access to millions of compromised accounts since its 2018 launch. Officials seized 11 domain names tied to the Genesis Market and arrested about 120 users across the world, including some in the U.S., according to the FBI and Justice Department, which participated in the operation.
    • Exxon’s Climate Opponents Were Infiltrated by Massive Hacking-for-Hire Operation - Christopher M. Matthews, The Wall Street Journal (03/29/2023)
      In the midst of perpetrating what federal prosecutors say was a massive corporate hacking campaign, Israeli private detective Aviram Azari in 2017 received welcome news. A group of hackers in India wrote him to say they had successfully infiltrated the email and social-media accounts of a group of environmental activists campaigning against Exxon Mobil Corp.
    • Russia intensifies cyberattacks on Ukraine allies - Al Jazeera (03/29/2023)
      Russia’s cyberwar on Ukraine has largely failed and Moscow is increasingly targeting Kyiv’s European allies, according to US and French analysts. French defence firm Thales said in a report on Wednesday that Russia was hitting Poland and Nordic and Baltic countries with an arsenal of cyberweapons aiming to sow divisions and promote anti-war messages.
    • Marsh unveils cybersecurity program for small, midsize businesses - Claire Wilkinson, Business Insurance (03/28/2023)
      Marsh LLC on Tuesday launched a cybersecurity and insurance program for small and midsize businesses in the U.S., backed by Beazley PLC, Chubb Ltd., Coalition Inc. and Resilience. The program, known as Marsh Cyber Pathway, is designed to help smaller businesses better understand what cybersecurity controls they need to implement to obtain coverage.
    • Biden Restricts Use of Commercial Hacking Tools by U.S. Agencies - Dustin Volz, The Wall Street Journal (03/27/2023)
      President Biden restricted the use of commercial hacking tools throughout the federal government as officials said they believed high-powered spyware had compromised devices belonging to at least 50 U.S. personnel working overseas.
    • Ukraine War Shows Difficulty of Large-Scale Cyberattacks, NSA Director Says - Niharika Mandhana, The Wall Street Journal (03/24/2023)
      U.S. adversaries have become more capable of carrying out sophisticated cyberattacks, but the Ukraine war shows how difficult it is to conduct large-scale operations against critical infrastructure, said National Security Agency Director Gen. Paul Nakasone.
    • As CISA chief notes lack of Russian cyberattacks against US, experts focus on enhancing nuclear reactor security - Robert Walton, Utility Dive (03/23/2023)
      The United States was prepared for “potential blowback” related to its response to Russia’s invasion of Ukraine, and was on the lookout for an onslaught of related cyberattacks even before the war began, but those attacks did not materialize, U.S. Cybersecurity and Infrastructure Security Agency Executive Director Brandon Wales said Wednesday.
    • Electric-Vehicle Growth Expands GM Cyber Chief’s Concerns to Charging Stations - James Rundle, The Wall Street Journal (03/23/2023)
      Electric vehicles are taking General Motors Co. ’s cyber chief into new territory. Kevin Tierney, the auto maker’s chief cybersecurity officer, often finds himself monitoring risks across information-technology systems, autonomous vehicles and manufacturing plants. Now, he’s adding power-grid security to his day-to-day work.
    • Wisconsin's statewide court system slowed by denial-of-service cyberattack - Drew Dawson, Milwaukee Journal Setinel (03/23/2023)
      An attempted cyberattack on the Wisconsin court system's computer network caused intermittent delays and slower response times earlier this week. In a press release, Director of State Courts Randy Koschnick said that a denial-of-service attack required counter measures by the court system. While the network was temporarily slowed, there was no breach of any court data. No courtrooms across the state were disrupted by the cyberattack.
    • Intangic MGA Launches Cyber Parametric Policy With Backing From AXA XL - Insurance Journal (03/16/2023)
      Intangic MGA, a London-based cyber managing general agent (MGA), has been launched with capacity backing from AXA XL, offering new cyber insurance cover for large public corporations headquartered in the UK.
    • Cyberattacks on school districts — like recent one on MPS — are on the rise - Mara Klecker, Star Tribune (Minneapolis) (03/10/2023)
      Cyberattacks like the one that paralyzed the Minneapolis Public Schools' computer systems in late February are becoming a growing threat to school districts, prompting a dramatic rise in cyber liability insurance premiums and a scramble to figure out what can be done to secure student and staff data.
    • Ukrainians Work Through Blackouts, Internet Outages as Russia Targets Power Grid - Stephanie Stamm, The Wall Street Journal (03/06/2023)
      With flashlights ready and devices charged, Ukrainians have acclimated to rolling power outages as Russia targets Ukraine’s energy grid with missiles and drones. But the damage caused by the attacks has made working and communicating online increasingly difficult.
    • Cybersecurity Trends & Statistics For 2023; What You Need To Know - Chuck Brooks, Forbes (03/05/2023)
      For 2023 and beyond the focus needs to be on the cyber-attack surface and vectors to determine what can be done to mitigate threats and enhance resiliency and recovery. As the interest greatly expands in users, so do the threats, As the Metaverse comes more online it will serve as a new vector for exploitation.
    • EPA mandates states report on cyber threats to water systems - Suman Naishadham, The Associated Press (03/03/2023)
      The Biden administration on Friday said it would require states to report on cybersecurity threats in their audits of public water systems, a day after it released a broader plan to protect critical infrastructure against cyberattacks. The Environmental Protection Agency said public water systems are increasingly at risk from cyberattacks that amount to a threat to public health.
    • Mounting Cyber Threats Mean Financial Firms Urgently Need Better Safeguards - Tobias Adrian and Caio Ferreira, International Monetary Fund (03/02/2023)
      Cyber attackers continue to target the financial sector. What will happen when an attack takes down a bank or other critical platform, locking users out of their accounts?
    • Senate bill aims to improve consumer understanding of cyber insurance coverage, address ‘ambiguities’ - Charlie Mitchell, Inside Cybersecurity (02/22/2023)
      A new bill by Sens. John Hickenlooper (D-CO) and Shelley Moore Capito (R-WV) would establish a Commerce Department working group to “improve communication over cybersecurity insurance coverage levels,” addressing potential confusion over what’s actually covered in cyber insurance policies and tracking with a Cyberspace Solarium Commission recommendation.
    • Lockton Re: Now is the time for cyber insurance-linked securities - Roxanne Libatique, Insurance Business America (02/21/2023)
      The cyber insurance market continues to grow dramatically, with data and understanding of the peril developing in recent years. Among the current cyber trends, Lockton Re's latest report – released in partnership with CyberCube Analytics and Envelop Risk – claims that now is the right time for cyber insurance-linked securities (ILS) to succeed.
    • Health care center hit by cyberattack - Courtney Harrison, WNEP (02/20/2023)
      The Lehigh Valley Health Network has been hit with a cybersecurity attack. Officials with the health care network say they found unauthorized activity in their system on February 6. Officials say the ransomware gang known as BlackCat launched the attack on the network supporting the Delta Medix practice in Scranton.

       

    • Stealthy malware that opens a backdoor into Windows web servers discovered - Alfonso Maruccia, TechSpot (02/17/2023)
      Backdoor.Frebniis, or simply Frebniis, is a stealthy new malware discovered by Symantec researchers that leverages a vulnerability in IIS to put a backdoor into Windows web servers. Unknown cyber-criminals have actively exploited targets in Taiwan. To infect a system, hackers first need access to an IIS server. Symantec analysts have yet to find out how the attackers gained initial access.

       

    • Privacy Regulators Step Up Oversight of AI Use in Europe - Catherine Stupp, The Wall Street Journal (02/16/2023)
      European privacy regulators are intensifying their scrutiny of companies’ use of artificial intelligence, hiring experts and opening new units to crack down on data violations.

       

    • Russian cyberattacks on NATO spiked in 2022: Google - AFP, AFP (02/16/2023)
      Russian cyberattacks in NATO countries quadrupled last year compared to 2020 and more than tripled in Ukraine over the same period, Google said Thursday. The spike in attacks -- which coincided with Moscow's invasion of pro-Western Ukraine on February 24, 2022 -- was a sign of how cyber warfare would become increasingly prevalent in future conflicts, the US tech giant said in a new report.

       

    • Almost 60% of GAO's Privacy Recommendations Since 2010 Are Unresolved - Edward Graham, Nextgov (02/15/2023)
      Federal officials have failed to implement almost 60% of the privacy and data security recommendations issued by the Government Accountability Office since 2010, according to a Tuesday report from the watchdog, potentially limiting their ability to adequately safeguard Americans’ collected personal information.

       

    • Medical-Device Makers Face Push to Protect Their Wares From Hacks - James Rundle, The Wall Street Journal (02/13/2023)
      Mounting cyberattacks against hospitals and clinics and a regulatory push are increasing the pressure on medical-device manufacturers to improve the security of their products.

       

    • Top Risks in Cybersecurity 2023 - Tom Romanoff, Sabine Neschke, Danielle Draper, Jamil Farshchi , Ben Lord, Ahmad Douglas, Bipartisan Policy Center (02/12/2023)
      he Bipartisan Policy Center (BPC) convened a working group of leaders to strengthen America’s cybersecurity. The group’s approach was to identify the nation’s top cybersecurity risks to raise awareness so policymakers and businesses can take pragmatic action and invest in countermeasures.

       

    • Liberty Mutual Announces Creation of Global Cyber Office and Appointments of Key Leaders - PR Newswire, PR Newswire (02/10/2023)
      Liberty Mutual Insurance today announced the formation of a Global Risk Solutions (GRS) Global Cyber Office and the appointment of respected experts to key leadership roles.

       

    • Reddit confirms it was hacked after employee was victim of phishing attack - Martyn Landi, The Independent (02/10/2023)
      Popular internet forum website Reddit has confirmed it was the victim of a cyber attack, with hackers using a phishing attack on employees to steal login details and access the platform’s internal systems.

       

    • Treasury warns cloud financial services need more cybersecurity, transparency - Doug Cunningham, UPI (02/08/2023)
      A U.S. Treasury Department issued a report on Wednesday warning that more work is needed to mitigate the risks associated with financial services moving to the cloud.

       

    • GAO's Critical Infrastructure Cyber Recommendations Go Largely Unaddressed - Edward Graham, Nextgov (02/08/2023)
      More than half of the Government Accountability Office’s recommendations for protecting critical infrastructure services from cyber threats have not been implemented since 2010, potentially jeopardizing the security of the nation’s power grid and other vital services, according to a report issued by the watchdog Tuesday.

       

    • Insurers Say Cyberattack That Hit Merck Was Warlike Act, Not Covered - Richard Vanderford, The Wall Street Journal (02/08/2023)
      The costly NotPetya cyberattack, which the U.S. blamed on Russia, should be considered a “cyber nuclear attack,” insurers argued as they urged judges to overturn a legal win by Merck & Co. in a dispute that could have broad ramifications for business insurance.

       

    • Corporate boards struggle to understand cybersecurity and digital transformation - David Jones, Cybersecurity Dive (02/06/2023)
      Corporate board directors are struggling to oversee the rapidly evolving threat of cyberattacks, according to a report from Diligent Institute, which specializes in corporate governance issues. They consider cyber and data security as their most challenging issue.

       

    • EU Tightens Oversight of Data-Privacy Regulators to Speed Up Decisions - Catherine Stupp, The Wall Street Journal (02/01/2023)
      European officials are introducing a new oversight process to monitor major data-privacy investigations following criticism of the glacial pace of enforcement, particularly against multinational tech firms.

       

    • Dutch, European Hospitals 'Hit By Pro-Russian Hackers' - Agence France-Presse, Agence France-Presse (02/01/2023)
      Dutch cyber authorities said Wednesday that several hospital websites in the Netherlands and Europe were likely targeted by a pro-Kremlin hacking group because of their countries' support for Ukraine.

       

    • Coalition Releases First-Ever Cyber Threat Index for 2023 - Coalition, Business Wire (02/01/2023)
      Coalition, the world's first Active Insurance provider designed to prevent digital risk before it strikes, today published its first-ever Coalition Cyber Threat Index, detailing insights on cybersecurity trends from 2022 and what emerging cyber threats are on the horizon to better prepare businesses for 2023.

       

    • Markets/Coverages: WTW Launches Cyber Facility, Providing Excess Capacity Globally - Insurance Journal, Insurance Journal (01/30/2023)
      A new excess layer cyber facility, called CyXS, was launched by WTW, providing excess layer cyber capacity for global clients.

       

    • JD Sports says 10 million customers hit by cyber-attack - Michael Race, BBC News (01/30/2023)
      Sportswear chain JD Sports has said stored data relating to 10 million customers might be at risk after it was hit by a cyber-attack.

       

    • Infrastructure Companies Say Suppliers Pose a Growing Cyber Threat - James Rundle, The Wall Street Journal (01/27/2023)
      Companies in critical infrastructure sectors say weak cyber defenses at suppliers are becoming a significant threat to their business, and that rules to boost security down the supply chain might be needed.

       

    • U.S. Intelligence Wants to Use Psychology to Avert Cyberattacks - Catherine Stupp, The Wall Street Journal (01/25/2023)
      The main research organization of the U.S. intelligence community is hunting for ways to use psychological theories to thwart cyberattacks. Scientists at IARPA are studying how to understand and predict hackers’ behavior to be more effective in stopping cyber incidents.

       

    • Cygnvs Emerges From Stealth Mode With Incident Response Platform - Ionut Arghire, Security Week (01/24/2023)
      Cygnvs, a California-based startup offering a secure communication and collaboration platform for cyber incident response, has emerged from stealth mode.

       

    • Maryland IG Finds Baltimore Schools Partially At Fault For Hack - Lillian Reed, Sabrina LeBoeuf, Baltimore Sun (01/24/2023)
      Maryland’s inspector general for education says the Baltimore County school system failed to provide adequate security for its computer network servers, despite several warnings from the state in the years preceding a devastating ransomware attack in 2020.

       

    • Ticketmaster blames cyberattack for Taylor Swift tour debacle - Frankie Taggart, Agence France-Presse (01/24/2023)
      US concert booking website Ticketmaster was hit by a cyberattack last year that led to it botching sales for Taylor Swift's US tour, it told lawmakers on Tuesday as it apologized to the pop superstar and her fans.

       

    • Constangy Expands Cybersecurity & Data Privacy Practice With 44-Member Team, Opens Six New Offices - Constangy, PR Newswire (01/19/2023)
      National labor and employment law firm Constangy, Brooks, Smith & Prophete, LLP is pleased to welcome a 44-member team, including 32 experienced attorneys, in a significant expansion of the firm's Cybersecurity & Data Privacy practice.

       

    • SecurityScorecard Research Finds 48% of Global Critical Manufacturing At Significant Risk of Breach - Business Wire, Business Wire (01/18/2023)
      SecurityScorecard, the global leader in cybersecurity ratings, today announced the results of its new report, Addressing the Trust Deficit In Critical Infrastructure, which revealed 48% of critical manufacturing organizations ranked “C,” “D,” or “F” on SecurityScorecard’s security ratings platform.

       

    • At-Bay Launches New Admitted Cyber Insurance Product for Small Businesses - Business Wire, Business Wire (01/17/2023)
      At-Bay, the leading insurance provider for the digital age, today announced the launch of a new admitted cyber insurance product. Approved in 47 states, At-Bay’s admitted policies will be sold exclusively through its growing partner network and will help cater to the insurance and security needs of today’s small businesses.

       

    • Private-Equity Firms Tighten Focus on Cyber Defenses at Portfolio Companies - James Rundle and Kim S. Nash, The Wall Street Journal (01/16/2023)
      Private-equity companies are taking a closer look at how their portfolio companies manage their cybersecurity, often before a deal is signed. A combination of market forces and investor pressure is forcing even the youngest companies to beef up their cybersecurity, as would-be acquirers step up their scrutiny of digital weaknesses.

       

    • Cyberattack keeps Iowa’s largest school district closed - Scott McFetridge, The Associated Press (01/11/2023)
      An apparent cyberattack on Iowa’s largest school district has led officials to cancel classes for 30,000 students for a second day as technicians scramble to protect data and restore the computer system, the district’s leader said Tuesday afternoon.

       

    • Beazley launches market's first cyber catastrophe bond - Ryan Smith, Insurance Business America (01/10/2023)
      Specialist insurer Beazley has announced the launch of the market’s first cyber catastrophe bond. The $45 million private Section 4(2) bond marks the first time that a liquid insurance-linked securities (ILS) instrument has been created for cyber catastrophe risks, Beazley said.

       

    • NJ governor bans TikTok on state devices - Stephen Neukam, The Hill (01/09/2023)
      New Jersey is the latest state to ban the use of TikTok, the popular video-based social media platform, on state government devices, Gov. Phil Murphy (D) announced on Monday.

       

    • Justices turn away Israeli spyware maker in WhatsApp suit - The Associated Press, The Associated Press (01/09/2023)
      The Supreme Court on Monday rejected an Israeli spyware maker’s bid to derail a high-profile lawsuit filed by the WhatsApp messaging service. The justices left in place lower court rulings against the Israeli firm, NSO Group. WhatsApp claims that NSO targeted some 1,400 users of the encrypted messaging service with highly sophisticated spyware.

       

    • China, a Pioneer in Regulating Algorithms, Turns Its Focus to Deepfakes - Karen Hao, The Wall Street Journal (01/08/2023)
      China is implementing new rules to restrict the production of ‘deepfakes,’ media generated or edited by artificial-intelligence software that can make people appear to say and do things they never did.

       

    • Russian cyberattacks on Ukraine halved with help from Amazon and Microsoft - Gareth Corfield, The Telegraph (01/07/2023)
      Frontline support from Silicon Valley giants has helped halve the number of Russian cyber attacks on Ukraine, new figures show. Millions of dollars-worth of cyber security help given by Microsoft and Amazon to Kyiv has dramatically reduced the number of cyberattacks by making it harder for Moscow to mount digital offensives.

       

    • Exclusive: Russian hackers targeted U.S. nuclear scientists - James Pearson and Christopher Bing, Reuters (01/06/2023)
      A Russian hacking team known as Cold River targeted three nuclear research laboratories in the United States this past summer, according to internet records reviewed by Reuters and five cyber security experts.

       

    • Ransomware attacks on health care systems are increasing in frequency, sophistication: research - Gianna Melillo, The Hill (01/06/2023)
      The annual number of ransomware attacks against U.S. hospitals, clinics and other care delivery organizations more than doubled from 43 to 91 between 2016 and 2021, new research shows. The security breaches exposed personal health information of an estimated 42 million patients.

       

    • U.S. national cyber strategy to stress Biden push on regulation - Ellen Nakashima and Tim Starks, The Washington Post (01/05/2023)
      The Biden administration is set to unveil a national strategy that for the first time calls for comprehensive cybersecurity regulation of the nation’s critical infrastructure, explicitly recognizing that years of a voluntary approach have failed to secure the nation against cyberattacks, according to senior administration officials.

       

    • NATO tests AI’s ability to protect critical infrastructure against cyberattacks - Michael Hill, CSO (01/05/2023)
      Autonomous intelligence, artificial intelligence (AI) that can act without human intervention, can help identify critical infrastructure cyberattack patterns and network activity, and detect malware to enable enhanced decision-making about defensive responses.

       

    • Ukraine War and Upcoming SEC Rules Push Boards to Sharpen Cyber Oversight - Catherine Stupp and Kim S. Nash, The Wall Street Journal (01/03/2023)
      Corporate boards and cybersecurity leaders are expected to collaborate more closely in the coming year to comply with new regulations and relentless attacks from hackers looking to steal data and disrupt business operations.

       

    • Cyber Insurance Themes to Look Out for in 2023 - Oliver Brew, Insurance Journal (01/03/2023)
      The below are some of the key themes to look for in 2023 for the direction of travel of the cyber insurance industry – some trends are already underway and will accelerate, whilst others are new.

       

    • LA housing agency is hit with cyberattack and is given a deadline to respond - The Los Angeles Daily News, The Los Angeles Daily News (01/03/2023)
      The Housing Authority of the City of Los Angeles announced today, Jan. 3, that it has been hit by an apparent cyberattack that has disrupted its systems and a leading tech industry website reports that the attackers have given the agency a deadline to respond.

       

    • Business owners policy doesn’t cover ransomware attack - Judy Greenwald, Business Insurance (01/03/2023)
      An insurer does not have to provide coverage under a business owners policy for a ransomware attack because there was no physical damage, the Ohio Supreme Court ruled in overturning a lower court decision.

       

    2022

    • Suffolk County, N.Y., Leaders Blame Clerk’s Office for Cyberattack - James Rundle, The Wall Street Journal (12/21/2022)
      A series of technical blunders, delayed security upgrades, unsuitable management structures and obstructive behavior from a senior official resulted in a September cyberattack on New York’s Suffolk County that has so far cost over $5 million to fix, County Executive Steve Bellone said Wednesday.

       

    • US consumers seriously concerned over their personal data - Jon Gold, CSO Online (12/19/2022)
      A report released today by Big Four accounting firm KPMG found that large majorities of the American public are highly concerned about the security of their personal data, and that US companies aren’t helping matters by ramping up their collection of that data.

       

    • US agencies warn of hackers using BEC tactics to steal large shipments of food products, ingredients - Anna Ribeiro, Industrial Cyber (12/16/2022)
      Organizations in the food and agriculture sector have been warned of recently observed incidents of criminal hackers using business email compromise (BEC) to steal shipments of food products and ingredients valued at hundreds of thousands of dollars. On Thursday, U.S. agencies released a joint cybersecurity advisory (CSA) that identifies the emergence of the BEC tactic as ‘one of the most financially damaging’ online crimes.
    • Bright Horizons Family Reports Ransomware Cyber-Incident - Meghan Genovese, Bloomberg Law (12/15/2022)
      Bright Horizons Family Solutions said on Dec. 12 it determined that a ransomware cyber-incident had “impacted and disrupted a number of the company’s operational and information technology systems,” according to a regulatory filing today.

       

    • Hacker claims breach of FBI’s critical-infrastructure portal - Frank Bajak, The Associated Press (12/14/2022)
      A hacker who reportedly posed as the CEO of a financial institution claims to have obtained access to the more than 80,000-member database of InfraGard, an FBI-run outreach program that shares sensitive information on national security and cybersecurity threats with public officials and private sector actors who run U.S. critical infrastructure.

       

    • U.K. Quantum Cybersecurity Firm Discloses SEC Investigation Over Merger - Eliot Brown, Dustin Volz, and Byron Tau, The Wall Street Journal (12/14/2022)
      British cybersecurity company Arqit Quantum Inc. is facing an investigation from the U.S. Securities and Exchange Commission over its merger with a special-purpose acquisition company last year, the company disclosed Wednesday.

       

    • Ethical hackers discovered 65,000 software vulnerabilities this year - Tim Keary, Venture Beat (12/12/2022)
      Vulnerabilities are everywhere. Every device, application and API presents new entry points for attackers to exploit and gain access to privileged information. However, more and more organizations are turning to ethical hackers to help keep up with potential exploits. In fact, according to HackerOne’s 2022 Hacker-Powered Security Report released today, ethical hackers discovered more than 65,000 software vulnerabilities in 2022, an increase of 21% since 2021.

       

    • Most startups have cyber insurance but are uncertain about how much risk is covered - Help Net Security, Help Net Security (12/12/2022)
      Despite the significant economic headwinds startups currently face – from a challenging fundraising landscape to inflation woes and difficult operational decisions – company founders remain pointedly focused on advancing their cybersecurity protections now and moving forward, according to Embroker.

       

    • Knox College president addresses ransomware incident as notorious group claims credit - Samuel Lisec, The Register-Mail (12/09/2022)
      Hive Ransomware Group, a FBI-identified criminal organization, has claimed credit for ongoing "disruptions" to Knox College’s computer systems. In an email sent to a number of Knox students on Wednesday, a group claiming to be Hive says it has encrypted “critical infrastructure and data,” compromised the college’s backup servers and mined sensitive personal information like medical records and social security numbers.

       

    • Google: North Korea used Seoul Halloween tragedy to launch cyberattacks - Thomas Maresca, UPI (12/08/2022)
      North Korean state-backed hackers created official-looking documents referencing the Seoul Halloween crowd crush tragedy in an attempt to send malware to users in South Korea, Google's Threat Analysis Group said in a new report.

       

    • HHS bulletin clarifies when pixel tracker use may violate HIPAA - Paige Minemyer, Fierce Healthcare (12/02/2022)
      The Biden administration has issued a bulletin warning that pixel trackers may come up against federal privacy law.

       

    • IKEA confirms it was hit in significant cyberattack - Sead Fadilpašić, Tech Radar (12/01/2022)
      Swedish furniture powerhouse Ikea has confirmed some of its shops in North Africa and the Middle East fell victim to a ransomware attack by the ransomware gang Vice Society.

       

    • Suspected Cyberattack Hits Vatican Website - AFP - Agence France Presse, Barron's (11/30/2022)
      The Vatican website was inaccessible Wednesday evening, the Holy See press service said, in a suspected cyberattack that the Ukrainian ambassador blamed on Russia. "Technical investigations were ongoing (at the end of the day) because of abnormal attempts to access the website," Vatican spokesman Matteo Bruni said.

       

    • Lawsuit alleges Google broke Louisiana law in capturing residents' biometric data - Anthony Mcauley, NOLA (11/30/2022)
      Google Inc. is being sued in Louisiana over allegations that the online-search giant has been capturing and selling biometric data from residents in violation of the state's consumer protection and privacy law.

       

    • WSJ Pro Research Survey: Perceptions of Ransomware & Threats - Rob Sloan, The Wall Street Journal (11/29/2022)
      Data from the latest WSJ Pro Research cybersecurity survey reveals the most concerning threats and how businesses are dealing with ransomware attacks.

       

    • As CIOs tighten tech spend, demand for cybersecurity services grows - Suman Bhattacharyya, CIO Dive (11/28/2022)
      Companies looking to fend off cybercriminals are turning to third-party firms to help thwart an expanding network of threat actors. Cybersecurity spending, which encompasses services and products, is expected to grow by 10% to 15% over the next 12 to 18 months, but product spending over the same period will decline 10% to 15%, said Doug Saylors, a partner at research and advisory firm ISG.

       

    • US bans sale of Chinese tech from Huawei and ZTE due to ‘unacceptable’ national security risk - Arpan Rai, The Independent (11/27/2022)
      The US has outlawed the sale of Chinese-origin communications equipment made by Huawei and ZTE, prohibiting the use of some China-made surveillance systems due to an “unacceptable risk” to national security, in a fresh set of restrictions imposed on Beijing on Friday.

       

    • RIMS urges federal backstop for catastrophic cyber incidents - Matthew Lerner, Business Insurance (11/21/2022)
      The Risk & Insurance Management Society Inc. Monday said it had sent a comment letter to the Federal Insurance Office supporting legislative efforts regarding a federal backstop for large-scale catastrophic cyber incidents that impact infrastructure.
    • Twitter had to assure employees that Elon Musk's infamous late-night email about his 'hardcore' vision for the company wasn't a phishing attack, report says - Kate Duffy, Business Insider (11/18/2022)
      Twitter had to assure employees that Elon Musk's infamous late-night email asking them to commit to his "hardcore" vision for the company wasn't a phishing attack.

       

    • This phishing kit is punishing unaware shoppers this Black Friday - Sead Fadilpašić, Tech Radar (11/18/2022)
      Cybersecurity researchers from Akamai have spotted a new phishing campaign that targets consumers in the United States with fake holiday offers. The goal of the campaign is to steal sensitive identity credentials like credit card information, and ultimately their money.

       

    • Hive ransomware actors have extorted over $100M from victims, says FBI - Carly Page, Tech Crunch (11/18/2022)
      The U.S. government has warned of ongoing malicious activity by the notorious Hive ransomware gang, which has extorted more than $100 million from its growing list of victims.

       

    • The feds warn that hackers could hold Midwestern harvests hostage with ransomware - Elizabeth Rembert, Harvest Public Media (11/17/2022)
      American farming increasingly relies on software to keep the U.S. the world’s top food producer. But all that reliance on code-driven machinery has drawn ransomware attacks that could prove particularly devastating during harvest.

       

    • The FBI alleges TikTok poses national security concerns - Rachel Treisman, NPR (11/17/2022)
      The head of the FBI says the bureau has "national security concerns" about the U.S. operations of TikTok, warning that the Chinese government could potentially use the popular video-sharing app to influence American users or control their devices.

       

    • Iran-linked threat actors exploiting Log4Shell via unpatched VMware, feds warn - David Jones, Cybersecurity Dive (11/16/2022)
      State-backed Iranian threat actors are exploiting a Log4Shell vulnerability inside an unpatched VMware server at a federal civilian agency, the Cybersecurity and Infrastructure Security Agency warned in a joint advisory with the FBI Wednesday.

       

    • Beazley’s $417m capital raise for 10% stake a ‘proactive’ move in hardening market - Intelligent Insurer, Intelligent Insurer (11/16/2022)
      London-listed insurer Beazley has completed a £350 million (approximately $417 million) equity raise to provide growth capital to fund “attractive underwriting opportunities” in the hardening market, especially cyber, specialty and property business. Analysts believe the capital raise is “proactive move” by the insurer in view of the bullish pricing outlook, and also to reduce its reinsurance protection.

       

    • K-12 improving cybersecurity, lags behind other sectors - Judy Greenwald, Business Insurance (11/15/2022)
      The K-12 education sector is improving its cybersecurity capabilities over time, but it lags behind other sectors in terms of cybersecurity program maturity, says a study issued Monday.

       

    • HHS cybersecurity center warns of new ransomware threat - Susan Kelly, Healthcare Dive (11/14/2022)
      The HHS’ Health Sector Cybersecurity Coordination Center is cautioning the healthcare industry that Venus ransomware operators are targeting remote desktop services to encrypt Windows devices. At least one health organization in the United States has been a victim, according to the cybersecurity center, also known as HC3.

       

    • Hacking fears after $650m vanishes from collapsed crypto firm - Gareth Corfield and Matt Oliver, The Telegraph (11/12/2022)
      Cryptocurrency exchange FTX is facing fresh controversy after observers noticed “unusual” withdrawals totalling around $650m from the collapsed website’s funds on Saturday. The collapse of FTX, one of the world’s biggest exchanges, has wiped $150bn (£126bn) off the cryptocurrency market’s value, amid fears that the crisis could yet deepen.

       

    • Attacks on critical infrastructure doubled in the past year, Microsoft says - Steve Zurier, SC Media (11/07/2022)
      In the Microsoft Digital Defense Report 2022, the software maker said cyberattacks targeting critical infrastructure around the world jumped from 20% of all nation-state attacks Microsoft detected to 40%.
    • New era of cyber risks calls for a novel approach to insurance - Swiss Re Ltd Publication, Market Screener (11/07/2022)
      The cyber risk landscape is rapidly evolving, with cyberattacks increasing in severity and sophistication. Hackers now use triple extortion techniques and ransomware-as-a-service has lowered entry barriers for cybercriminals. In addition, increased digitalisation of critical infrastructure has made it more vulnerable to cyber threats – with the potential for systemic fallout should a cyberattack interrupt the provision of clean water, energy or internet services for an extended period of time. This new risk era requires a different approach to cyber insurance, a new Swiss Re Institute study suggests.

       

    • S&P reports discuss cyber risk management, threats to chemical companies and national governments - Charlie Mitchell, Inside Cybersecurity (11/03/2022)
      A trio of reports from S&P Global Ratings address the cyber risks faced by chemical companies and by national governments, or sovereigns, as well as the nexus between cyber and credit risk management.

       

    • Corvus Insurance Enters Continental European Market Through Multi-Year Cyber Insurance Partnership with Travelers - Business Wire, Business Wire (11/03/2022)
      Corvus Insurance, the market-leading specialty insurance MGA offering Smart Commercial Insurance™ products powered by AI-driven risk data, today announced it has partnered with The Travelers Companies, Inc., an industry leader in personal, business, and specialty insurance, to back its Smart Cyber Insurance™ offering.

       

    • Mondelez and Zurich’s NotPetya cyber-attack insurance settlement leaves behind no legal precedent - Christopher Burgess, CSO Online (11/03/2022)
      Mondelez International and Zurich American Insurance settled a keenly watched lawsuit over how cyberattack insurance applies to intrusions from nation states during wartime. A private agreement, its resolution sheds no light on how the issue will be play out.

       

    • EU Expands Cyber Rules for Airline Flight Safety - Catherine Stupp, The Wall Street Journal (11/02/2022)
      New cybersecurity rules in Europe will for the first time require a swath of aviation suppliers to identify and defend against hacking risks to flight safety.

       

    • Banks detected a record $886 million in ransomware payments in 2021 - Carter Pape, American Banker (11/02/2022)
      Ransomware attackers threatened to extort $866 million from U.S. bank customers last year in a record-breaking scourge primarily perpetrated by threat actors affiliated with Russia.

       

    • White House invites dozens of nations for ransomware summit - Associated Press, Associated Press (10/31/2022)
      The White House is bringing together three dozen nations, the European Union and a slew of private-sector companies for a two-day summit starting Monday that looks at how best to combat ransomware attacks.

       

    • Industrial providers ramp up cyber risk posture as OT threats evolve - David Jones, Cybersecurity Dive (10/31/2022)
      Industrial organizations have strengthened their cybersecurity postures in the past year as nearly two-thirds have faced high or severe threats to their operational technology environments, according to a SANS Institute report commissioned by Nozomi Networks.

       

    • FTC Brings Action Against Ed Tech Provider Chegg for Careless Security that Exposed Personal Data of Millions of Customers - Federal Trade Comission, FTC Press Release (10/31/2022)
      The Federal Trade Commission is taking action against education technology provider Chegg Inc. for its lax data security practices that exposed sensitive information about millions of its customers and employees, including Social Security numbers, email addresses and passwords.

       

    • Interpol says metaverse opens up new world of cybercrime - Dina Kartit and Elizabeth Howcroft, Reuters (10/27/2022)
      Global police agency Interpol said it was preparing for the risk that online immersive environments - the "metaverse" - could create new kinds of cybercrime and allow existing crime to take place on a larger scale.

       

    • Global Insurance Rates Continue Rising at Slower Levels; Cyber Outpaces Other Lines - Insurance Journal, Insurance Journal (10/27/2022)
      Global insurance pricing continued to rise, although at a slower pace, during the third quarter, which saw commercial insurance premiums increase an average of 6%, down from 9% in Q2, according to Marsh’s Global Insurance Market Index. The biggest increases were seen in cyber insurance, but pricing also followed the moderation theme.

       

    • Ransomware remains a top cyber risk for businesses, but new threats emerging - Allianz, Allianz Global Corporate & Specialty Press Release (10/26/2022)
      Ransomware remains a top cyber risk for organizations globally while business email compromise incidents are on the rise and will increase further in the ‘deep fake’ era. At the same time, the war in Ukraine and wider geopolitical tensions are a major concern as hostilities could spill over into cyber space and cause targeted attacks against companies, infrastructure or supply chains, according to a new report from Allianz Global Corporate & Specialty.

       

    • Help wanted for 3.4M jobs: Cyber workforce shortage is an acute, worldwide problem - David Jones, Cybersecurity Dive (10/24/2022)
      An ongoing shortage of qualified workers in the information security space is becoming even more acute, as a new report from (ICS)2 shows the industry needs to grow by about 3.4 million workers to close the global workforce gap.

       

    • Ukraine war cuts ransomware as Kremlin co-opts hackers - Gareth Corfield, The Telegraph (10/23/2022)
      The Ukraine war has helped reduce global ransomware attacks by 10pc in the last few months, a British cybersecurity company has said.

       

    • NAIC Report Shows Premiums Grew 61% as Cyberthreats Rose in 2021 - NAIC, NAIC (10/21/2022)
      The National Association of Insurance Commissioners (NAIC) released its Cyber Insurance report, utilizing data found within the Cyber Supplement, as well as alien surplus lines data collected through the NAIC’s International Insurance Department. The 2021 data shows a cybersecurity insurance market of roughly $6.5 billion, reflecting an increase of 61% from the prior year.

       

    • Cyber M&A Expected to Remain Robust Into 2023 - James Rundle, The Wall Street Journal (10/19/2022)
      The cybersecurity industry is poised to enter a period of rapid consolidation, analysts say, as private-equity firms and established companies seek to offer one-stop shops for cyber chiefs, compliance requirements drive spending and company valuations moderate from last year’s highs.

       

    • Privacy Executives Hope Trans-Atlantic Deal Withstands Court Challenges - Catherine Stupp, The Wall Street Journal (10/19/2022)
      Corporate executives focused on privacy are cautious but hopeful that new legal safeguards on American surveillance practices affecting European Union citizens will make it easier to do business in the EU, following two years of regulatory challenges to trans-Atlantic data transfers.

       

    • TSA rolls out long-anticipated cyber directive for freight, passenger rail systems - David Jones, Cybersecurity Dive (10/19/2022)
      The Transportation Security Administration issued long-awaited directives Tuesday designed to enhance the cyber resilience of the nation’s freight and passenger rail systems. The measures are part of a wider effort by the Biden administration to protect critical infrastructure against malicious hacks.

       

    • Cybersecurity Tops the CIO Agenda as Threats Continue to Escalate - Steven Rosenbush, The Wall Street Journal (10/17/2022)
      Chief information officers say cybersecurity once again will be their top investment priority in 2023, a sign of how companies are racing to manage the business risk posed by escalating threats.

       

    • Cyber liability claims skyrocketing – Acuity - Ryan Smith, Insurance Business America (10/17/2022)
      Wisconsin-based Acuity Insurance has reported an increased need for cyber liability insurance among both personal and business policyholders as cybercrime continues to grow.

       

    • U.S. Election Officials Are on Alert for Cyber, Physical Attacks - David Uberti, The Wall Street Journal (10/13/2022)
      The array of potential threats to the 2022 midterms is “more complex than it has ever been,” a top U.S. official said Thursday, but Washington has yet to see specific or credible attempts by foreign governments to disrupt the Nov. 8 vote.

       

    • Cyber MGA Coalition and BDT Capital Partners Launch Bermuda Reinsurer Ferian Re - Insurance Journal, Insurance Journal (10/13/2022)
      Coalition, the San Francisco-based cyber insurer and cyber-security firm, announced the formation of Ferian Re, an independent Bermuda-based Class 3B reinsurer that will provide capacity across Coalition’s cyber programs.

       

    • Swell of Class Action Suits Alleging Wiretapping Violations Target Companies That Track User Activity of Their Websites - J. Colin Knisely, Michael Zullo and Gerald Maatman, Jr., Mondaq (10/11/2022)
      A new wave of class action lawsuits filed in California, Pennsylvania and Florida target companies that use technologies to track user activity on their websites, alleging such practices, when done without obtaining a user's consent, violate electronic interception provisions of various state laws.

       

    • German Cybersecurity Chief Faces Sack Over Alleged Russia Ties: Sources - Jürgen Petzold, AFP News (10/10/2022)
      Germany's cyber security agency chief is facing the sack over alleged ties with Russian intelligence services, government sources told AFP on Monday, amid heightened vigilance over potential sabotage activities by Moscow.

       

    • U.S. Rewrites Digital Privacy Rules for Europeans to Keep Data Flowing - Sam Schechner, Catherine Stupp and Ken Thomas, The Wall Street Journal (10/07/2022)
      The U.S. is starting to implement a deal with the European Union aimed at allowing information about Europeans to continue to be stored on U.S. soil, reducing a looming threat to thousands of companies with trans-Atlantic operations.

       

    • Lloyd's of London investigates possible cyber attack - Carolyn Cohn, Reuters (10/05/2022)
      Lloyd's of London is investigating a possible cyber attack, the commercial insurance market said on Wednesday, with companies on high alert for intrusions as a result of the conflict between Russia and Ukraine.

       

    • Hospital chain says ‘IT security issue’ disrupts operations - Associated Press, Associated Press (10/05/2022)
      A major nonprofit health system with 140 hospitals in 21 states, CommonSpirit Health, is reporting an “IT security issue” that has disrupted operations in multiple states.

       

    • NetDiligence Publishes Twelfth Annual Cyber Claim Study - PR Newswire, PR Newswire (10/03/2022)
      NetDiligence®, a leading provider of cyber risk readiness and response services, announced today it has published its twelfth annual Cyber Claims Study, a study of actual losses for data breaches and other cyber-related events covered by leading cyber insurance carriers. Sponsoring the study are RSM, Experian, Guidewire, and The Beckage Firm.

       

    • Insider Q&A: Privacy advocate sees growing public alarm - Marcy Gordon, The Associated Press (10/03/2022)
      Jeffrey Chester, executive director of the Center for Digital Democracy, has advocated in Washington for privacy protection for 25 years, warning about threats to online privacy. The Associated Press spoke recently with Chester about growing public concern and official action.
    • National Cyber Insurance Mulled by Treasury Amid Risk Concern - Daphne Zhang, Bloomberg Law (09/29/2022)
      The Treasury Department is seeking feedback on creating a national cyber insurance program to counter catastrophic cyber attacks, concerned that private insurance may not be sufficient. The department’s Federal Insurance Office said Thursday that it is looking for public comments on cyber security issues concerning cross-sector cyber attacks and whether currently available cyber insurance is affordable for businesses. The public has until Nov. 14 to submit feedback.

       

    • Travelers Risk Index Shows Cyber Threats Remain Top Overall Business Concern - Business Wire, Business Wire (09/26/2022)

      The Travelers Companies, Inc. today released its 2022 Travelers Risk Index results, and for the third time in four years, the survey found that cyber threats were the top overall concern for business decision makers. Of the 1,200 survey participants, more feel that today’s business environment is riskier compared to a year ago, and more than half (57%) think a future cyber attack on their company or organization is inevitable.

       

    • Alleged Teenage ‘TeaPot’ Uber Hacker Arrested In England - Brian Bushard, Forbes (09/23/2022)
      The 17-year-old believed to be “TeaPot,” who hacked Uber and is believed to be behind another hack of Rockstar Games this month, was arrested in England on Friday, accused of infiltrating the companies’ internal messaging boards and exposing corporate weaknesses to hacks.

       

    • Cybersecurity Becomes Hot Button Issue During Water Infrastructure Hearing - Jose Rascon, MeriTalk (09/22/2022)
      Members of Congress voiced their concerns on the need for more cybersecurity to protect the water infrastructure of the United States at a Homeland Security Committee hearing on Sept. 21.

       

    • Cyberattack steals passenger data from Portuguese airline - The Associated Press, The Associated Press (09/22/2022)
      Portugal’s national airline TAP Air Portugal says hackers obtained the personal data of some of its customers and have published the information on the dark web.

       

    • Companies Should Treat Cyber Threats as Core Business Risk, U.S. Cyber Official Says - Catherine Stupp, The Wall Street Journal (09/20/2022)
      Corporate boards need to propel companies’ investment in cyber defenses and push management to treat hacking threats as a core business risk, according to a top official of the U.S. Cybersecurity and Infrastructure Security Agency.

       

    • Secret UK and Albania talks on illegal migrants exposed by Iranian hack - Charles Hymas, The Telegraph (09/19/2022)
      Cyber-attack reveals confidential negotiations on an ‘integrated approach’ to tackle Albanian organised crime and drug networks reaching UK.

       

    • The University of Michigan announced Friday it had finalized its $490 million settlement with victims of Dr. Robert Anderson, the late physician who allegedly sexually abused more than 1,000 people in his nearly 40 years working at the school. - Edward Graham, Next Gov (09/16/2022)
      The Biden administration on Friday announced the launch of a $1 billion cybersecurity grant program to help state, local and territorial governments better defend against cyber threats and strengthen the security of their critical infrastructure.

       

    • U.S. indicts Iranian hackers for attacks on critical infrastructure - Maggie Miller & Ry Rivard, Politico (09/14/2022)
      The Justice Department on Wednesday announced charges against three Iranian individuals alleged to have launched cyberattacks against U.S. and global critical infrastructure.

       

    • Cyberattacks against U.S. hospitals mean higher mortality rates, study finds - Kevin Collier, NBC News (09/08/2022)
      Cyberattacks against health care facilities, a near-constant occurrence in the U.S., often lead to increased patient mortality rates, a new study has found.

       

    • One of the world's biggest hotel chains hit by cyberattack - Craig Hale, Tech Radar Pro (09/07/2022)
      Intercontinental Hotels Group (IHG), the parent company of brands including Holiday Inn, Crowne Plaza, and Regent hotels, has confirmed that it has been subject to a cyberattack.

       

    • Albania cuts diplomatic ties with Iran over July cyberattack - Llazar Semini, The Associated Press (09/07/2022)
      Albania cut diplomatic ties with Iran and expelled the country’s embassy staff over a major cyberattack nearly two months ago that was allegedly carried out by Tehran on Albanian government websites, the prime minister said Wednesday.

       

    • CISA to Hold Meetings to Flesh Out Cyber-Incident Reporting Rules - James Rundle, The Wall Street Journal (09/07/2022)
      The Cybersecurity and Infrastructure Security Agency will launch 11 consultations with critical-infrastructure operators over the coming weeks in an effort to flesh out cybersecurity reporting rules that Congress passed earlier this year.

       

    • One of the world's biggest hotel chains hit by cyberattack - Craig Hale, Tech Radar Pro (09/07/2022)
      Intercontinental Hotels Group (IHG), the parent company of brands including Holiday Inn, Crowne Plaza, and Regent hotels, has confirmed that it has been subject to a cyberattack.

       

    • Twitter Whistleblower Peiter Zatko Has Warned of Cyber Disasters for Decades - Robert McMillan, The Wall Street Journal (08/24/2022)
      In November 2020, Twitter Inc. co-founder Jack Dorsey picked a famed ex-hacker, Peiter Zatko, to solve some of his social-media company’s most pernicious problems: protecting user privacy and the security of its computer systems.

       

    • Microsoft warns cryptojacking is still a major threat, despite crypto winter - Sead Fadilpašić , Tech Radar (08/22/2022)
      Cryptocurrencies may be losing value against the dollar right now, but they are still a very desirable asset for cybercriminals everywhere.

       

    • CISA + MS-ISAC Alert: Threat Actors Exploiting Zimbra Collaboration Suite - Linn Freedman, JD Supra (08/22/2022)
      On August 16, 2022, CISA (the Cybersecurity and Infrastructure Security Agency) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) issued an Alert outlining multiple Common Vulnerabilities and Exposures (CVEs) that threat actors are actively exploiting against Zimbra Collaboration Suite, which is “an enterprise cloud-hosted collaboration software and email platform.”

       

    • Google says it has blocked another huge DDoS attack - Sead Fadilpašić , Tech Radar (08/19/2022)
      Google claims to have stopped on of the largest Distributed Denial of Service (DDoS) attacks ever seen. In a blog post(opens in new tab), the company's Senior Product Manager for Cloud Armor, Emil Kiner, and Technical Lead Satya Konduru, said its tool stopped a Layer 7 HTTPS DDoS attack that peaked at 46 million requests per second (rps), making it 76% larger compared to the previous record-holder.

       

    • Expert: Ransom paid after cyberattack on Cedar Rapids schools likely necessary - Grace King, The Gazette (08/15/2022)
      The Cedar Rapids school district may never tell the public how much it paid in ransom to a criminal group that this summer attacked it computers — a payment that likely was “absolutely necessary,” a local security expert said.

       

    • NHS cyber attacks hit record levels in four in five trusts after Russian invasion - Joe Pinkstone & Lizzie Roberts, The Telegraph (08/14/2022)
      Four in five NHS trusts have faced record levels of cyber attacks following the Russian invasion of Ukraine, data show.

       

    • State Dept. offers $10 million for information on Russian hackers - Ines Kagubare, The Hill (08/11/2022)
      The State Department announced on Thursday that it was offering a reward of up to $10 million for information leading to the identity and location of five individuals believed to be tied to the Conti ransomware group.

       

    • Cisco Systems Faced Cyberattack From Hacked Employee's Google Account - RTT News, Nasdaq (08/11/2022)
      Cisco Systems revealed on Wednesday details of a May hack by the Yanluowang ransomware group, which leveraged a compromised employee's Google account. The networking giant is calling the attack a "potential compromise" in a post by the company's own Cisco Talos threat research arm.

       

    • US firm: Likely Iranian threat actor in Albania cyberattack - Llazar Semini, The Associated Press (08/04/2022)
      A cyberattack that temporarily shut down numerous Albanian government digital services and websites in mid-July was likely the work of pro-Iranian hackers seeking to disrupt an Iranian opposition group’s conference in Albania, a leading U.S. cybersecurity firm said Thursday.

       

    • Code Dark: Children’s Hospital Strives to Minimize Impact of Hacks - James Rundle, The Wall Street Journal (08/03/2022)
      In healthcare, code blue signifies an emergency with an adult patient. Code red warns of fire. At Children’s National Hospital in Washington, D.C., staff have added another: code dark, for a cyberattack.

       

    • Log4j software flaw ‘endemic,’ new cyber safety panel says - Alan Suderman, The Associated Press (07/14/2022)
      A computer vulnerability discovered last year in a ubiquitous piece of software is an “endemic” problem that will pose security risks for potentially a decade or more, according to a new cybersecurity panel created by President Joe Biden.

       

    • Twitter sues Elon Musk for backing out of $44 billion deal to buy company - Terry Collins et al, USA Today (07/12/2022)
      Twitter filed a lawsuit Tuesday against Elon Musk after the billionaire backed out of a $44 billion agreement to buy the embattled social media company.

       

    • Cyberattack disrupts unemployment benefits in some states - Jonathan Mattise & Alan Suderman, The Associated Press (06/30/2022)
      A cyberattack on a software company has disrupted unemployment benefits and job seeking assistance for thousands of people in several states.

       

    • Russian Space Agency Targeted in Cyberattack - Mauro Orru, The Wall Street Journal (06/29/2022)
      The website of Russia’s space agency was hit by a cyberattack after it posted satellite imagery and coordinates of the White House, the Pentagon and other Western decision-making bodies, the agency’s press service said.

    • Congresswoman Promotes Cyber Insurance Amid Shifting Policy Landscape - Mariam Baksh, Next Government (06/28/2022)
      The jury is still out on how using insurance policies to pay ransoms and re-establish systems after a cyberattack affects critical infrastructure organizations’ individual and collective resilience.

       

    • Pro-Russia hackers claim responsibility for 'intense, ongoing' cyberattack against Lithuanian websites - Sean Lyngaas, CNN (06/27/2022)
      An "intense, ongoing" cyberattack has hit the websites of government agencies and private firms in Lithuania, the Baltic country's defense ministry said Monday.

       

    • Cyberattack forces Iran steel company to halt production - Isabel Debre, The Associated Press (06/27/2022)
      One of Iran’s major steel companies said Monday it was forced to halt production after being hit by a cyberattack that also targeted two other plants, apparently marking one of the biggest such assaults on the country’s strategic industrial sector in recent memory.

       

    • A security breach of Fitness app Strava allowed unidentified operatives to spy on Israeli military's movements, report says - Joshua Zitser, Business Insider (06/26/2022)
      An alleged security breach on Strava, the fitness-tracking app for runners and cyclists, allowed unidentified operatives to spy on members of Israel's military, according to an Israeli watchdog group.

       

    • Apple and Android phones hacked by Italian spyware, Google says - Zeba Siddiqul, Reuters (06/23/2022)
      An Italian company's hacking tools were used to spy on Apple Inc and Android smartphones in Italy and Kazakhstan, Alphabet Inc's Google said in a report on Thursday.

       

    • Russia Increased Cyber Espionage Against Countries Supporting Ukraine, Microsoft Says - Dustin Volz, The Wall Street Journal (06/22/2022)
      Russian intelligence agencies have increased the pace of cyberattacks against nations that have provided aid to Ukraine, according to new research published Wednesday by Microsoft Corp. , which said it had observed Moscow-backed hacking attempts in over 40 countries.

       

    • U.S., EU Plan Joint Foreign Aid for Cybersecurity to Counter China - Catherine Stupp, The Wall Street Journal (06/15/2022)
      The U.S. and the European Union plan to introduce joint funding of secure digital infrastructure in developing countries, according to officials involved in the talks.

       

    • Cybersecurity courses ramp up amid shortage of professionals - Tamara Chuang, The Associated Press (06/11/2022)
      The pressure was on. Someone, somewhere, was attacking computer systems so customers couldn’t reach certain websites. In a windowless room in Denver, Zack Privette had worked all morning with his security team to figure out what the cyber strangers were up to.

       

    • Russian ministry website appears hacked; RIA reports users data protected - Reuters, Reuters (06/05/2022)
      The website of Russia's Ministry of Construction, Housing and Utilities appeared to have been hacked, with an internet search for the site leading to a "Glory to Ukraine" sign in Ukrainian.

       

    • HHS unit works to curb cyberattacks - Eric Geller et al, Politico (06/01/2022)
      As health care companies face a brutal one-two punch of pandemic chaos and ransomware attacks, a small unit inside HHS is helping them fight back. The department’s Health Sector Cybersecurity Coordination Center is a one-stop shop for information about hackers’ activities and ways to avoid being hacked. It distributes threat advisories, vulnerability announcements and other warnings to give executives and IT employees at health care firms a sense of how to spend their limited time and resources. HC3, as it’s known, has spent almost four years building up its capacity, and HHS’ partners in the industry say the center’s help has never been more critical.

       

    • FBI Chief Blames Iran for Cyberattack on Boston Children’s Hospital - Dustin Volz, The Wall Street Journal (06/01/2022)
      Hackers working for the Iranian government last summer attempted to break into and damage computer systems at Boston Children’s Hospital, Federal Bureau of Investigation Director Christopher Wray said Wednesday.

       

    • Cyber Insurance Policies May Not Cover Phishing Attack Funds Diversion - Kelly Melchiondo, JD Supra (05/24/2022)
      The Eleventh Circuit Court of Appeals is considering an appeal from the United States District Court for the Middle District of Florida , in which the District Court ruled that a cyber insurance policy did not cover diversion of funds for a real estate closing. In Star Title Partners of Palm Harbor, LLC v. Illinois Union Insurance Co., District Court Case No. 8:20-CV-02155, Star Title Partners mistakenly wired funds related to a Florida real estate transaction to a fraudster who posed as a Texas mortgage company. Star Title’s employees purportedly failed to authenticate the perpetrator’s wire instructions. Upon learning that the fraudster had diverted the funds, Star Title tendered a wire fraud claim to its cyber insurance carrier, which denied coverage.

       

    • U.S. Narrows Approach to Anti-Hacking Law to Shield ‘Good-Faith’ Research - David Uberti, The Wall Street Journal (05/19/2022)
      The Justice Department on Thursday urged prosecutors to narrow their enforcement of the nation’s main anti-hacking law in a bid to protect legitimate researchers who probe technology for security flaws.

       

    • Cyberattacks quietly launched by Russia before its invasion of Ukraine may have been more damaging than intended - Stavros Atlamazoglou , Business Insider (05/18/2022)
      Russia is known for its potent cyber-warfare capabilities. So it is no surprise that Moscow launched cyberattacks against Ukrainian targets in the lead up to its invasion in late February.

       

    • The EU extends sanctions for massive cyber attacks until 2025 - Darryl S. Slawson, Europe & World News (05/16/2022)
      The European Union extends until 2025 sanctions for massive cyberattacks against member states, affecting eight people and four entities.

       

    • Eurovision 2022 was targeted by Russian hackers - Mike Moore, Tech Radar Pro (05/16/2022)
      Pro-Russian cybercriminals attempted to attack a number of targets during the recent Eurovision Song Contest 2022, including the show itself, organizers have confirmed.

       

    • They Fled Ukraine to Keep Their Cyber Startup Alive. Now, They’re Hacking Back. - David Uberti, The Wall Street Journal (05/12/2022)
      Dozens of employees at Ukrainian cybersecurity startup Hacken fled their war-torn country and found refuge about 2,000 miles away in Portugal. Since then, they have managed to keep their business alive and are now supporting cyber operations against Russia.

       

    • Britain must upgrade cyber defences 'or be hit by 9/11-style attack' - Will Bolton, The Telegraph (05/11/2022)
      The UK could be hit by a “9/11”-style cyber attack if security services underestimate the “magnitude of the threat” they face, a senior US intelligence chief has said.


       

    • Businesses Seek to Soften SEC Cyber Rules - David Uberti & James Rundle, The Wall Street Journal (05/11/2022)
      Companies including Chevron Corp., Quest Diagnostics Inc. and Ernst & Young LLP are pushing to narrow proposed cybersecurity rules from the Securities and Exchange Commission in the private sector’s latest attempt to shape a growing array of regulations by Washington.

       

    • Hackers hit web hosting provider linked to Oregon elections - Andrew Selsky, The Associated Press (05/10/2022)
      A week before Oregon’s primary election, the secretary of state’s office is moving to protect the integrity of its online system where campaign finance records are published after a web hosting provider was hit by a ransomware attack.

       

    • US offers $15m reward for info on Conti group behind HSE cyberattack - Vish Gain, Silicon Republic (05/09/2022)
      The US Department of State is offering up to $15m as a reward for information on the group behind the Conti ransomware that was used to target Ireland’s national health service last year.

       

    • US Cyber Command team helps Lithuania protect its networks - The Associated Press, The Associated Press (05/05/2022)
      The Pentagon’s cyber arm says a team spent months working with officials in Lithuania to help protect government networks there from cyberattacks.

       

    • A lone-wolf researcher has turned the table on the hackers - Sead Fadilpašić , Tech Radar (05/05/2022)
      A researcher going by the name hyp3rlinx has discovered that some of the most popular ransomware strains, such as Conti, REvil, LockBit, including many others, carry a flaw that makes them vulnerable to DLL hijacking.

       

    • Business email attacks are now a multi-billion dollar industry - Sead Fadilpašić, Tech Radar (05/05/2022)
      Business Email Compromise (BEC) attacks have grown into a $43 billion industry, the FBI has warned, urging companies to be on their guard.

       

    • The teenage hackers paid millions to expose corporations’ weak spots - Gareth Corfield, The Telegraph (05/02/2022)
      The 19-year-old sat at his desk, eyes hooked on the screen. Displayed on it was a corporate-looking website. At a casual glance it was just another nondescript web page, perhaps a little sparser than the colourful social media platforms he might be expected to browse.

       

    • Coca-Cola Investigates Hacking Claim - James Rundle, The Wall Street Journal (04/28/2022)
      Coca-Cola Co. said it was investigating a possible data breach after hackers posted data for sale they asserted they stole from the beverage giant’s systems.

       

    • FBI sounds the alarm over virulent new ransomware strain - Sead Fadilpašić , Tech Radar Pro (04/25/2022)
      In a Flash report, published late last week, the intelligence agency said that BlackCat, a known ransomware-as-a-service actor, compromised these organizations using a strain written in RUST.

       

    • US, allies say new intel suggests coming Russian cyberattack - The Straits Times, The Straits Times (04/21/2022)
      Five allied countries including the United States warned Wednesday (April 20) that "evolving intelligence" indicated Russia was poised to launch powerful cyberattacks against rivals supporting Ukraine.

       

    • U.S. Taps Industrial and Cyber Firms for Help Amid Warnings of Russian Hacks - David Uberti, The Wall Street Journal (04/20/2022)
      The Department of Homeland Security on Wednesday added several industrial and cybersecurity firms to a program aimed at thwarting hacks amid fresh warnings of Russian attempts to disrupt critical infrastructure.

       

    • Americans are drowning in spam - Margaret Hardin McGill & Sara Fischer, Axios (04/18/2022)
      You're not imagining it: The flood of spam calls, texts, emails and social media posts into your life is getting a lot bigger.

       

    • NATO Cyber Game Tests Defenses Amid War in Ukraine - Catherine Stupp, The Wall Street Journal (04/18/2022)
      NATO’s large, multiday cyber defense exercise is set to bring together technical experts from alliance countries and Ukraine nearly two months after Russia’s invasion.

       

    • Neurodiverse Candidates Find Niche in Remote Cybersecurity Jobs - Nicolle Liu, The Wall Street Journal (04/13/2022)
      Cat Contillo remembers how uncomfortable she felt during an office internship a few years ago because of reactions to her masculine outfits and her inability to understand sarcasm.

       

    • Finland hit by cyberattack, airspace breach - Lexi Lonas, The Hill (04/08/2022)
      Finland was hit with cyberattacks and an airspace breach on Friday while Ukrainian President Volodymyr Zelensky was speaking to the Finnish Parliament.

       

    • Microsoft says it disrupted Russian cyberattacks targeting Ukraine, West - Chloe Folmar, The Hill (04/07/2022)
      Microsoft announced Thursday that it had disrupted Russian cyberattacks targeting Ukraine and organizations in the United States and European Union.

       

    • Ascot to back Coalition’s surplus lines cyber program - Judy Greenwald, Business Insurance (04/06/2022)
      Insurtech Coalition Inc., which writes cyber and technical errors and omissions coverages as a managing general agency, said Wednesday that Ascot Group will back its U.S. primary surplus lines cyber program through Ascot Specialty Insurance Co.

       

    • You Need Two-Factor Authentication, but Some Types Are Safer Than Others - Nicole Nguyen, The Wall Street Journal (04/03/2022)
      Cybercrime is way up and a strong password isn’t enough to protect your money, your work and your family. To protect your accounts from increasingly active evildoers, you need a second factor.

       

    • Some Russian oligarchs are using U.K. data privacy law to sue - Reed Albergotti, The Washington Post (03/31/2022)
      The law, intended to prevent ads from tracking consumers too closely around the Internet, is now being used to sue anyone holding undesirable information on their devices

       

    • Satellite modems nexus of worst cyberattack of Ukraine war - Frank Bajak, The Associated Press (03/31/2022)
      A malicious software command that immediately crippled tens of thousands of modems across Europe anchored the cyberattack on a satellite network used by Ukraine’s government and military just as Russia invaded, the satellite owner disclosed Wednesday.

       

    • UK spy chief warns Russia looking for cyber targets - The Associated Press, The Associated Press (03/30/2022)
      A U.K. intelligence chief warned that the Kremlin is hunting for cyber targets and bringing in mercenaries to shore up its stalled military campaign in Ukraine.

       

    • Secret World of Pro-Russia Hacking Group Exposed in Leak - Robert McMillan et al, The Wall Street Journal (03/28/2022)
      In a secret chat room run by a group of Russian-affiliated cybercriminals, a hacker expressed excitement about a plan to attack and disable more than 400 U.S. hospitals. “There will be panic,” the hacker wrote, in Russian.

       

    • US charges four Russian spies for hacking Saudi oil facility and US nuclear power plant - Carly Page, Tech Crunch (03/25/2022)
      The U.S. Department of Justice has announced charges against four Russian government employees for a years-long hacking campaign targeting critical infrastructure, including a U.S. nuclear power operator and a Saudi petrochemical facility.

       

    • Lapsus$ hacker mastermind suspected to be UK teen living with mom - Thomas Barrabi, The New York Post (03/24/2022)
      Cybersecurity sleuths have reportedly uncovered the suspected mastermind of the notorious Lapsus$ hacker group – a 16-year-old whiz kid living with his mother in Oxford, England.

       

    • Okta Says Hundreds of Its Customers May Have Been Caught In Hack - Dan Strumpf, The Wall Street Journal (03/24/2022)
      Okta Inc., one of the world’s leading providers of digital identity verification, said that a January data breach revealed by hackers this week may have affected hundreds of customers that rely on its software to manage secure access to their internal computer networks.

       

    • The U.S. warns companies to stay on guard for possible Russian cyberattacks - James Doubek, NPR (03/21/2022)
      The White House is warning companies that Russia could be planning to launch cyberattacks against critical U.S. infrastructure.

       

    • Why Small Cybersecurity Decisions Can Expose Companies to Cyberattacks - Stuart Madnick, The Wall Street Journal (03/19/2022)
      In the aftermath of a major cyberattack, we usually hear a lot about “what” happened, some about “how” it happened (say, hackers exploited a system vulnerability) but almost nothing about “why” it happened (that is, what gave rise to the vulnerability in the first place).

       

    • Bombs And Hackers Are Battering Ukraine’s Internet Providers. ‘Hidden Heroes’ Risk Their Lives To Keep Their Country Online - Thomas Brewster, Forbes (03/15/2022)
      On the nervous streets of Kyiv, down the bombarded thoroughfares of Kharkiv, in the rubble-strewn ruins of Mariupol, in bomb shelters and basements and at blown-out base stations, Ukraine’s internet technicians are busy. Their employers—whether giants serving half the country’s 40 million population like telecom company Kyivstar or smaller players such as Triolan, which provides service to about a million people—have seen digital infrastructure targeted by both rockets and hackers, flatlining equipment in the early days of Russia’s invasion and threatening connectivity throughout the following days and weeks.

       

    • Cyberspace making Canadian secrets more vulnerable, spy service official warns - The Canadian Press, Jim Bronskill, The National Post (03/11/2022)
      The expansion of cyberspace is making it easier for foreign adversaries to pilfer valuable secrets, says a senior official at Canada’s spy service.

       

    • As Russia Invaded, Hackers Broke Into A Ukrainian Internet Provider. Then Did It Again As Bombs Rained Down - Thomas Brewster, Forbes (03/09/2022)
      In the last 24 hours, with Russia continuing its heavy bombardment across Ukraine, parts of the country have seen severe internet outages. One cause appears to be a cyberattack on telecoms provider Triolan, which serves a substantial number of users across the country.

       

    • SEC Proposes Requiring Firms to Report Cyberattacks Within Four Days - Paul Kiernan, The Wall Street Journal (03/09/2022)
      Federal regulators are considering a requirement that publicly traded companies disclose data breaches and other significant cybersecurity incidents within four days, as they seek to strengthen financial markets’ resilience to online attacks.

       

    • Cyber firm: At least 6 US state governments hacked by China - Eric Tucker, The Associated Press (03/08/2022)
      Hackers working on behalf of the Chinese government broke into the computer networks of at least six state governments in the United States in the last year, according to a report released Tuesday by a private cybersecurity firm.

       

    • Samsung Says Hackers Stole Galaxy Smartphone Data - Joseph De Avila, The Wall Street Journal (03/07/2022)
      Samsung Electronics Co. said hackers breached its security system and accessed company data relating to its Galaxy devices.

       

    • The Russia-Ukraine Cyberwar Could Outlast the Shooting War - Christopher Mims, The Wall Street Journal (03/05/2022)
      Alongside the physical violence of the Russian assault on Ukraine, a parallel cyberwar is under way that has little, if any, precedent.

       

    • Senate Passes Cyber Package That Would Require Firms to Report Hacks - David Uberti, The Wall Street Journal (03/02/2022)
      The Senate Tuesday passed a cybersecurity package that would require companies to report damaging hacks and ransomware payments to the government, bringing closer to reality rules the Biden administration sees as key to protecting U.S. critical infrastructure.

       

    • Insurers Back Off Policies Tied to Russia - Julie Steinberg & Leslie Scism, The Wall Street Journal (03/02/2022)
      Insurers worldwide have stopped issuing some crucial types of insurance for companies with operations or trading partners in Russia.

       

    • Hackers Target Key Russian Websites - David Uberti, The Wall Street Journal (02/28/2022)
      Websites for the Russian Foreign Ministry as well as the country’s largest stock exchange and a key state-owned bank were offline Monday, as loosely organized groups of volunteer hackers pledged to retaliate against the Kremlin for its invasion of Ukraine.

       

    • Toyota shuts down Japanese factories after possible cyber attack on supplier - Tim Levin, Business Insider (02/28/2022)
      Toyota on Monday said it will halt operations at domestic factories after one of its key suppliers was hit by a potential cyber attack.

       

    • Toyota suspends domestic factory operations after suspected cyber attack - Reuters, Reuters (02/28/2022)
      Toyota Motor Corp said it will suspend domestic factory operations on Tuesday, losing around 13,000 cars of output, after a supplier of plastic parts and electronic components was hit by a suspected cyber attack.

       

    • Judge OKs $10M Octapharma fingerprint class action deal; $800+ per class member, $3.3M for lawyers - Jonathan Bilyk, Cook County Record (02/24/2022)
      People who donated blood plasma at clinics operated by Octapharma in Illinois may soon see a bit of cash headed their way, under a $10 million settlement approved by a Chicago federal judge to end a class action lawsuit over donor fingerprint scans.

       

    • Justice Department shutters China Initiative, launches broader strategy to counter nation-state threats - Ellen Nakashima, The Washington Post (02/23/2022)
      The Justice Department is shuttering its controversial China Initiative and replacing it with a broader strategy aimed at countering espionage, cyberattacks and other threats posed by a range of countries, a top official said Wednesday.

       

    • Expeditors International Shuts Down Computer Systems After Cyberattack - Nicolle Liu, The Wall Street Journal (02/22/2022)
      Seattle-based logistics giant Expeditors International of Washington Inc. said it had shut down most of its operating systems in response to a cyberattack disclosed Sunday, raising fears of further stress on already fragile global supply chains.

       

    • Ukraine warns of cyberattacks on banks and state agencies - Reuters, Reuters (02/21/2022)
      Ukrainian authorities said they had seen online warnings that hackers were preparing to launch major attacks on government agencies, banks and the defence sector on Tuesday.

       

    • At Olympics, cybersecurity worries linger in background - Kelvin Chan, The Associated Press (02/21/2022)
      Warnings to use disposable “burner” phones and laptops. Privacy-protecting software. Concerns about a security flaw in an official Games smartphone app. Such precautions fueled unease about data privacy for competitors and attendees at the Winter Olympics in Beijing. Not everyone heeded them.

    • A series of cyberattacks on Tuesday knocked the websites of the Ukrainian army, the defense ministry and major banks offline, Ukrainian authorities said, as tensions persisted over the threat of a possible Russian invasion. - Josh Meyer, USA Today (02/17/2022)
      Fresh off its largest financial seizure ever, the Justice Department said Thursday it is doubling down on U.S. efforts to combat the sharp rise in ransomware attacks worldwide and will now prioritize disrupting cybercriminals before they act.

       

    • Cyberattacks knock out sites of Ukrainian army, major banks - Yuras Kurmanau & Frank Bajak, The Associated Press (02/15/2022)
      A series of cyberattacks on Tuesday knocked the websites of the Ukrainian army, the defense ministry and major banks offline, Ukrainian authorities said, as tensions persisted over the threat of a possible Russian invasion.

       

    • Quad to strengthen cyber-terrorism cooperation- Australia's Payne - Reuters, Reuters (02/11/2022)
      Countries in the Quad grouping will strengthen cooperation on cyber- and counter-terrorism, including on ransomware attacks, Australian Foreign Minister Marise Payne said after meeting her counterparts from India, Japan and the United States.

       

    • European, U.S. regulators tell banks to prepare for Russian cyberattack threat - John O'Donnell & Huw Jones, Reuters (02/09/2022)
      The European Central Bank is preparing banks for a possible Russian-sponsored cyber attack as tensions with Ukraine mount, two people with knowledge of the matter said, as the region braces for the financial fallout of any conflict.

       

    • Hackers tied to China are suspected of spying on News Corp. journalists - Jenna McLaughlin, NPR (02/05/2022)
      News Corp. — which owns the publishers of The Wall Street Journal and the New York Post — announced the discovery of a "persistent cyberattack" targeting a limited number of employees. An official with a cybersecurity firm working with the mass media conglomerate said the attack has links to China.

       

    • DHS announces new cybersecurity review board - Chloe Folmar, The Hill (02/04/2022)
      The U.S. Department of Homeland Security on Thursday announced a new cybersecurity review board in response to President Biden’s executive order on improving the nation’s cybersecurity.

       

    • Ukraine Considers International Cyber Help - Catherine Stupp, The Wall Street Journal (02/04/2022)
      Ukraine has requested technology from officials in other countries to secure its networks against potential Russian cyberattacks. The country is also seeking support from other nations in tracing the origins of a Jan. 14 attack on 90 Ukrainian websites.

       

    • FBI chief: Threat from China 'more brazen' than ever - Joseph Choi, The Hill (02/01/2022)
      FBI Director Christopher Wray said on Monday that the threat from the Chinese government against the West is “more brazen” than ever.

       

    • White House to add water sector to cybersecurity initiative - Clyde Hughes, UPI News (01/27/2022)
      The White House said Thursday it plans to improve cybersecurity in the nation's water sector by extending the Industrial Control Systems Cybersecurity Initiative to bulk up protections for such utilities.

       

    • Ukraine Hacks Signal Broad Risks of Cyberwar Even as Limited Scope Confounds Experts - Robert McMillan & Dustin Volz, The Wall Street Journal (01/20/2022)
      A recent cyberattack in Ukraine has heightened concerns in Kyiv that Moscow is plotting to support a land invasion with destructive hacks, although some experts remain puzzled about the Kremlin’s intentions.

       

    • Cyberattack on Red Cross compromised sensitive data on over 515,000 vulnerable people - Jenna McLaughlin, NPR (01/20/2022)
      The International Committee of the Red Cross has revealed that hackers have stolen data on over 515,000 "highly vulnerable people," recipients of aid and services from at least 60 affiliates of the charitable organization worldwide.

       

    • Russia arrests hacker in Colonial Pipeline attack, U.S. says - Maggie Miller, Politico (01/14/2022)
      Russian authorities on Friday arrested an individual tied to the crippling ransomware attack that snarled much of the U.S. gasoline supply last year, the Biden administration confirmed Friday.

       

    • Four New Cyber War Exclusions from Lloyd's Market Association - Heather Howell Wright and Andrew Tuggle, The National Law Review (01/10/2022)
      The Lloyd’s Market Association (the “LMA”) recently released four model clauses to exclude coverage for “war” from cyber insurance policies. The exclusions align with the requirement that all insurance policies written at Lloyd’s must exclude losses caused by war. Given the insurance industry’s weakening appetite for cyber risks, the issue for insureds is the extent to which the broad definition of “war” in these exclusions could give insurers wide latitude for denial of coverage beyond the traditional concept of “war” between sovereign states.

       

    • Russian national named in $82M hacking scheme denied bail - Mark Pratt, The Associated Press (01/05/2022)
      A Russian millionaire who U.S. authorities allege participated in a scheme to steal information on computer networks and use it for insider trading, illegally bringing in tens of millions of dollars, was denied bail Wednesday.

    • Companies Face Stricter Cyber Rules in 2022 - James Rundle, The Wall Street Journal (01/03/2022)
      Attacks against critical infrastructure operators, government agencies and private companies spurred President Joe Biden’s administration to significant action on cybersecurity in 2021. This year, security chiefs face further cyber reforms, a workforce shortage, and ongoing threats from ransomware groups.

       

    • Opinion: The cybersecurity risk to our water supply is real. We need to prepare. - Mark Montgomery & Samantha F. Ravich, The Washington Post (01/03/2022)
      It’s rare that four government agencies issue a joint advisory on a potential threat to the basic health and welfare of the entire U.S. population. But that’s what happened in October when the FBI, National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA) and Environmental Protection Agency warned that U.S. water and wastewater systems are being targeted by “known and unknown” malicious actors.

       

    • Cyber-attack on UK’s Defence Academy caused ‘significant’ damage - PA Media, The Guardian (01/02/2022)
      A cyber-attack on the UK’s Defence Academy caused “significant” damage, a retired high-ranking officer has revealed.

       

    2021

    • Chinese Spies Accused of Using Huawei in Secret Australia Telecom Hack - Jordan Robertson & Jamie Tarabay, Bloomberg (12/16/2021)
      The U.S. government has warned for years that products from China’s Huawei Technologies Co., the world’s biggest maker of telecommunications equipment, pose a national security risk for any countries that use them. As Washington has waged a global campaign to block the company from supplying state-of-the-art 5G wireless networks, Huawei and its supporters have dismissed the claims as lacking evidence.

       

    • Facebook, Other Researchers Step Up Fight Against Cyberspying for Hire - Justin Scheck, The Wall Street Journal (12/16/2021)
      Big tech companies are escalating their fight against spies for hire.

      On Thursday, Meta Platforms Inc. said it removed about 1,500 accounts from Facebook and Instagram that it linked to groups it called “cyber mercenaries” that hack and spy for profit. Facebook researchers tied the accounts to seven entities around the world that appear to sell their services to government and private clients.

       

    • ‘The internet’s on fire’ as techs race to fix software flaw - Frank Bajak, The Associated Press (12/10/2021)
      A critical vulnerability in a widely used software tool — one quickly exploited in the online game Minecraft — is rapidly emerging as a major threat to organizations around the world.

       

    • Why Companies Shouldn’t Shame Employees Who Fall for Hacking Scams - Karen Renaud, The Wall Street Journal (12/06/2021)
      Cybercriminals send many emails to an organization's employees, hoping to deceive them into clicking on a link or opening an attachment. Sometimes, an employee will do just that.
    • Israeli spyware was used against US diplomats in Uganda - Ellen Ioanes, Vox (12/04/2021)
      The advanced spyware Pegasus, created by Israeli firm NSO Group and used by governments like Saudi Arabia to gather intelligence on those it deems terrorists or criminals, has reportedly been detected on at least 11 iPhones used by US officials in Uganda or conducting business related to the country, as well as locals working for the embassy.

    • TSA requires rail and airports to strengthen cybersecurity - Alan Suderman, The Associated Press (12/02/2021)
      The Transportation Security Administration is issuing new directives and recommendations aimed at strengthening the cybersecurity defenses of U.S. rail and airport operators.

       

    • Feds charge two Iranians with interference in U.S. election - Ken Dilanian, NBC News (11/18/2021)
      The Justice Department announced charges Thursday against two Iranians who are accused of helping to orchestrate a cyber-enabled campaign to intimidate and influence American voters in the 2020 election.

       

    • U.S. charges Iranians for alleged cyber plot to meddle in 2020 presidential election - Mark Hosenball & Sarah N. Lynch, Reuters (11/18/2021)
      The United States announced criminal charges on Thursday against two Iranians it accuses of launching a cyber disinformation campaign to meddle in the 2020 U.S. presidential election that targeted voters as well as elected members of Congress and a U.S. media company.

       

    • United States Indicts Iranian Hackers in Voter Intimidation Effort - David E. Sanger & Julian E. Barnes, The New York Times (11/18/2021)
      The Justice Department indicted two Iranian hackers on Thursday for seeking to influence the 2020 election with a clumsy effort to intimidate voters, just a day after the nation’s cyberdefense authorities warned of an escalating Iranian effort to insert malicious code into the computer networks of hospitals and other critical infrastructure.

       

    • Cheese prices have been tumbling after a cyberattack interrupted production at one of America's largest cheese producers - Dominick Reuter, Business Insider (11/17/2021)
      Beef burgers may have gotten more expensive in recent weeks, but the cheese on top may have actually gotten cheaper.

       

    • President von der Leyen announces the EU will join the Paris Call for Trust and Security in Cyberspace - European Commission, Eureporter (11/15/2021)
      Commission President Ursula von der Leyen addressed the Paris Peace Forum, and the president announced that the European Union and its 27 member states will join the Paris Call for Trust and Security in Cyberspace, alongside the United States. The President highlighted that “citizens must feel empowered, protected and respected online, just as they are offline”. In her speech, the President drew parallels between the European Commission's initiatives and the objectives of the Paris Call, on cyber-resilience, artificial intelligence (AI) and responsibility of platforms.

       

    • Hackers compromise FBI email system, send thousands of messages - Reuters, Reuters (11/14/2021)
      Hackers compromised a Federal Bureau of Investigation email system on Saturday and sent tens of thousands of messages warning of a possible cyberattack, according to the agency and security specialists.

       

    • Europol: Pandemic sees criminals target online shoppers - The Star, The Star (11/12/2021)
      The coronavirus pandemic has sparked a sharp rise in online shopping fraud, Europe’s policing agency warned on Nov 11, saying criminals continued to prey on victims working from home.

       

    • Cyber attack turns off the taps at Barcelona's Damm brewery - Reuters, Reuters (11/12/2021)
      Spain's second biggest beer maker Damm halted output at its main brewery outside Barcelona after a cyber attack hit its computer systems earlier this week, a spokesperson said on Friday.

       

    • FTC Revises The Safeguards Rule And Proposes Mandatory Reporting Of Cybersecurity Events - Kathleen Benway et al., Mondaq (11/03/2021)
      On October 27, 2021, the FTC released its much-anticipated final revisions to the Gramm-Leach-Bliley Safeguards Rule (Safeguards Rule or Final Rule), following a 3-2 vote along party lines and also released a notice of proposed rulemaking that would require reporting to the FTC of certain cybersecurity events.

       

    • A ransomware gang shut down after Cybercom hijacked its site and it discovered it had been hacked - Ellen Nakashima & Dalton Bennett, The Washington Post (11/03/2021)
      A major overseas ransomware group shut down last month after a pair of operations by U.S. Cyber Command and a foreign government targeting the criminals’ servers left its leaders too frightened of identification and arrest to stay in business, according to several U.S. officials familiar with the matter.

       

    • Biden Administration Orders Federal Agencies to Fix Hundreds of Cyber Flaws - Dustin Volz, The Wall Street Journal (11/03/2021)
      The Biden administration on Wednesday issued a sweeping new order mandating that nearly all federal agencies patch hundreds of cybersecurity vulnerabilities that are considered major risks for damaging intrusions into government computer systems.

       

    • CNA cyberattack in March exposed personal information of more than 75,000 people, filings reveal - Robert Channick, The Chicago Tribune (11/02/2021)
      A March cyberattack that shut down systems at Chicago-based insurance giant CNA exposed the personal information of thousands of employees, contractors and policyholders, the company revealed in a Securities and Exchange Commission filing Monday.

       

    • Feds: Hacker illegally streaming games tried to extort MLB - The Associated Press, The Associated Press (10/28/2021)
      A Minnesota man was charged Thursday with trying to extort $150,000 from the MLB as he illegally streamed copyrighted content from major professional sports leagues online.

       

    • Biden’s new cyber czar is pushing for collective defense inside government and out - Ellen Nakashima, The Washington Post (10/28/2021)
      The Office of the National Cyber Director wants to bring cohesion to efforts to strengthen computer defenses across a sprawling set of more than 100 civilian agencies even as it seeks to drive more robust cybersecurity in the private sector.

       

    • Hillicon Valley — Blinken unveils new cyber bureau at State - Rebecca Klar et al, The Hill (10/27/2021)
      Secretary of State Antony Blinken on Wednesday outlined a swath of measures designed to bring the State Department into the 21st century, including establishing a new cybersecurity bureau organized in a way that prioritizes cyber diplomacy at the agency.

       

    • Iran blames foreign country for cyberattack on petrol stations - BBC News, BBC News (10/27/2021)
      A group called itself Predatory Sparrow claimed it carried out the hack, but Iran's top internet policy-making body blamed an unnamed "state actor".

       

    • SolarWinds Hackers Target Another Weak Point in Tech Supply Chain - David Uberti, The Wall Street Journal (10/26/2021)
      A new focus for the hackers behind the SolarWinds Corp. breach shows businesses the dangers of allowing vendors broad access to their computer networks.

       

    • Iran says cyberattack closes gas stations across country - Jon Gambrell, The Associated Press (10/26/2021)
      A cyberattack crippled gas stations across Iran on Tuesday, leaving angry motorists stranded in long lines. No group immediately claimed responsibility for the attack, which rendered useless the government-issued electronic cards that many Iranians use to buy subsidized fuel at the pump.

       

    • US intel warns China could dominate advanced technologies - Nomaan Merchant, The Associated Press (10/22/2021)
      U.S. officials issued new warnings Friday about China’s ambitions in artificial intelligence and a range of advanced technologies that could eventually give Beijing a decisive military edge and possible dominance over health care and other essential sectors in America.

       

    • Tokyo 2020 Olympics suffered half a billion attempted cyberattacks - Sead Fadilpasic, Tech Radar (10/22/2021)
      Whilst the Olympic Games were taking place in Tokyo earlier this year, another, huge competition was also taking place behind the curtain - between the organization’s 200-people strong cybersecurity team, and countless hackers, criminal groups and other malicious actors.

       

    • Ireland: Record Fine Issued Under The GDPR By The Data Protection Commission - Deirdre Crowley & Laura James, Mondaq (10/08/2021)
      On 2 September 2021, the Data Protection Commission (“DPC”) issued a 266-page ruling in which it levied its largest fine since its establishment, and the second largest fine ever issued under the General Data Protection Regulation 2016/679 (“GDPR”).

       

    • Microsoft: Russia behind 58% of detected state-backed hacks - Frank Bajak, The Associated Press (10/07/2021)
      Russia accounted for most state-sponsored hacking detected by Microsoft over the past year, with a 58% share, mostly targeting government agencies and think tanks in the United States, followed by Ukraine, Britain and European NATO members, the company said.

       

    • Australia wants Facebook held liable for anonymous comments - Rod McGuirk, The Associated Press (10/07/2021)
      Australia’s prime minister on Thursday described social media as a “coward’s palace” and warned that digital platforms including Facebook should be held liable for defamatory comments posted anonymously.

       

    • US poised to sue contractors who don’t report cyber breaches - Eric Tucker, The Associated Press (10/07/2021)
      The Justice Department is poised to sue government contractors and other companies who receive U.S. government grants if they fail to report breaches of their computer systems or misrepresent their cybersecurity practices, the department’s No. 2 official said Wednesday.

       

    • Facebook blames outage on error during routine maintenance - The Associated Press, The Associated Press (10/06/2021)
      The global outage that knocked Facebook and its other platforms offline for hours was caused by an error during routine maintenance, the company said.

       

    • Biden Administration to Impose Cyber Requirements on ‘High-Risk’ Rail-Transit Systems - Dustin Volz, The Wall Street Journal (10/06/2021)
      The Biden administration will impose new cybersecurity requirements on some railroad and other surface-transit systems, the latest effort by the federal government to compel certain private industries to boost their cyber defenses in the face of proliferating ransomware attacks and other disruptive threats, officials said.

       

    • Colonial Pipeline: How Hackers Exploited A Password Policy Problem - Romaine C. Marshall & Lucas Amodio, Mondaq (10/03/2021)
      A single password on an old, unprotected account – that's all it took for hackers to paralyze the largest fuel pipeline in the United States.

       

    • Britain to carry out ‘offensive’ cyber attacks from new £5bn digital warfare centre - Edward Malnick, The Telegraph (10/02/2021)
      Britain will launch “offensive” cyber attacks in response to similar assaults or disinformation campaigns by “hostile states” such as Russia, the Defence Secretary has said, as he unveiled plans for a £5bn digital warfare centre in the heart of the red wall....

       

    • Suit blames baby’s death on cyberattack at Alabama hospital - The Associated Press, The Associated Press (10/01/2021)
      An Alabama woman whose 9-month-old daughter died has filed suit against the hospital where she was born claiming it did not disclose that its computer systems had been crippled by a cyberattack, which resulted in diminished care that resulted in the baby’s death.

       

    • Apple Pay users vulnerable to security hack due to ‘dangerous flaw,’ experts warn - Sean Morrison, The Evening Standard (09/30/2021)
      Researchers have urged iPhone users to remove Visa as a transport card via ApplePay after uncovering a flaw which they say fraudsters could use to bypass security and make unlimited contactless payments.

       

    • U.S. Deports High-Profile Hacker to Russia Before End of Prison Sentence - Dustin Volz & Aruna Viswanatha, The Wall Street Journal (09/29/2021)
      The U.S. released a high-profile Russian cybercriminal from its custody this week, at least a year before his prison sentence was expected to finish, handing him over to Russian authorities despite long resisting Moscow’s efforts to retrieve him.

       

    • Second MoD data breach compromising safety of Afghan interpreters emerges - Rory Sullivan, The Independent (09/24/2021)
      A second data breach at the Ministry of Defence (MoD) could have compromised the safety of dozens more Afghans, it has emerged.

       

    • EU warns Russia over cyberattacks ahead of German elections - Lorne Cook, The Associated Press (09/24/2021)
      The European Union on Friday warned Russia against allowing hackers to attack data bases or spread disinformation in some of the 27 member countries just as Germans were preparing to go the polls for weekend parliamentary elections.

       

    • U.S. Officials Call for Fines Against Companies That Don’t Report Hacks - David Uberti , The Wall Street Journal (09/24/2021)
      Top U.S. cyber officials on Thursday urged Congress to add more teeth to any legislation forcing firms that operate critical infrastructure to disclose hacks, calling for a narrow reporting window after a breach and fines against companies that don’t comply.

       

    • Port of Houston target of suspected nation-state hack - Alan Suderman, The Associated Press (09/23/2021)
      A major U.S. port was the target last month of suspected nation-state hackers, according to officials.

       

    • Iowa Grain Cooperative Hit by Cyberattack Linked to Ransomware Group - David Uberti, The Wall Street Journal (09/20/2021)
      An Iowa grain co-op said it was hit with a cyberattack that security researchers are linking to newly launched ransomware group BlackMatter, which the researchers said demanded $5.9 million to unlock the organization’s data.

       

    • Ex-U.S. intel operatives admit hacking American networks for UAE - Joel Schectman & Christopher Bing, Reuters (09/15/2021)
      Three former U.S. intelligence operatives who worked as cyber spies for the United Arab Emirates admitted to violating U.S. hacking laws and prohibitions on selling sensitive military technology, under a deal to avoid prosecution announced on Tuesday.

       

    • Apple fixes security hole reportedly used to hack an iPhone - Frank Bajak, The Associated Press (09/13/2021)
      Apple released a critical software patch to fix a security vulnerability that researchers said could allow hackers to directly infect iPhones and other Apple devices without any user action.

       

    • Exclusive: Wide-ranging SolarWinds probe sparks fear in Corporate America - Christopher Bing et al., Reuters (09/10/2021)
      A U.S. Securities and Exchange Commission investigation into the SolarWinds Russian hacking operation has dozens of corporate executives fearful information unearthed in the expanding probe will expose them to liability, according to six people familiar with the inquiry.

       

    • Apple pays hackers six figures to find bugs in its software. Then it sits on their findings. - Reed Albergotti, The Washington Post (09/09/2021)
      Hoping to discover hidden weaknesses, Apple for five years now has invited hackers to break into its services and its iconic phones and laptops, offering up to $1 million to learn of its most serious security flaws.

       

    • Once-in-a-century solar superstorm could plunge the world into ‘internet apocalypse’, study says - Vishwam Sankaran, The Independent (09/08/2021)
      A severe solar storm, which happens once in approximately 100 years, could catastrophically impact various human technologies on Earth, and plunge the world into an “internet apocalypse,” a new study says.

       

    • Why Hackers Love Smart Buildings - Suman Bhattacharyya, The Wall Street Journal (09/08/2021)
      Buildings are getting smarter, and that opens them up to a host of new cybersecurity risks.

       

    • The Latest Cybersecurity Threat: Pay Us or We Release the Data - Catherine Stupp, The Wall Street Journal (09/07/2021)
      As if companies and organizations didn’t have enough to worry about with cybersecurity, add a new type of ransomware attack to the list: cybercriminals who steal sensitive data and threaten to publish it online unless the victim pays a large ransom.

       

    • How Hackers Use Our Brains Against Us - Heidi Mitchell, The Wall Street Journal (09/07/2021)
      Cybercriminals take advantage of the unconscious processes that we all use to make decision making more efficient. Blame it on our ‘lizard brains.’

       

    • City of LeClaire paid $222,373 to email scammers posing as vendors - Sarah Watson, The Gazette (09/03/2021)
      The Scott County city of LeClaire is working to recover $102,000 from scammers who posed as three city vendors. In total, $222,373 in city funds were directed to three fraudulent accounts through “cleverly disguised and modified emails that resembled legitimate emails from legitimate vendors,” interim City Administrator Ed Choate wrote in an email to the Quad-City Times.
    • Lawsuits say Siri and Google are listening, even when they’re not supposed to - Rachel Lerman, The Washington Post (09/02/2021)
      Tech companies have long encouraged putting listening devices in homes and pockets, attempting to convince consumers to rely on their voice assistants for any little need that pops up. But some are growing concerned that these devices are recording even when they’re not supposed to — and they’re taking their fears to the courts.

    • Meat Buyers Scramble After Cyberattack Hobbles JBS - Jacob Bunge, The Wall Street Journal (06/02/2021)
      Meatpacker JBS was hit by a ransomware attack that took a big chunk of U.S. beef-and-pork processing offline, sending buyers scrambling for alternatives and raising pressure on meat supplies.
    • U.S. pipelines ordered to increase cyber defenses after hack - Ben Fox, PBS (05/27/2021)
      U.S. pipeline operators will be required for the first time to conduct a cybersecurity assessment under a Biden administration directive in response to the ransomware hack that disrupted gas supplies in several states this month.
    • Hackers targeted SolarWinds earlier than previously known - Eric Tucker, The Associated Press (05/20/2021)
      The hackers who carried out the massive SolarWinds intrusion were in the software company’s system as early as January 2019, months earlier than previously known, the company’s top official said Wednesday.

       

    • Colonial Pipeline Ransomware Attack Exposes Severity of Cyber Threats - Burns & Wilcox, Burns & Wilcox (05/19/2021)
      The ransomware attack that shut down one of the largest fuel pipelines in the U.S. and set off gas shortages and panic-buying is indicative of the growing cyber risk threatening American infrastructure, experts said in a recent USA Today report. Colonial Pipeline Co., which moves 2.5 million barrels of petroleum each day, was forced to discontinue operations May 7 after the hacker gang DarkSide reportedly targeted the pipeline operator’s financial computer networks. The company began resuming services on May 12 after unconfirmed reports that a $5 million ransom was paid to the hackers.

       

    • U.S. government denies disrupting Russian ransomware ring that hacked Colonial Pipeline - Ellen Nakashima, The Washington Post (05/19/2021)
      The U.S. government was not behind the disruption last week of a Russian hacker ring’s computer network in the wake of the devastating cyberattack on a major U.S. fuel pipeline, four U.S. officials said, while experts said the group’s disappearance could be a ploy.

       

    • Irish health system struggling to recover from cyberattack - Sylvia Hui et al., The Associated Press (05/18/2021)
      Ireland’s health system struggled to restore computers and treat patients Tuesday, four days after it shut down its entire information technology system in response to a ransomware attack.

       

    • Colonial Pipeline hacker DarkSide claims it will cease operations - Thomas Barrabi, Fox Business (05/14/2021)
      The ransomware group deemed responsible for the dayslong shutdown of the Colonial Pipeline said it would cease operations, cybersecurity experts said Friday.

       

    • Software Industry Awaits Details on Biden’s Order to Report Hacks - David Uberti & Catherine Stupp, The Wall Street Journal (05/14/2021)
      President Biden’s executive order on Wednesday to shore up U.S. cybersecurity will force many companies selling software to the government to report attacks on their systems, sharing information that officials and cyber experts say is increasingly important to U.S. security.

       

    • The Colonial Pipeline Hackers Are One Of The Savviest Criminal Startups In A $370 Million Ransomware Game - Thomas Brewster, Forbes (05/12/2021)

      When Colonial Pipeline took its gasoline lines down following a successful cyberattack last week, it became the most high-profile victim of a hacking group called DarkSide.

       

    • Biden Signs Executive Order to Bolster Federal Government’s Cybersecurity - David E. Sanger & Julian E. Barnes, The New York Times (05/12/2021)
      As the East Coast suffered from the effects of a ransomware attack on a major petroleum pipeline, President Biden signed an executive order on Wednesday that placed strict new standards on the cybersecurity of any software sold to the federal government.

       

    • SmileDirectClub Shares Fall After Company Reports Cybersecurity Incident - Stephen Nakrosis, The Wall Street Journal (05/03/2021)
      SmileDirectClub Inc. said a cyberattack last month disrupted the company’s operations and will hurt its sales this quarter. The disclosure sent shares lower in after-hours trading.

       

    • Illinois attorney general’s office was warned about weak cybersecurity before ransomware attack - Dan Petrella, Yahoo News (04/30/2021)
      A state audit released earlier this year warned that Illinois Attorney General Kwame Raoul’s office had a “weaknesses in cybersecurity” that potentially left sensitive information on the agency’s computer network “susceptible to cyberattacks and unauthorized disclosure.”

       

    • Hackers claim to have infiltrated internal D.C. police files - Peter Hermann, The Washington Post (04/27/2021)
      Hackers who claim to have infiltrated the D.C. police department’s computer network are threatening to publicize confidential files that could reveal names of suspected gang members and intelligence from crime briefings, according to online posts reviewed by cybersecurity experts.

       

    • Sextortion, cyber-crimes and cyberstalking are on the rise - The Associated Press, Frank Green (04/24/2021)
      Text messages began arriving in K.C.’s cellphone, some with nude photos of the high school senior, on a Friday the 13th three years ago.

       

    • Researchers Uncover Advertising Scam Targeting Streaming-TV Apps - Patience Haggin, Jeff Horwitz, The Wall Street Journal (04/21/2021)
      Fraudsters infected nearly one million mobile devices with software that mimicked streaming-TV apps and collected revenue from unsuspecting advertisers, according to cybersecurity company Human Security Inc., exposing vulnerabilities in a fast-growing corner of the digital ad market.

       

    • Chinese hackers compromise dozens of government agencies, defense contractors - Ellen Nakashima, Aaron Schaffer, The Washington Post (04/21/2021)
      Sophisticated Chinese government hackers are believed to have compromised dozens of U.S. government agencies, defense contractors, financial institutions and other critical sectors, according to a private cybersecurity firm working with the federal government.

       

    • Facebook says Palestinian spies behind hacking campaign - Elizabeth Culliford, Raphael Satter, Reuters (04/21/2021)
      Facebook says it has disrupted a long-running cyberespionage campaign run by Palestinian intelligence which features spies posing as journalists and the deployment of a booby-trapped app for submitting human rights stories.

       

    • In Punishing Russia for SolarWinds, Biden Upends U.S. Convention on Cyber Espionage - Dustin Volz, The Wall Street Journal (04/17/2021)
      President Biden’s decision this week to punish Russia for the SolarWinds hack broke with years of U.S. foreign policy that has tolerated cyber espionage as an acceptable form of 21st century spycraft, analysts and former officials said.

       

    • School computer systems at risk, technology leader says - Scott Travis, South Florida Sun Sentinel (04/15/2021)
      A ransomware attack by hackers demanding $40 million could lead the Broward School District to spend more than $20 million to help protect itself from cyber threats.

       

    • FBI hacks vulnerable US computers to fix malicious malware - Alex Hern, The Guardian (04/14/2021)
      The FBI has been hacking into the computers of US companies running insecure versions of Microsoft software in order to fix them, the US Department of Justice has announced.

       

    • Cash-Strapped Local Governments Turn to Students for Cybersecurity Help - James Rundle, The Wall Street Journal (04/14/2021)
      Mounting threats against local governments and struggles many job seekers face to gain industry experience without prior work in the field are two of the most acute challenges in cybersecurity. A Washington state-based nonprofit believes it has a way to help tackle both.

       

    • NYDFS Fines Residential Mortgage Services $1.5 Million For Failures To Comply With New York's Cybersecurity Regulation - Jami Mills Vibbert et al., Mondaw (04/09/2021)
      On March 3, 2021, the New York Department of Financial Services (NYDFS) announced its execution of a consent order (the Order) with Residential Mortgage Services, Inc. (RMS), a NYDFS-licensed mortgage banker and mortgage loan servicer. The Order fines RMS $1,500,000 for its violations of Cybersecurity Regulation, Part 500 of Title 23 of the New York Codes, Rules, and Regulations (Part 500). According to the Order, RMS failed to meet its Part 500 obligations by inadequately responding to a data security breach and failing to conduct a comprehensive cybersecurity risk assessment. This action is the latest demonstration of the seriousness with which NYDFS is approaching enforcement of Part 500, which became fully effective in March 2019.

       

    • Hackers try to extort University of Colorado in cyberattack - The Associated Press, The Associated Press (04/09/2021)
      Hackers are trying to extort the University of Colorado after a cyberattack that potentially compromised personal information from more than 310,000 files, including student data, medical information and several Social Security numbers, university officials said Friday.

       

    • Thousands of SAP users face cyberattacks over unsecured flaws - Mayank Sharma, Tech Radar (04/07/2021)
      Security researchers working with German software firm SAP have discovered that unpatched instances of the latter’s enterprise resource planning (ERP), customer relationship management (CRM), and other offerings are being actively targeted.

       

    • Senators press for more on SolarWinds hack after AP report - Alan Suderman, The Associated Press (04/06/2021)
      Key lawmakers said Tuesday they’re concerned they’ve been kept in the dark about what suspected Russian hackers stole from the federal government and they pressed Biden administration officials for more details about the scope of what’s known as the SolarWinds hack.

       

    • The Cybersecurity 202: A massive Facebook breach underscores limits to current data breach notification laws - Tonya Riley, The Washington Post (04/06/2021)
      Lawmakers and privacy experts are slamming Facebook for its handling of a leak of more than 500 million users' personal information that was posted online for free.

       

    • Half a billion Facebook users' information posted on hacking website, cyber experts say - Donie O'Sullivan, CNN (04/05/2021)
      The personal information of about half a billion Facebook users, including their phone numbers, have been posted to a website used by hackers, cybersecurity experts say.

       

    • US looks to keep critical sectors safe from cyberattacks - https://apnews.com/article/politics-electric-utilities-utilities-national-security-hacking-b1da2bcda1ffedbf6d54b56f5879eebd#:~:text=WASHINGTON%20(AP)%20%E2%80%94%20A%20top,protect%20against%20potentially%20damaging%20cyberattacks., Eric Tucker, Alan Suderman (04/01/2021)
      A top Biden administration official says the government is undertaking a new effort to help electric utilities, water districts and other critical industries protect against potentially damaging cyberattacks.

       

    • General says attacks by foreign hackers are ‘clarion call’ - Eric Tucker, The Associated Press (03/25/2021)
      The U.S. Cyber Command conducted more than two dozen operations aimed at thwarting interference in last November’s presidential election, the general who leads the Pentagon’s cyber force said Thursday.

       

    • DHS Cyber Chief Says Hacks Slowed Progress on Public-Private Collaboration - David Uberti, The Wall Street Journal (03/23/2021)
      Hacks of U.S. agencies and companies in recent months have set back efforts to improve the public-private collaboration seen as key to defending against future attacks, the Department of Homeland Security’s top cyber official said Tuesday.

       

    • Wawa customers could get $5 or $15 gift cards to settle a class-action suit. Is that fair for consumers? - Christian Hetrick, The Inquirer (03/18/2021)
      Wawa customers whose payment card numbers were stolen in a massive data breach would get gift cards under a proposed settlement. The lawyers would be paid in cash.

       

    • Teen who hacked Joe Biden and Bill Gates' Twitter accounts sentenced to three years in prison - Kari Paul, The Guardian (03/16/2021)
      An 18-year-old hacker who pulled off a huge breach in 2020, infiltrating several high profile Twitter accounts to solicit bitcoin transactions, has agreed to serve three years in prison for his actions.

       

    • The Cybersecurity 202: Congress mulls legislation to require companies to report major cyberattacks - Tonya Riley, The Washington Post (03/16/2021)
      The breaches of SolarWinds and Microsoft software, which collectively ensnared the data of federal and local governments as well as thousands of other U.S. organizations, have renewed a longstanding debate: Should companies be required to report cybersecurity breaches to the government?

       

    • Assistant principal, daughter accused of hacking student records to steal homecoming queen election - Minyvonne Burke, NBC News (03/16/2021)
      The assistant principal of a Florida elementary school was arrested along with her teenage daughter after authorities said they hacked a high school's homecoming election.

       

    • Mother 'used deepfake to frame cheerleading rivals' - BBC Tech, BBC (03/15/2021)
      A mother allegedly used explicit deepfake photos and videos to try to get her teenage daughter's cheerleading rivals kicked off the team.

       

    • US moves closer to retaliation over hacking as cyber woes grow - Agence France Presse, Yahoo News (03/12/2021)
      A senior US official said Friday the Biden administration is close to a decision on retaliation for state-sponsored hacking as fears grew over the fallout from the latest of two major cyberattacks.

       

    • Despite hacks, US not seeking widened domestic surveillance - Erick Tucker, Frank Bajak, The Associated Press (03/12/2021)
      The Biden administration is not planning to step up government surveillance of the U.S. internet even as state-backed foreign hackers and cybercriminals increasingly use it to evade detection, a senior administration official said Friday.

       

    • Security camera hack exposes hospitals, workplaces, schools - Matt O'Brien, Frank Bajak, The Associated Press (03/11/2021)
      Hackers aiming to call attention to the dangers of mass surveillance say they were able to peer into hospitals, schools, factories, jails and corporate offices after they broke into the systems of a security-camera startup.

       

    • Hacker Group Says It Accessed Tesla’s, Others’ Internal Video-Surveillance Feeds - Micah Maidenberg, The Wall Street Journal (03/10/2021)
      Hackers said they accessed internal video feeds at several companies, including Tesla Inc., and at public agencies by breaching the network of security-camera vendor Verkada Inc., the latest cybersecurity incident in which a supplier unwittingly opened a back door into client networks.

       

    • FireEye CEO: Reckless Microsoft hack unusual for China - Frank Bajak, Nathan Ellgren, The Associated Press (03/09/2021)
      Cyber sleuths have already blamed China for a hack that exposed tens of thousands of servers running Microsoft’s Exchange email program to potential hacks. The CEO of a prominent cybersecurity firm says it now seems clear China also unleashed an indiscriminate, automated second wave of hacking that opened the way for ransomware and other cyberattacks.

       

    • FireEye CEO: Reckless Microsoft hack unusual for China - Frank Bajak, Nathan Ellgren, The Associated Press (03/09/2021)
      Cyber sleuths have already blamed China for a hack that exposed tens of thousands of servers running Microsoft’s Exchange email program to potential hacks. The CEO of a prominent cybersecurity firm says it now seems clear China also unleashed an indiscriminate, automated second wave of hacking that opened the way for ransomware and other cyberattacks.

       

    • Thousands of Microsoft Customers May Have Been Victims of Hack Tied to China - Kate Conger, Sheera Frenkel, The New York Times (03/06/2021)
      Businesses and government agencies in the United States that use a Microsoft email service have been compromised in an aggressive hacking campaign that was probably sponsored by the Chinese government, Microsoft said.

       

    • Airline data hack: hundreds of thousands of Star Alliance passengers' details stolen - Martin Farrer, The Guardian (03/05/2021)
      Data on hundreds of thousands of airline passengers around the world has been hacked via a “highly sophisticated” attack on the IT systems operator that serves around 90% of the global aviation industry.

       

    • The Cybersecurity 202: A new government watchdog report highlights urgent federal cybersecurity risks - Tonya Riley, The Washington Post (03/03/2021)
      Addressing years-old cybersecurity failures could have helped the government ... watchdog report highlights urgent federal cybersecurity risks.

       

    • China refutes reports on cyber attacks against India's power grid - Yahoo News, Yahoo News (03/01/2021)
      Refuting reports stating that China had initiated cyber attacks against India's power grid resulting in massive power outages, Beijing on Monday claimed that it is 'firmly opposed' to such irresponsible and ill-intentioned practices.

       

    • New York Group Urges Action on Cyber Coordination - James Rundle, The Wall Street Journal (03/01/2021)
      A think tank formed by Columbia University has proposed a dramatic shift in how the private sector and the federal government collaborate on cybersecurity, saying the status quo leaves the U.S. vulnerable to destructive attacks.

       

    • Amazon’s Lack of Public Disclosure on SolarWinds Hack Angers Lawmakers - Dustin Volz, Robert McMillan, The Wall Street Journal (02/25/2021)
      As lawmakers and security researchers continue to unravel the SolarWinds hack, some are growing more frustrated with Amazon.com Inc., AMZN -0.40% saying the cloud-computing giant should be more publicly forthcoming about its knowledge of the suspected Russian cyberattack.

       

    • Oxford University says research not affected after expert flags COVID lab hack - Reuters Staff, Reuters (02/25/2021)
      Oxford University said on Thursday it was investigating a digital intrusion after a researcher said he had seen evidence that a laboratory researching COVID-19 had been hacked.

       

    • Biden Orders Broad Supply-Chain Review Amid Chip Shortages - Alex Leary, The Wall Street Journal (02/24/2021)
      President Biden signed an executive order Wednesday directing a broad review of supply chains for critical materials—from semiconductors to pharmaceuticals and rare-earth minerals—with the aim of spurring domestic production while strengthening ties with allies.

       

    • Chinese hackers cloned a Windows security flaw stolen from the NSA - Mayank Sharma, Tech Radar (02/23/2021)
      The investigation into a malware tool being used by Chinese hackers has revealed it to be a copy of software reportedly originally developed by part of the US National Security Agency (NSA).

       

    • Biden administration prepares to impose sanctions on Russia over Navalny poisoning and SolarWinds hack - Kylie Atwood, Zachary Cohen, CNN (02/23/2021)
      The Biden administration is preparing to impose sanctions on Russia in the coming weeks over the poisoning and jailing of Russian opposition leader Alexey Navalny and the SolarWinds hack, according to two administration officials familiar with the Navalny plans and a US official familiar with the hack response discussions.

       

    • SolarWinds hack was work of 'at least 1,000 engineers', tech executives tell Senate - Kari Paul, The Guardian (02/23/2021)
      Tech executives revealed that a historic cybersecurity breach that affected about 100 US companies and nine federal agencies was larger and more sophisticated than previously known.

       

    • Suspected Russian hack fuels new US action on cybersecurity - Ben Fox, Alan Suderman, The Associated Press (02/19/2021)
      Jolted by a sweeping hack that may have revealed government and corporate secrets to Russia, U.S. officials are scrambling to reinforce the nation’s cyber defenses and recognizing that an agency created two years ago to protect America’s networks and infrastructure lacks the money, tools and authority to counter such sophisticated threats.

       

    • US charges North Korean computer programmers in global hacks - Eric Tucker, The Associated Press (02/18/2021)
      The Justice Department has charged three North Korean computer programmers in a broad range of global hacks, including a destructive attack targeting an American movie studio, and in the attempted theft and extortion of more than $1.3 billion from banks and companies, federal prosecutors said Wednesday.

       

    • France to boost cyberdefense after hospital malware attacks - Sylvia Corbet, The Associated Press (02/18/2021)
      French President Emmanuel Macron on Thursday unveiled a plan to better arm public facilities and private companies against cybercriminals following ransomware attacks at two hospitals this month and an upsurge of similar cyber assaults in France.

       

    • Kia and Hyundai recovering from days-long network outages - Frank Bajak, The Associated Press (02/18/2021)
      Kia Motors America says it’s restoring services crippled by a computer network outage that began Saturday and which apparently affected dealers’ ability to order vehicles and parts and knocked offline a smartphone app that owners use to remotely start and warm up vehicles.

       

    • U.S. indicts three North Koreans in massive WannaCry, Sony hacks - Andrew Blankstein, NBC News (02/17/2021)
      Three North Koreans have been indicted in the crippling 2014 Sony Pictures Entertainment hack and a wide-ranging scheme to steal and extort more than $1 billion in cash and cryptocurrency from banks and companies based across the globe, federal prosecutors said Wednesday.

       

    • France Says Multiyear Hack Similar to Russian Attacks - Helene Fouquet, Ryan Gallagher, Bloomberg (02/16/2021)
      The French cybersecurity agency warned that an attack similar to one used by Russian military hackers has been penetrating companies that use Centreon software for three years.

       

    • Hacker Claims to Have Stolen Files Belonging to Prominent Law Firm Jones Day - Tawnell D. Hobbs, Sara Randazzo , The Wall Street Journal (02/16/2021)
      A hacker claims to have stolen files belonging to the global law firm Jones Day and posted many of them on the dark web.

       

    • Washington auditor’s office warned agencies of data-breach risks. Then it got hacked - Jim Brunner, Paul Roberts , The Seattle Times (02/15/2021)
      On Christmas Eve last year, Washington State Auditor Pat McCarthy’s office issued a dire warning that state agency computer systems and data make “attractive targets for cyberattacks.”

       

    • U.N. Members Plan New Cyber Group as States Suffer Large-Scale Hacks - Catherine Stupp, The Wall Street Journal (02/11/2021)
      European diplomats are pushing to create a long-term United Nations group that would consider how to respond to government-sponsored cyberattacks, while also involving companies in discussions about how to design secure technology.

       

    • Big Russian hack used a technique experts had warned about for years. Why wasn’t the U.S. government ready? - Craig Timberg, The Washington Post (02/09/2021)
      The disastrous Russian hack of federal government networks last year relied on a powerful new trick: Digital spies penetrated so deeply that they were able to impersonate any user they wanted. It was the computer network equivalent of sneaking into the State Department and printing perfectly forged U.S. passports.

       

    • Cybersecurity experts want more transparency as Amazon government data requests soar - Yasmine Ghania, Canada's National Observer (02/03/2021)
      Amazon recorded an increase of close to 800 per cent in user data requests by governments in the last half 2020, according to its transparency report released Sunday. In total, the company processed 27,664 legal orders from government agencies around the world in the form of subpoenas, search warrants and court actions.

       

    • Hospitals Suffer New Wave of Hacking Attempts - James Rundle, The Wall Street Journal (02/02/2021)
      Hackers are increasing their attempts to break into health-care companies, putting additional pressure on an industry already struggling with managing the coronavirus pandemic.

       

    • The Cybersecurity 202: Here's what cybersecurity experts think Biden should prioritize in his first 100 days - Tonya Riley, The Washington Post (02/01/2021)
      President Biden has promised that cybersecurity will be a top priority of his administration. The Cybersecurity 202's network of experts had some ideas for how the new administration could make the biggest impact in the first 100 days.

       

    • Russian hack brings changes, uncertainty to US court system - Maryclaire Dale, The Associated Press (01/31/2021)
      Trial lawyer Robert Fisher is handling one of America’s most prominent counterintelligence cases, defending an MIT scientist charged with secretly helping China. But how he’ll handle the logistics of the case could feel old school: Under new court rules, he’ll have to print out any highly sensitive documents and hand-deliver them to the courthouse.

       

    • Suspected Russian Hack Extends Far Beyond SolarWinds Software, Investigators Say - Robert McMillan, Dustin Volz, The Wall Street Journal (01/29/2021)
      Investigators probing a massive hack of the U.S. government and businesses say they have found concrete evidence the suspected Russian espionage operation went far beyond the compromise of the small software vendor publicly linked to the attack.

       

    • Car Makers Seek Ways to Secure Data Needed to Build Connected Services - Catherine Stupp, The Wall Street Journal (01/29/2021)
      The huge volumes of data churned out by connected cars could be a gold mine for auto makers and their technology suppliers. But pooling that data poses a challenge for companies that are wary of violating privacy laws or sharing valuable proprietary information.

       

    • Attacks on individuals fall as cybercrime shifts tactics - Sarah Skidmore Sell, The Associated Press (01/28/2021)
      Cybercriminals shifted away from stealing individual consumers’ information in 2020 to focus on bigger, more profitable attacks on businesses, according to a report from the Identity Theft Resource Center.

       

    • Google says North Korea-backed hackers sought cyber research - Kim Tong-Hyung, The Associated Press (01/27/2021)
      Google says it believes hackers backed by the North Korean government have been posing as computer security bloggers and using fake accounts on social media while attempting to steal information from researchers in the field.

       

    • Cybercops derail malware botnet, FBI makes ransomware arrest - Mike Corder, Frank Bajak, The Associated Press (01/27/2021)
      European and North American cyber cops have joined forces to disrupt what may be the world’s largest network for seeding malware infections. The operation appears to strike a major blow against criminal gangs that have used that network for years to install ransomware for extortion schemes and to steal data and money.

       

    • EU urges US to draft joint rule book to rein in tech giants - The Associated Press, The Associated Press (01/26/2021)
      The European Union called Tuesday on U.S. President Joe Biden to help draw up a common rule book to rein in the power of big tech companies like Facebook and Twitter and combat the spread of fake news that is eating away at Western democracies.

       

    • Joe Biden's Peloton bike may pose cybersecurity risk, experts warn - Martin Belam, The Guardian (01/21/2021)
      Joe Biden’s fitness regime may potentially cause an unexpected headache for security services charged with keeping the new president safe in the White House, with his Peloton exercise bike viewed by some as a potential cybersecurity risk.

       

    • Reporter Nidhi Razdan claims she was victim of ‘phishing attack’ that led her to believe she’d been hired as a journalism professor at Harvard - Steve Annear, The Boston Globe (01/15/2021)
      A prominent TV news anchor in India, Nidhi Razdan was looking forward to starting her new job as an associate professor of journalism at Harvard University in September.

       

    • Cyberattack leads to $5.1 million settlement to be paid by Excellus - Dan Herbeck, The Buffalo News (01/15/2021)
      A company that provides health insurance to many people in Western New York has agreed to pay $5.1 million to the federal government to settle potential violations of health privacy regulations.

       

    • SolarWinds Hack Forces Reckoning With Supply-Chain Security - David Uberti, Kim S. Nash, The Wall Street Journal (01/14/2021)
      The hack of SolarWinds Corp. provided an unwanted holiday gift that will keep on giving to many companies: a jolt to the supply chains that help the digital economy run.

       

    • Official: Number of victims of Russian hack likely to grow - Eric Tucker, The Associated Press (01/12/2021)
      The number of federal agencies and private companies who learn that they have been affected by a massive Russian hack is expected to grow as the investigation into it continues, the U.S. government’s chief counterintelligence official said Tuesday.

       

    • SolarWinds Hackers’ Attack on Email Security Company Raises New Red Flags - Robert McMillan, The Wall Street Journal (01/12/2021)
      A breach at email security provider Mimecast Inc. underscores that Russia-linked hackers appear to have targeted victims along multiple avenues of attack in what is shaping up to be one of the most successful cyber campaigns of U.S. government and corporate systems.

       

    • Robinhood Hacking Victim Sues Trading Platform Over Security - Sophie Alexander, Bloomberg (01/08/2021)
      A California man sued Robinhood Markets Inc. after his account was hacked, claiming the trading platform aimed at millennials didn’t do enough to protect customers’ sensitive information.

       

    • White House Publishes Maritime Cybersecurity Strategy - James Rundle, The Wall Street Journal (01/08/2021)
      A White House plan for enhancing maritime cybersecurity warns that the sector’s growing reliance on technology has introduced previously unknown risks.

       

    • Cyber attack: Hackers post Hackney Council's 'stolen documents' - BBC, BBC (01/07/2021)
      A cyber criminal group has posted what it claims are documents stolen from Hackney Council in a ransomware attack.

       

    • Justice Department also hacked by Russians in the ongoing cyberespionage campaign, officials say - Ellen Nakashima, The Washington Post (01/06/2021)
      The Justice Department has become the latest known victim of Russian hackers, who are engaged in an ongoing campaign of cyberespionage that has afflicted federal agencies and the private sector.

       

    2020

    2019

    • Cyber attack forces airline to cancel flights in Alaska - Associated Press, ABC News (12/21/2019)
      RavnAir canceled at least a half-dozen flights in Alaska on Saturday — at the peak of holiday travel — following what the company described as “a malicious cyber attack” on its computer network.
    • New Orleans government shut down by massive cyber attack - David Millward, The Telegraph (12/15/2019)
      New Orleans has declared a state of emergency after falling victim to a cyber attack which forced the shutdown of all the city government’s computers.
    • Ring hackers are reportedly watching and talking to strangers via in-home cameras - Poppy Noor, The Guardian (12/13/2019)
      Hackers are tapping in to cameras intended for home security, talking to children through the devices and even dropping racist remarks, according to multiple news reports. The intended purpose of a two-way talk function on the devices is to allow parents to check in on their children. But hackers are using them to wake people up in the middle of the night, and watch unsuspecting children.
    • What Security Chiefs Learned From the Capital One Hack - Tom Loftus, The Wall Street Journal (12/03/2019)
      The Capital One Financial Corp. hack disclosed this summer put cloud security at the top of every security chief’s agenda, where it remains.
    • Equifax, Norsk Hydro Executives Describe Chaos After Attacks - James Rundle, The Wall Street Journal (12/03/2019)
      Cyberattacks often cause pandemonium and the cleanup can take far longer than the public thinks, say executives from companies that have suffered hacks.

    • The Criminal Silicon Valley Is Thriving - Jonathan Lusthaus, The New York Times (11/29/2019)
      The holiday shopping season is upon us, and along with the bright lights and frosted window displays we can count on suffering through a more shadowy tradition: rampant cybercrime. Between Black Friday and Christmas in 2013, cyberthieves gained access to credit and debit card information from up to 40 million Target customers. This month, Macy’s announced that digital intruders had stolen payment information on its website from an undisclosed number of accounts — not the first time this has happened to the company.

    • Google fired four employees over alleged data-security issues - Ahiza Garcia, CNN (11/25/2019)
      Tensions continue to rise between Google and its employees.

      The latest development occurred Monday when Google (GOOG) sent an email to all staff members describing its decision to fire four employees for allegedly violating its data-security policies. Google confirmed the contents of the email titled "Securing our data," which was first obtained and reported on by Bloomberg.
    • Cyberattack Hit 10% of Louisiana’s State Government Servers - The Associated Press, US News & World Report (11/22/2019)
      Louisiana’s technology office says one in ten of the 5,000 computer network servers that power operations across state government were damaged by this week’s cyberattack.
    • Stop! Don’t Charge Your Phone This Way - Aimee Ortiz, The New York Times (11/18/2019)
      A dead or dying phone or laptop is enough to send anybody on a mad dash to find a way to charge the device, but you might want to think twice before using that random cable found at an airport charging station or docking into that hotel USB port — hackers could be waiting.
    • The Cybersecurity 202: States and cities make cybersecurity pledge after Trump administration rejects it - Joseph Marks, The Washington Post (11/15/2019)
      U.S. states and cities are breaking with the federal government and signing onto an international pledge aimed at making cyberspace safer.

      Virginia, Colorado and Washington state have all endorsed the Paris Call, which was first boosted last year by French President Emmanuel Macron and which commits members to combatting major cyberattacks, digital theft of intellectual property and foreign election interference. City governments in Louisville, San Jose and Huntington, W.Va., have also joined.
    • Hackers demand $5 million from Mexico's Pemex in cyberattack - Adriana Barrera, Raphael Satter, Reuters (11/12/2019)
      Hackers demanded about $5 million in bitcoin from Mexico’s Pemex, they told Reuters on Tuesday, saying the state oil firm missed a special discount by not paying immediately after a cyberattack that fouled up the company’s systems.
    • The Cybersecurity 202: Swing state election websites aren’t secure against Russian hacking, McAfee says - Joseph Marks, The Washington Post (11/08/2019)
      County election websites in two battleground states are highly vulnerable to hacking by Russia or another adversary that might seek to disrupt the 2020 vote by misleading voters about polling locations or spreading other false information.
    • Flaw in Amazon's Ring doorbell could have allowed hackers to control homes - Matthew Field, The Telegraph (11/07/2019)
      A security flaw in Amazon's £200 Ring Pro doorbell could allow hackers to control smart devices within a home, security researchers have warned.
    • Hackers can hijack your iPhone or smart speaker with a simple laser pointer — even from outside your home - Taylor Telford, The Washington Post (11/05/2019)
      Laser pointers are great for taunting cats and inflicting irritation. But they’re also quite effective at hacking Alexa, Siri or Google Assistant, researchers say — even from hundreds of feet away.
    • Filling Out a Cyber Insurance Policy Application: Do Not Give Insurers a Material Misrepresentation Defense - Robert P. Jacobs, Tech Risk Report (11/04/2019)
      As the risks associated with cyber liability continue to evolve, so do the insurance products that are theoretically meant to protect against those risks. As the insurance industry attempts to keep pace, the applications that insurers are using to capture the data they believe is necessary to underwriting these risks are also evolving and vary to a large degree. Regardless of whether an application is long or short or seeks information in generalities or in detail, all prospective policyholders must take care in completing these applications, enlisting the help of a data security professional (whether within the organization or a consultant) and possibly of a good broker that specializes in this area. Indeed, a failure to provide accurate information could cause an insurer to resist providing coverage for a claim, or attempt to rescind the policy, on the purported grounds that there was a material misrepresentation in the policy application.

    • Cities Warned Not to Rely on Cyber Insurance Alone - James Rundle, Wall Street Journal (10/25/2019)
      Cities and towns across the U.S. are taking out cyber insurance or considering it, but experts warn that coverage can’t substitute for effective security.
    • U.S. senators call for intelligence probe into Chinese-owned app TikTok - Elizabeth Culliford, Reuters (10/24/2019)
      U.S. Senate Minority Leader Chuck Schumer and Senator Tom Cotton on Wednesday asked intelligence officials to investigate whether the popular Chinese-owned app TikTok poses national security risks.
    • Baltimore to purchase $20M in cyber insurance as it pays off contractors who helped city recover from ransomware - Kevin Rector, The Baltimore Sun (10/16/2019)
      As costs from this spring’s ransomware attack on Baltimore continue to come due, city officials will buy $20 million in cyber liability insurance to cover any additional disruptions to city networks over the next year.
    • Without Naming Huawei, E.U. Warns Against 5G Firms From ‘Hostile’ Powers - Matina Stevis-Gridneff, The New York Times (10/09/2019)
      A 5G supplier from a “hostile” country could be forced by its home government to wreak havoc by causing cyberattacks, a European Union report warned on Wednesday, but the bloc stopped short of naming the Chinese giant Huawei, which the United States blacklisted after the White House labeled it a tool for espionage by Beijing.

    • EU police: Cybercrime threats now focus on profits, data - AP, Associated Press (10/09/2019)
      Cybercriminals are using new technology and exploiting existing online vulnerabilities as they shift their focus to larger and more profitable targets, the European Union’s police agency said in a report published Wednesday.
    • Report says workers are biggest data-security threat - Neal St. Anthony, Star Tribune (10/07/2019)
      Headlines about cybersecurity breaches and data theft from government agencies and companies such as Caribou Coffee, Target and Medtronic in recent years can inspire fear of bad guys exploiting the internet from dark places on the web.
    • Microsoft Says Iranians Tried To Hack U.S. Presidential Campaign October 4, 20193:31 PM ET - Shannon Bond, NPR (10/04/2019)
      Microsoft says a hacker group with ties to Iran has targeted a U.S. presidential campaign, in the latest sign that foreign governments may try to influence the 2020 election.
    • FDA issues warning on medical devices that are vulnerable to takeover from hackers - Berkeley Lovelace Jr., CNBC (10/01/2019)
      The Food and Drug Administration issued a warning to consumers Tuesday about potentially serious cybersecurity flaws in some medical devices that could allow hackers to take control of them remotely.
    • U.S. Steps Up Scrutiny of Airplane Cybersecurity - Robert McMillan, Dustin Volz, The Wall Street Journal (09/29/2019)
      Concerns that planes could be targeted in cyberattacks are prompting U.S. officials to re-energize efforts to identify airliners’ vulnerability to hacking.
    • Czech intelligence blames China for major cyber attack - Fred Tanneau, Channel News Asia (09/26/2019)
      PRAGUE: China was behind a major cyber attack at a key government institution in the Czech Republic last year, the EU member's intelligence agency said in a report on Wednesday (Sep 25).
    • State AG sues Dunkin’ over response to app cyberattacks - Priscilla DeGregory, New York Post (09/26/2019)
      Hungry hackers are causing a world of trouble for donut maker Dunkin.

      The New York Attorney General sued the retail chain formerly known as Dunkin Donuts for its handling of a cyber-security lapse that gave hackers access to hundreds of thousands in store credit that could only be used to buy crullers and other Dunkin products.
    • U.S. Navy to Appoint Cyber Chief Following a Blistering Audit - Gordon Lubold, Dustin Volz, The Wall Street Journal (09/26/2019)
      The Navy is hiring a new cyber chief in an attempt to better shield its military secrets from Chinese hackers and other nation-state thieves who have aggressively targeted naval operations in recent years, according to Navy officials.
    • What Cybercriminals Steal When They Hack Hospitals, New Study - Andrea Morris, Forbes (09/23/2019)
      When hospitals have access to your electronic medical record, you get better care. Depending on what you’re admitted for, readily available digital health information could be the difference between life and death.
    • Chubb Survey Finds Disconnect Between U.S. Consumers' Awareness and Actions Toward Cybersecurity - Yahoo Finance (09/17/2019)
      A new study from Chubb finds that when it comes to cybersecurity, Americans are concerned, but not necessarily prepared to take the appropriate—and necessary—preventative steps to protect themselves from a cyber attack.
    • Medical data of millions of Americans available online - Anthony Spadafora, Tech Radar (09/17/2019)
      The medical images and health data of millions of Americans, including X-rays, MRIs and CT scans, have been discovered on unsecured servers.
    • Baltimore transfers $6 million to pay for ransomware attack; city considers insurance against hacks - Luke Broadwater, The Baltimore Sun (08/28/2019)
      Baltimore officials on Wednesday voted to transfer $6 million from a fund for parks and public facilities to help pay for the devastating impact of the May ransomware attack on the city.
    • U.S. Cyberattack Hurt Iran’s Ability to Target Oil Tankers, Officials Say - Julian E. Barnes, The New York Times (08/28/2019)
      WASHINGTON — A secret cyberattack against Iran in June wiped out a critical database used by Iran’s paramilitary arm to plot attacks against oil tankers and degraded Tehran’s ability to covertly target shipping traffic in the Persian Gulf, at least temporarily, according to senior American officials.
    • Recent FTC Cybersecurity Settlements Highlight Benefits and Risks of Settling vs. Litigating - David Cohen, Jonathan Direnfeld, Monica Svetoslavov, JD Supra (08/22/2019)
      Amidst mounting pressure to pursue cybersecurity more aggressively, the Federal Trade Commission (“FTC”), the federal government’s most active enforcer in the space, has recently imposed increasingly stringent cybersecurity requirements in its consent orders. Given that FTC consent orders typically carry 20-year terms and a potential fine of $42,530 (which the FTC may contend applies to each consumer subject to a breach), it is vital for companies faced with an FTC cybersecurity investigation to take every possible step to narrow the scope of relief requested by the FTC. Several recent FTC cybersecurity settlements illustrate an emerging pattern: a company that litigates may secure a better deal than it would have received in an initial settlement, if not defeat the action entirely. But when considering whether to settle or litigate with the FTC, companies must still balance the various legal, business, and reputational risks at stake.
    • Hackers can turn headphones into ‘acoustic weapons,’ cybersecurity expert warns - Charlotte Edwards, New York Post (08/13/2019)
      Speakers on your phone, computer and other internet-connected devices could be hacked and used to wreak havoc on your eardrums, warns a new investigation.

      A cybersecurity expert claims to have conducted a malware test that found everyday items like headphones could be turned into “acoustic weapons.”
    • 'Bug bounty': Apple to pay hackers more than $1m to find security flaws - Alex Hern, The Guardian (08/12/2019)
      Apple will pay ethical hackers more than $1m if they responsibly disclose dangerous security vulnerabilities to the firm, the company announced at the Black Hat security conference in Las Vegas.
    • Data breach exposes personal information of 18,500 Bismarck Public Schools students - Blair Emerson, Bismarck Tribune (08/12/2019)
      About 18,500 current and former Bismarck Public Schools students had some of their personal information exposed in a data breach at a company that provides a universal screening tool to the district.
    • North Korea 'stole $2bn for weapons via cyber-attacks' - Staff, BBC (08/07/2019)
      North Korea has stolen $2bn (£1.6bn) to fund its weapons programme using cyber-attacks, a leaked United Nations report says.
    • How the Accused Capital One Hacker Stole Reams of Data From the Cloud - Robert McMillan, The Wall Street Journal (08/04/2019)
      The woman who allegedly pulled off one of the largest-ever bank-data heists appeared to have exploited a vulnerability in the cloud that security experts have warned about for years.
    • Facebook Agrees to Extensive New Oversight as Part of $5 Billion Settlement - Mike Isaac & Natasha Singer, The New York Times (07/24/2019)
      Facebook was ordered on Wednesday to create new layers of oversight for its collection and handling of users’ data by the Federal Trade Commission, as the agency detailed a privacy settlement with the social network that became a referendum on how aggressive American regulators would be against big tech companies.
    • FaceApp Lets You ‘Age’ a Photo by Decades. Does It Also Violate Your Privacy? - Niraj Chokshi, The New York Times (07/17/2019)
      Some security concerns raised about the app at the center of a popular social media trend are exaggerated, but experts say the developer should be more transparent.
    • U.S. businesses are preparing for Iranian hacks after American cyberattack - Joseph Marks, The Washington Post (06/24/2019)
      U.S. businesses should get ready for a barrage of digital retaliation from Iran after the Trump administration launched a cyberattack against the Islamic Republic’s rocket and missile launching systems, current and former U.S. government officials said this weekend.
    • Kremlin Warns of Cyberwar After Report of U.S. Hacking Into Russian Power Grid - Ivan Nechepurenko, The New York Times (06/17/2019)
      The Kremlin warned on Monday that reported American hacking into Russia’s electric power grid could escalate into a cyberwar with the United States, but insisted that it was confident in the system’s ability to repel electronic attacks.
    • The Highly Dangerous "Triton" Hackers Have Proved the US Grid - Andy Greenberg, Wired (06/14/2019)
      On the Scale of security threats, hackers scanning poten­tial targets for vulnerabilities might seem to rank rather low. But when it's the same hackers who previously executed one of the most reckless cyberattacks in history—one that could have easily turned destructive or even lethal—that recon­nais­sance has a more foreboding edge. Especially when the target of their scanning is the US power grid.
    • California operator of electricity grid fends off millions of cyberattacks each month - Rob Nikolewski, The San-Diego Union-Tribune (06/14/2019)
      The California Independent System Operator, which oversees about 80 percent of the state’s electricity consumers and 26,000 miles of transmission infrastructure, is a busy place.
    • La Liga 'secretly listened through people's microphones' to catch out pirates illegally streaming games - Anthony Cuthbertson, The Independent (06/12/2019)
      La Liga has been fined 250,000 euros after secretly listening through the microphones of users of its mobile app, according to Spain's data protection agency.
    • I agree Cybercriminals Target Americans Planning Summer Vacations to Mexico and Other Destinations - Maya Nimnicht, Business Wire (06/12/2019)
      Today, McAfee reveals how cybercriminals are capitalizing on consumers’ risky travel booking habits. The findings show that popular summer destinations in Mexico, Europe – and, surprisingly, Canmore, Canada – generate the riskiest search results when people are hunting for vacation deals online.
    • Luzerne County still recovering from cyber attack - Jennifer Learn-Andes, The Times Leader (06/04/2019)
      As Luzerne County’s recovery from a cyber attack continues, officials said much of the expense should be covered by insurance.
    • Laptop with some of the world’s most destructive malware sold for $1.3 million - Taylor Telford, The Washington Post (05/28/2019)

      An art patron has paid $1.3 million for the tech equivalent of a dormant land mine: a 2008 Samsung laptop containing some of the world’s most destructive malware.

    • DHS warns of 'strong concerns' that Chinese-made drones are stealing data - David Shortell, CNN (05/20/2019)
      Chinese-made drones may be sending sensitive flight data to their manufacturers in China, where it can be accessed by the government there, the US Department of Homeland Security warned in an alert issued Monday obtained by CNN.
    • EU Agrees Powers to Sanction, Freeze Assets Over Cyber-Attacks - Natalia Drozdiak, Bloomberg (05/17/2019)

      The European Union on Friday agreed to new rules that will grant it authority to impose travel bans and asset freezes against individuals responsible for cyber-attacks that pose a significant threat to the bloc.

    • 8 days after cyberattack, Baltimore’s network still hobbled - David McFadden, The Washington Post (05/15/2019)
      More than a week after a cyberattack hobbled Baltimore’s computer network, city officials said Wednesday they can’t predict when its overall system will be up and running and continued to give only the broadest outlines of the problem.
    • WhatsApp patches security flaw after spyware injection revealed - Staff, AFP (05/14/2019)
      WhatsApp on Tuesday urged users to upgrade the application to plug a security hole that allowed for the injection of sophisticated malware that could be used to spy on journalists, activists and others.
    • Russia and Iran expected to conduct disruptive cyber-attacks in Middle East - Naushad K. Cherrayil, Tech Radar (05/09/2019)
      Security solutions provider FireEye has said that Russia and Iran are looking to conduct disruptive cyber-attacks on OT [operational technology] targets in the Middle East in a bid to disrupt industrial production. OT consists of machinery equipment, assets monitoring systems and industrial control systems.
    • Binance says hackers stole $40 million worth of bitcoin in one transaction - Hamza Shaban, The Washington Post (05/08/2019)
      In a single withdrawal, hackers siphoned $40 million in bitcoin from one of the largest cryptocurrency exchanges in the world.
    • Cyber-attack threat is costly for Modesto schools. The total estimate may surprise you - Ken Carlson, The Modesto Bee (05/05/2019)
      The costs of combating a recent cyber attack and securing computer services against further attacks will easily exceed $1 million for Sylvan Union School District.
    • Fort Bragg issues apology after fake cyber attack prompts alarm, conspiracy theories - Mark Price, The Charlotte Observer (04/26/2019)
      Fort Bragg officials issued an apology late Thursday, after realizing shutting off power to tens of thousands of post residents created alarm on the post and generated some rather bizarre conspiracy theories in the surrounding community.
    • Many firms fear impact of data security measures on business operations - Bob Violino, Information Management (04/26/2019)
      Many technology executives around the world have held back from implementing critical measures that keep their organizations resilient against disruption and cyber threats, according to a new report from endpoint visibility software provider Tanium.
    • The Russians are screwing with the GPS system to send bogus navigation data to thousands of ships - Jim Edwards, Business Insider (04/14/2019)

       

      On May 15, 2018, under a sunny sky, Russian President Vladimir Putin drove a bright-orange truck in a convoy of construction vehicles for the opening of the Kerch Strait Bridge from Russia to Crimea. At 11 miles long, it is now the longest bridge in Europe or Russia.

      As Putin drove across the bridge, something weird happened. The satellite navigation systems in the control rooms of more than 24 ships anchored nearby suddenly started displaying false information about their location. Their GPS systems told their captains they were anchored more than 65 kilometers away — on land, at the Anapa Airport.

    • Chinese hackers reportedly targeted 27 universities for military secrets - Shannon Liao, The Verge (03/05/2019)
      Chinese hackers singled out over two dozen universities in the US and around the world in an apparent bid to gain access to maritime military research, according to a report by cybersecurity firm iDefense, which was obtained by The Wall Street Journal. . . . The hackers sent universities spear phishing emails doctored to appear as if they came from partner universities, but they unleashed a malicious payload when opened. Universities are traditionally seen as easier targets than US military contractors, and they can still contain useful military research. . . . Twenty-seven universities were found to have been targeted by the group, including the Massachusetts Institute of Technology, the University of Washington, and other colleges in Canada and Southeast Asia. iDefense didn’t name every school in the report due to ongoing investigations, but anonymous sources told the WSJ that Penn State and Duke University were two of the other targets.
    • Chinese firm attempts to assuage concerns amid mounting accusations - Adam Shepherd, ITPRO (02/07/2019)
      It will take up to five years for Huawei to start fixing security issues in its telecoms infrastructure equipment highlighted by the UK government, it has emerged.
      In a letter to Parliament's Science and Technology committee, the company warned that its $2 billion plan to address the government's concerns would not start to see measurable results for around three to five years. . . . "Enhancing our software engineering capabilities is like replacing components on a high-speed train in motion," said Ryan Ding, president of Huawei's carrier business group. "We hope the UK government can understand this." . . . It added that while its software engineering has "room for improvement", its "operational quality and performance of our products on live networks are top in the industry".

    2018

    • FDA Issues Draft Guidance on Management of Cybersecurity in Medical Devices - Neil P. Di Spirito, Epstein Becker Green Health Law Advisor (11/18/2018)
      The FDA issued a new Draft Guidance today to ensure medical devices – an increasing potential target for hackers – are better protected from unauthorized digital access. . . . According to the FDA’s draft guidance issued today, “Cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the US and globally. Such cyberattacks and exploits can delay diagnoses and/or treatment and may lead to patient harm.”
    • ATM HACKERS STEAL £10M ACROSS 28 COUNTRIES IN AUDACIOUS BANK HEIST - ANTHONY CUTHBERTSON, INDEPENDENT UK (08/16/2018)
      Hackers with suspected ties to North Korea have syphoned more than 940 million rupees (£10.5 million) from ATMs around the world in a highly-coordinated attack. . . . The heist on Cosmos Bank took place across several days, beginning on 11 August, just a day after the FBI warned cyber criminals could be planning a highly-coordinated attack on cash machines. . . . Hackers carried out the attack by infecting the bank's debit card payment system with malware, which allowed them to self-approve transactions. Fake cards were then used to withdraw money through roughly 14,800 ATM transactions across 28 countries.
    • Google says employees haven't been hacked since safeguarding accounts with physical keys - Andrew Blake, The Washington Times (07/24/2018)
      Google has successfully defended its over 85,000 employees against phishing attacks like the kind that hacked Democrats during the 2016 U.S. presidential race since requiring that staffers use physical, USB-based security keys to access their work accounts, the company said Monday. . . .None of Google’s employees have had their work-related accounts compromised since mandating physical keys in early 2017, a Google spokesperson told the Krebson Security website. . . . “We have had no reported or confirmed account takeovers since implementing security keys at Google,” said the spokesperson. “Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.” . . . . Physical security keys can safeguard users who have been “phished,” or duped into disclosing their log-in credentials, by requiring more than just a username and password to access an account. Accounts protected using physical security keys can typically only be accessed by inserting a recognized USB-based device into the computer being used during the log-in process and pressing a button, meaning a hacker would need both a user’s password and the physical key to gain entry.
    • Russian hackers penetrated networks of U.S. electric utilities - WSJ, Reuters (07/23/2018)
      Russian hackers gained access to the networks of U.S. electric utilities last year, which could have allowed them to cause blackouts, according to federal government officials, who said the campaign is likely continuing, The Wall Street Journal reported on Monday. . . . The hackers, who worked for a Russian state-sponsored group known as Dragonfly or Energetic Bear, claimed “hundreds of victims” in 2017, according to officials at the Department of Homeland Security, the Journal reported. . . . Hackers used conventional tools such as spear-phishing emails and watering-hole attacks that trick victims into entering their passwords and then gained access to corporate networks of suppliers, which allowed the hackers to steal credentials and gain access to utility networks, the report on.wsj.com/2LxBrtZ said.
    • Bitcoin, malware and 'spearphishing' helped Russian agents hack Democratic Party computers in 2016 election - CHRIS MEGERIAN, LA Times (07/15/2018)
      The email landed in John Podesta’s crowded inbox around March 19, 2016, during the height of the presidential primaries, and it appeared to be a standard security request from Google for Hillary Clinton’s campaign chairman to change his password. . . . Doing so ultimately led to a political firestorm that is still raging. . . . The email was actually from Aleksey Lukashev, a senior lieutenant in Russian military intelligence, using the account “john356gh” to mask his purpose, U.S. officials say. The email contained an embedded link that secretly opened Podesta’s account to a hacking team at 20 Komsomolskiy Prospekt, near Moscow’s Red Square.
    • Hacks on a Plane: Researchers Warn It's Only 'a Matter of Time' Before Aircraft Get Cyber Attacked - KEVIN KELLEHER, Fortune (06/08/2018)
      Since 9/11, airlines, airports and government agencies have introduced many travel security measures aimed at protecting passengers from a terrorist attack. Some researchers in the US government are starting to show concern about another avenue of attack: remote hacking of an airplane. . . . Among the chief concerns are the “potential of catastrophic disaster,” should an aircraft be breached while in flight, according to a report from Motherboardthat drew on documents from the Department of Homeland Security and other federal agencies. One risk-assessment presentation called an airline breach “a matter of time.” . . . .Last November, a DHS official said at a cybersecurity conference that he had remotely hacked the systems of an airplane parked at the airport in Atlantic City, N.J. The breach, which relied on the aircraft’s radio-frequency communications, took place in September 2016.
    • BMW 'powerless' to stop car hack thefts - JAMES SALMON, INDUSTRY NEWS (05/01/2018)
      In e-mails to a customer seen by the UK's Daily Mail, the German giant acknowledged its latest keyless models are vulnerable to thieves using gadgets widely available online. . . . However, it insisted it cannot accept any responsibility for this. . . . The Mail has highlighted a surge in thefts using ‘relay boxes’ to extend the signal from owners’ key fobs to steal vehicles outside their homes. . . . BMW admitted its ‘comfort access’ cars can be stolen in this way but said that while such thefts were "extremely regrettable… we cannot take responsibility". . . . It insisted they were an "act involving the highest level of criminal energy", adding that "BMW is powerless against criminal mechanism".
    • Zelle, the Banks’ Answer to Venmo, Proves Vulnerable to Fraud - Alfred Jackson, America’s Richest (04/22/2018)
      Last June, Early Warning launched Zelle. It is constructed immediately into every financial institution’s cell app, making the system straightforward to use for purchasers — or thieves who achieve entry to their accounts. . . . The scale of the downside is tough to pinpoint, as a result of Zelle is pretty new and banks don’t report a lot information about it. But banking analysts say they’ve seen some alarming incidents.
      “I know of one bank that was experiencing a 90 percent fraud rate on Zelle transactions, which is insane,” mentioned Genevieve Gimbert, a companion in PwC’s monetary crimes unit. Most banks have sturdy authentication and fraud-detection controls for Zelle, she mentioned, however some “just implemented it without any protections” like two-factor authentication and user-behavior monitoring. . . . Zelle mentioned the downside was below management. . . . “There are very few incidents,” mentioned Lou Anne Alexander, Early Warning’s head of funds. “When there is a problem, we and the banks are proactive. It’s not something we’re putting our heads in the sand about.” . . . Eighteen banks in the United States, together with most of the largest gamers, are utilizing Zelle, and 70 extra are in the means of setting it up. Collectively, they join about half of the conventional checking accounts in the United States. Cash transfers inside the community usually happen inside seconds — a lot quicker than on most of its rival fee providers. That has made it harder for banks to halt or reverse illicit transactions.
    • Hackers 'led warplanes to Syrian hospital' after targeting British surgeon's computer - Hayley Dixon, Aisha Majid, Steven Swinford, The Telegraph (03/20/2018)
      British surgeon who helped carry out operations in Aleppo fears that the hacking of his computer led to a hospital being bombed by suspected Russian warplanes. . . . In a world first, renowned consultant David Nott gave remote instructions via Skype and WhatsApp which allowed doctors to carry out surgery in an underground hospital. . . . But, after footage was broadcast by the BBC, Mr Nott believes his computer was targeted, allowing hackers to gain the coordinates of the M10 hospital. . . . Weeks later a "bunker buster" bomb destroyed the M10 when warplanes, believed to be Russian, delivered a direct hit to the operating theatre, killing two patients and permanently closing the hospital. . . . Mr Nott believes that the timing of the attack and the precise nature of the target could only have been gleaned from the coordinates on his computer.
    • One Hacker Can Make $100M A Year With Evil Cryptocurrency Miners - Thomas Fox-Brewster, Forbes (01/31/2018)
      In the online criminal underworld, a booming industry has been born, with as much as $100 million to be made per hacker. It involves breaking into people's PCs and smartphones, installing malware on the devices and then forcing them to mine Monero, a cryptocurrency that's become increasingly attractive to ne'er-do-wells of late due to its focus on protecting the identities of its owners. . . . On Tuesday, Cisco's Talos division detailed the extent of the problem. Such is the rise in popularity of cryptomining amongst criminals that it could overtake ransomware as their favorite way of making illicit profit, according to Talos. Why? It's partly because with newer coins like Monero, which is currently worth around $275 per token (known as an XMR), the power needed to mine a vast number of coins at speed is small when compared to the likes of Bitcoin. . . . Such mining relies on computing power to solve difficult mathematical problems; once they're solved coins are unlocked. The more power hackers can steal from the PCs they compromise, the quicker they can mine coins. . . . According to Talos data, a typical PC can generate around $0.28 of Monero per day. Where a hacker has control of tens of thousands or even millions of PCs, the profit can be significant, up to $100 million for a single hacker crew, Cisco's security division claimed.
    • Lloyd’s of London chief warns cyberattack is now the insurance sector’s main battle ground - Enoch Yiu, South China Morning Post (01/16/2018)
      Lloyd’s of London, the world’s oldest insurance market, has warned that financial and other companies are still not taking strong enough measures to defend themselves against serious cyberattack. Lloyd’s of London, the world’s oldest insurance market, has warned that financial and other companies are still not taking strong enough measures to defend themselves against serious cyberattack. . . . In Hong Kong this week, taking part in the Asian Financial Forum, its Chief Executive Inga Beale said a malicious hacker who takes down a single cloud service provider, for instance, could easily end in losses of well upwards of US$50 billion. . . . But it could be double that, as the insurance industry still hasn’t got enough experience of dealing with how pricey such cyber raids really could be. . . .While attacks on computer operating systems run by a large number of businesses around the world, could end up causing companies losses of US$30 billion, leaving big business or even governments highly exposed.

    2017

    • Bitcoin exchange collapses after second cyber attack in a year - Margi Murphy, The Telegraph (12/19/2017)
      South Korean digital currency exchange said it is filing for bankruptcy after it was hacked for the second time in a year. . . . North Korean hackers are believed to be behind a heist that lost an exchange called YouBit nearly 4,000 Bitcoins in April, according to South Korean reports. . . . YouBit - a small player in South Korea's cryptocurrency market - said this morning that hackers had stolen 17 per cent of its crypto assets at 04:35am local time on Tuesday. The price of Bitcoin fell from just under $19,000 (£14,200) to just over $18,000.
    • Bitcoin exchange collapses after second cyber attack in a year - Margi Murphy, The Telegraph (12/19/2017)
      South Korean digital currency exchange said it is filing for bankruptcy after it was hacked for the second time in a year. . . . North Korean hackers are believed to be behind a heist that lost an exchange called YouBit nearly 4,000 Bitcoins in April, according to South Korean reports. . . . YouBit - a small player in South Korea's cryptocurrency market - said this morning that hackers had stolen 17 per cent of its crypto assets at 04:35am local time on Tuesday. The price of Bitcoin fell from just under $19,000 (£14,200) to just over $18,000.
    • The rise of cryptojacking: How hackers hog computer CPUs to make money - ALEKSANDRA SAGAN, HE CANADIAN PRESS (11/19/2017)
      Anyone casually surfing the internet at home can be deployed as an unwittingly productive member of a hacker’s workforce, a practice known as “cryptojacking” that is on the rise. . . . Internet sleuths have discovered malicious code on the websites of several major companies — including Canada’s Loblaw Companies Ltd. — left by cryptojackers looking to break into computers and commandeer their processing power for cryptocurrency mining. . . . Cryptocurrencies, such as Bitcoin, are digital “coins” created by groups of computers — known as miners — that work together to solve mathematical puzzles that verify transactions. The more puzzles they solve, the more currency they earn. The exercise is hugely taxing on a computer’s processing power and the electricity it requires is expensive.
    • EU to Declare Cyber-Attacks “Act of War” - Phil Muncaster, Infosecurity Magazine (10/31/2017)
      European Union member states have drafted a diplomatic document which states serious cyber-attacks by a foreign nation could be construed as an act of war. . . . The document, said to have been developed as a deterrent to provocations by the likes of Russia and North Korea, will state that member states may respond to online attacks with conventional weapons “in the gravest circumstances." . . . . The framework on a joint EU diplomatic response to malicious cyber activities would seem to raise the stakes significantly on state-sponsored attacks, especially those focused on critical infrastructure. . . . Security minister Ben Wallace claimed last week that the UK government is “as sure as possible” that North Korea was behind the WannaCry ransomware attacks in May that crippled over a third of NHS England, forcing the cancellation of thousands of operations and appointments. . . . The suspected state-sponsored group known as Dragonfly has also been active of late probing US energy facilities.
    • Study examines how insurers mitigate cyberrisk for small and medium-sized businesses - III Press Office , III (10/30/2017)
      More than half of U.S. small- and medium-sized businesses (SMBs) experienced a cyberattack within the past year, yet only 14 percent of businesses felt prepared and protected, according to a recent white paper from the Insurance Information Institute (I.I.I.). . . . The white paper, Protecting Against #Cyberfail: Small Business and Cyber Insurance, examines how insurers are addressing the threat cyberattacks and data breaches pose to SMBs through a combination of innovative insurance products, risk management techniques and employee training.
    • US warns of security flaw which can compromise Wi-Fi connections - msn (10/17/2017)
      The US government's computer security watchdog warned Monday of a security flaw in Wi-Fi encryption protocol which can open the door to attacks to eavesdrop on or hijack devices using wireless networks. . . . The disclosure by the government's Computer Emergency Response Team could potentially allow hackers to snoop on or take over millions of devices which use Wi-Fi. . . . The agency, part of the Department of Homeland Security, said the flaw was discovered by researchers at the Belgian university KU Leuven. . . . According to the news site Ars Technica, the discovery was a closely guarded secret for weeks to allow Wi-Fi systems to develop security patches. . . . Attackers can exploit the flaw in WPA2 -- the name for the encryption protocol -- "to read information that was previously assumed to be safely encrypted," said a blog post by KU Leuven researchers. . . . "This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks.
    • Scientists hack a computer using DNA: Malware encoded in strands of genetic code takes 'full control' of a machine in a world first - HARRY PETTIT, Daily Mail (08/10/2017)

      Scientists have synthesised a strand of DNA that can be used to hack computers in a world first. . . . The malware was encoded into a gene and used to take over a computer that analyses DNA code. . . . Scientists warn that cyber criminals could one day use faked spit or blood samples to steal information from police forensics labs, hack into university computers, or infect genome files shared by researchers.

    • Criminals can beat your burglar alarm with a click of an electronic hacking device available for £109 on Amazon - SIMON MURPHY, DAILYMAIL.COM (07/15/2017)

      Criminals can switch off burglar alarm systems at the touch of a button using an electronic device sold on Amazon, a Mail on Sunday investigation can reveal.

      Thieves using the £109 hacking gadget can deactivate wireless burglar alarms within seconds by jamming the signal from battery-powered sensors around the home that would otherwise sound a siren, allowing them to discreetly gain entry.

      Called YARD Stick One, the gadget is a hand-held USB stick with a small antenna that plugs into a laptop. Although the use of jamming devices in Britain is illegal, the device is freely available on Amazon with next-day delivery.

    • Apple sets up China data center to meet new cyber-security rules - Reuters (07/12/2017)

      Apple Inc on Wednesday said it is setting up its first data center in China, in partnership with a local internet services company, to comply with tougher cyber-security laws introduced last month. . . . The U.S. technology company said it will build the center in the southern province of Guizhou with data management firm Guizhou-Cloud Big Data Industry Co Ltd (GCBD). . . . An Apple spokesman in Shanghai told Reuters the center is part of a planned $1 billion investment into the province.

    • 'Smishing' scams target your text messages. Here's how to avoid them - Marc Saltzman, USA Today (07/03/2017)
      While the name of this growing threat might sound funny, being a victim of it is no joke.
    • Above The Clouds: Jeweler's Trade Secret Spat Highlights Risk Of Employee-Controlled Cloud Storage - Trade Secrets Watch, Mondaq (06/26/2017)
      We have discussed before the importance of maintaining internal policies and procedures to protect the security and integrity of cloud-based repositories.
    • EU agrees to use sanctions against cyber hackers - Robin Emmott, Reuters (06/19/2017)
      The European Union can levy economic sanctions on anyone caught attacking EU states' computer networks, EU foreign ministers said on Monday, the bloc's latest step to deter more attacks following incidents in Britain and France.
    • Employees Assert Illinois Biometric Privacy Claims against Supermarket over Fingerprint Collection Practices - Jeffrey D. Neuburger, The National Law Review (06/12/2017)
      Even though Washington passed its own biometric privacy law last month (HB 1493), and other states are currently debating their own bills, Illinois's Biometric Information Privacy Act (BIPA) is still the crux of biometric and facial recognition privacy-related litigation.
    • Cybercrime Costs to Reach $8 Trillion by 2022 - Dark Reading Staff, Dark Reading (05/30/2017)
      Cybercrime costs are expected to saddle businesses with a whopping $8 trillion price tag over the next five years, as connectivity to the Internet rises but security system upgrades don't keep pace, according to a Juniper Research report released today.
    • Cyber Kid Stuns Experts Showing Toys Can be 'Weapons' - AFP, Security Week (05/16/2017)
      American wunderkind Reuben Paul, may be still only in 5th grade at his school in Austin, Texas, but he and his teddy bear Bob wowed hundreds at a timely cyber security conference in The Netherlands. "From airplanes to automobiles, from smart phones to smart homes, anything or any toy can be part of the" Internet of Things (IOT)," he said, a small figure pacing the huge stage at the World Forum in The Hague. "From terminators to teddy bears, anything or any toy can be weaponised." To demonstrate, he deployed his cuddly bear, which connects to the icloud via wifi and bluetooth smart technology to receive and transmit messages.
    • Car hacking – could it actually happen? Why security is the next frontier for vehicle manufacturers - David Williams, The Telegraph (04/13/2017)

      Car hacking and connected vehicle security is poised to become one of the most talked-about (and worried-about) issues in the industry for three main reasons. . . . The first is that it’s a genuinely huge risk and represents a whole new frontier in vehicle security. While most people – both the industry and its customers – are still largely preoccupied with good old-fashioned smash-and-grab theft, criminals are increasingly sophisticated and will develop new techniques as technology allows it. . . . The second is that the media is weirdly paranoid about things like this. We tend to get a bit panicky whenever tech-related crime gets brought up, overusing words like “hacking” and “cyber” without any real grasp of what they mean.  . .  . And the third is that car hacking is a big part of the new Fast and the Furious film, The Fate of the Furious. This franchise is not renowned for its straightforward relationship with reality – think “danger to manifold!” and quarter-mile drag races that take 90 seconds – but the new film will be enough to prompt a glut of pontificating what-if articles, including this one. . . . As always, the reality is a lot less spectacular and probably a bit more depressing than the lurid portrayal of car hacking as found in The Fate of the Furious and elsewhere. But it’s a real risk and, depending on your interpretation of the key words “hacking” and “cyber”, might already be happening. . . . The shocking ease with which a car’s computers can be hijacked was graphically illustrated last year when US hackers remotely took control of a Chrysler Jeep’s core functions – including brakes, wipers steering and transmission – during a dramatic filmed stunt.

    • Brexit voting website crash 'caused by foreign cyber attack,' report reveals - Patrick Grafton-Green, The Evening Standard (04/12/2017)
      A report into how the public views the Government's handling of Brexit revealed shocking details of possible online interference by a foreign country in last year's vote. The Commons Public Administration and Constitutional Affairs Committee (PACAC) said it was deeply concerned about the allegations of foreign interference. While the committee did not identify who may have been responsible, it noted that both Russia and China use an approach to cyber attacks based on an understanding of mass psychology and of how to exploit individuals. The warning comes amid repeated claims that Russia has sought to interfere in foreign elections, including last year's US presidential election.
    • Power grid leaders worry that a cyberattack is looming - James Osborne & Collin Eaton, The Houston Chronicle (04/07/2017)
      The potential for a major cyberattack against the nation's power system is at an all-time high, according to the industry group representing electrical grid operators. Gerry Cauley, president of the North American Electric Reliability Corp., told members of the Senate Energy and Natural Resources Committee last week that hackers have yet to shut down power to U.S. electricity customers but have succeeded in other countries. In December 2015, for example, hackers shut down power for thousands of Ukrainian electricity customers for six hours in an attack that compromised three power plants.
    • MIT: Cybersecurity at risk - Jordan Graham, The Boston Herald (03/29/2017)
      Tech experts and former government officials from MIT are calling on the government to beef up cybersecurity systems guarding the nation’s infrastructure and warning that it’s only a matter of time before terrorists or criminals can take down a power grid or wipe out financial records. . . . “This is not hypothetical, this stuff is happening,” said Joel Brenner, former inspector general and senior council at the National Security Agency. . . .  Brenner, a principal author of the shocking report, which was produced by a group of professors and experts from MIT’s Center for International Studies and Computer Science and Artificial Intelligence Laboratory, went on to warn that “we’re going to see more of this — and it’s going to be worse.”
    • UK targets WhatsApp encryption after London attack - Aljazeera (03/26/2017)
      The British government has said its security services must have access to encrypted messaging applications such as WhatsApp to prevent violent London crimes. . . . UK media reports have suggested that the man behind an attack in London last week sent an encrypted WhatsApp message moments before killing four people by ploughing his car into pedestrians and fatally stabbing a policeman. . . . Home Secretary Amber Rudd said on Sunday it was "completely unacceptable" that police and security services had not been able to crack the heavily encrypted service.
    • New York Cyber Regs Take Effect, Mid-Sized Firms Could See Biggest Impact - Elizabeth Blosfield, The Insurance Journal (03/01/2017)
      As the insurance industry has closely followed developments regarding The New York State Department of Financial Services’ (DFS) cybersecurity regulation, concerns remain in terms of how the final regulation, set to go into effect March 1, may impact mid-sized companies in particular.
    • N.Y. cyber rules could raise loss exposures for US insurers - Rob Lenihan, Business Insurance (02/13/2017)
      The New York Department of Financial Service's new cyber security regulations have the potential to raise premium growth in cyber security and directors and officers liability insurance, but they could also raise loss potential for insurers, Fitch Ratings Inc. said Monday. The rules, effective March 1, will cover over 3,000 financial institutions and make New York the first U.S. state to put cyber security regulations into place, the New York-based rating agency said in a statement.
    • Law Firm Data Breaches Demonstrate Expanding Scope of Cyber Attacks - Joseph Facciponti and Joseph V. Moreno, National Law Review (01/18/2017)
      In a case of “cyber meets securities fraud,” the United States Attorney’s Office for the Southern District of New York (“SDNY”) recently indicted three foreign nationals on charges of insider trading, wire fraud, and computer hacking for allegedly trading on information they stole from the computer networks of two major New York law firms.1 A parallel enforcement action brought by the Securities and Exchange Commission – its first time bringing civil charges based on the hacking of a law firm’s computer network – alleges insider trading and other violations of the Securities Exchange Act of 1934. The case is a wake-up call that hackers are becoming more creative both in their choice of victims and in how they use the information they steal, requiring companies to reconsider what type of data is prone to hacking and whether their security protocols are sufficient to detect and prevent it. It is also a reminder to certain federal and state regulated entities that they may soon have to comply with new cybersecurity rules requiring robust policies and procedures governing how confidential data and computer networks are handled and protected.
    • Families of Americans killed in Brussels, Paris attacks sue Twitter - Andrew V. Pestano, UPI (01/10/2017)
      Relatives of three U.S. citizens killed during the Islamic State's attacks on Belgium and Paris filed a lawsuit against Twitter, accusing the social media platform of conspiring with the terrorist group. . . . Filed Sunday in the U.S. District Court for the Southern District of New York, the lawsuit alleges Twitter failed to keep members of IS, also known as ISIS, ISIL and Daesh, off the platform.
    • U.S. Power Grid Called Easy Cyber Target - Ari Natter and Mark Chediak, Bloomberg News (01/06/2017)
      The U.S. Energy Department says the electricity system “faces imminent danger” from cyber-attacks, which are growing more frequent and sophisticated, but grid operators say they are already on top of the problem. . . . In the department’s landmark Quadrennial Energy Review, it warned that a widespread power outage caused by a cyber-attack could undermine “critical defense infrastructure” as well as much of the economy and place at risk the health and safety of millions of citizens. The report comes amid increased concern over cybersecurity risks as U.S. intelligence agencies say Russian hacking was aimed at influencing the 2016 presidential election.
    • At CES, security experts warn of lurking threats from smart devices - Adam Candee , Las Vegas Sun (01/06/2017)
      Hey Siri, did you tell Alexa what we talked about last night? . . . . This is not sample conversation from the latest episode of "The Bachelor." Within the “internet of things” that connects everything from our phones to our refrigerators, people talk to their devices to access a world of information and convenience. Your device listens when you talk to it — and when you don’t. . . . Cybersecurity experts discussed Thursday at a series of panels at CES a range of topics, including how to safeguard "always-on" devices such as Amazon’s Echo and Apple’s iPhone.

    2016

    • FDA issues industry guidance to secure networked medical devices - Greg Slabodkin, Health Data Management (12/29/2016)
      The Food and Drug Administration has released final guidance on the post-market management of cybersecurity in medical devices. Of particular concern is the growing number of networked medical devices, the vulnerabilities of which could potentially put patient safety at risk.
    • Nuclear power plants vulnerable to hacking attack in 'nightmare scenario', UN warns - AP (12/13/2016)
      The “nightmare scenario” of radioactive material being released from nuclear power stations using a cyber attack is being attempted by terrorist groups, the Deputy Secretary-General of the United Nations (UN) has warned. . . . Jan Eliasson told the UN Security Council “vicious non-state groups” were making efforts to acquire weapons of mass destruction (WMDs) and warned: “These weapons are increasingly accessible.” . . . A hacking attack on a nuclear power plant would be a “nightmare scenario”, he added. . . . Terrorist groups such as Isis and al-Qaeda are known to have sought access to WMDs and it was reported earlier this year that Isis operatives in Belgium had been following a scientist who worked at a nuclear power station, with the hope of using him to gain access to the plant.
    • Attack Crashes Nearly 1M Deutsche Telekom Internet Routers - Drew Fitzgerald , The Wall Street Journal (11/29/2016)
      An attack hit nearly one million home internet routers of Deutsche Telekom AG customers, knocking them offline, the latest in a string of similar events that have revealed vulnerabilities in home devices connected to the internet. Deutsche Telekom, which has 20 million fixed line customers, said the attack started Sunday and attempted to infect the routers with malicious software. In about 5% of the routers, the company said, the virus caused the devices to malfunction, interrupting internet service.
    • Medical devices pose weak link in preventing cyber attacks - Fred Bazzoli , HealthData Management (11/14/2016)
      For many users of Johnson & Johnson’s OneTouch Ping insulin pump, the benefit of ease of use has been outweighed by the fear of hacking. In early October, the company sent letters to patients using the devices, alerting them to the fact that the OneTouch contained a cybersecurity flaw that could allow a hacker to reprogram the device to administer additional doses of the diabetes drug, which could be life-threatening. In its letter to patients, Johnson & Johnson portrayed the risk as minimal. “The probability of unauthorized access to the OneTouch Ping System is extremely low,” it noted. “It would require technical expertise, sophisticated equipment and proximity to the pump.” A spokesman for the company says it’s working to eliminate the vulnerability; it has laid out a series of steps patients can take to reduce the risk, such as turning off the pump’s wireless connection to a blood-sugar meter, or setting a limit on the amount of insulin that can be delivered.
    • Why Light Bulbs May Be the Next Hacker Target - John Markoff , The New York Times (11/03/2016)
      The so-called Internet of Things, its proponents argue, offers many benefits: energy efficiency, technology so convenient it can anticipate what you want, even reduced congestion on the roads. Now here’s the bad news: Putting a bunch of wirelessly connected devices in one area could prove irresistible to hackers. And it could allow them to spread malicious code through the air, like a flu virus on an airplane. Researchers report in a paper to be made public on Thursday that they have uncovered a flaw in a wireless technology that is often included in smart home devices like lights, switches, locks, thermostats and many of the components of the much-ballyhooed “smart home” of the future.
    • Microsoft says Russia-linked hackers exploiting Windows flaw - Kim Finkle and Dustin Volz , Reuters (11/01/2016)
      Microsoft Corp (MSFT.O) said on Tuesday that a hacking group previously linked to the Russian government and U.S. political hacks was behind recent cyber attacks that exploited a newly discovered Windows security flaw. The software maker said in an advisory on its website there had been a small number of attacks using "spear phishing" emails from a hacking group known Strontium, which is more widely known as "Fancy Bear," or APT 28. Microsoft did not identify any victims. Microsoft's disclosure of the new attacks and the link to Russia came after Washington accused Moscow of launching an unprecedented hacking campaign aimed at disrupting and discrediting the upcoming U.S. election.
    • Litigation Alert: The Fifth Circuit Limits Coverage Under The Computer Fraud Provision Of Insurance Policies - Hanley Chew, Fenwick and West LLP (10/26/2016)
      Last week, the U.S. Court of Appeals for the Fifth Circuit narrowed the conduct covered under an insurance policy’s computer fraud provision by vacating the judgment in favor of the insured, Apache Corp., and rendering judgment for the insurer, Great American Insurance Company, in Apache Corp. v. Great Am. Insur. Co., No. 15-20499 (S.D. Tex. Oct. 18, 2016).
    • Regulators to Toughen Cybersecurity Standards at Nation’s Biggest Banks - Donna Borak, The Wall Street Journal (10/19/2016)
      U.S. regulators on Wednesday unveiled an initial plan to bolster the ability of the country’s largest banks to withstand a major cyberattack, a move aimed at protecting the U.S. financial system in the event of a technology failure. The plan, released jointly by the Federal Reserve, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency, would strengthen the way agencies oversee how large U.S. banks and foreign banks operating in the U.S. with $50 billion or more in assets manage and address threats to cybersecurity.
    • J&J warns diabetic patients: Insulin pump vulnerable to hacking - Jim Finkle , Reuters (10/04/2016)
      Johnson & Johnson is telling patients that it has learned of a security vulnerability in one of its insulin pumps that a hacker could exploit to overdose diabetic patients with insulin, though it describes the risk as low. Medical device experts said they believe it was the first time a manufacturer had issued such a warning to patients about a cyber vulnerability, a hot topic in the industry following revelations last month about possible bugs in pacemakers and defibrillators. J&J executives told Reuters they knew of no examples of attempted hacking attacks on the device, the J&J Animas OneTouch Ping insulin pump. The company is nonetheless warning customers and providing advice on how to fix the problem.
    • Zurich: SMEs increasingly worried by cyber risk - Mina Martin , Insurance Business Online (09/29/2016)
      Small and medium-sized enterprises (SMEs) are increasingly concerned about cyber risks and reputational damage; with impact of competition on margins and lack of consumer demand topping the list of SME concerns, a global insurer has found. Zurich Insurance Group’s third annual global SME survey has revealed that concerns about cybercrime have tripled since 2013, from 4 per cent to 11 per cent; while concerns about reputational damage, have almost doubled, from 8 per cent to 14 per cent. Zurich said the two were the fastest growing perceived risks since the survey was first held in 2013.
    • Punish companies for cyber security failures, directors say - James Titcomb , The Telegraph (09/26/2016)
      Companies should face severe financial penalties if they fail to keep customers’ data safe, a majority of directors believe, amid a spate of cyber attacks on big businesses. Seven in 10 board members have demanded stricter punishment for those who fail to meet basic cyber-security requirements, according to research group ComRes. The figures, due to be presented at the Institute of Directors Annual Convention on Tuesday by the FTSE 250 security company NCC Group, come in the wake of Yahoo revealing the biggest-ever cyber attack on a major company.
    • New Airborne Technologies Promise to Better Link Planes and Satellites - Andy Pasztor, The Wall Street Journal (09/21/2016)
      Hawaiian Airlines and FedEx Corp. are trying novel airborne technologies that promise to cut the cost, reduce the weight and exponentially increase the capacity of communication systems connecting aircraft with satellites. But the moves also raise cybersecurity issues, because experts say such links eventually could blur longstanding distinctions between the way information is sent to cabin entertainment devices versus transmission of safety-related data to cockpits… Currently, cabin and cockpit communications on commercial airliners are completely separate. They use different equipment and different frequencies, plus there is a physical gap between hardware that processes cabin signals and electronics reserved exclusively for the cockpit. But as jetliners steadily become more connected to the internet—and carriers hunt for less expensive, more flexible ways to ship various types of data—many experts envision those digital firewalls eventually will erode.
    • Team of hackers take remote control of Tesla Model S from 12 miles away - Olivia Solon , The Guardian (09/20/2016)
      Three months since the first fatal crash involving a Tesla driving in autopilot mode, hackers have taken remote control of a Tesla Model S from a distance of 12 miles, interfering with the car’s brakes, door locks, dashboard computer screen and other electronically controlled features in the high-tech car. A team of Chinese security researchers – Samuel LV, Sen Nie, Ling Liu and Wen Lu from Keen Security Lab – were able to target the car wirelessly and remotely in an attack that could cause havoc for any Tesla driver. The hack targeted the car’s controller area network, or Can bus, the collection of connected computers found inside every modern vehicle that control everything from its indicators to its brakes. In a video demonstrating the vulnerability, the hackers targeted both the Tesla Model S P85 and Model 75D, although they said it would work on other models too.
    • New York Proposes Cybersecurity Regulations for Banks - Christopher M. Matthews, The New York Times (09/13/2016)
      New York Gov. Andrew Cuomo and the state’s top banking regulator proposed regulations Tuesday that would be among the first in the U.S. to require banks to establish cybersecurity programs. If implemented, the regulations would increase the onus on some of the world’s largest banks to invest in cyber protections that could cost them and insurers millions of dollars, according to experts. Banks would be required to hire a chief information security officer and implement measures that detect and deter cyber intrusions and protect consumer data.
    • Report: IoT Security Failures are 100 Percent Preventable - Ariel Robinson , Nextgov (09/09/2016)
      One hundred percent of internet of things security failures reported between November 2015 and July 2016 could have been easily avoided had manufacturers and developers taken a more serious approach to security and privacy, according to new research. That number comes from Online Trust Alliance, a nonprofit that works with companies and policymakers to enhance privacy and security on the internet… IoT security is uniquely challenging because it’s “three dimensional.” There’s the security of the physical device, the mobile app, and the back-end service—and then there’s the data flow between the three points.
    • Apple Mac virus can take screenshots and see everything you type - Cara McGoogan, The Telegraph (09/09/2016)
      A new strain of malicious software that can be used to steal information from Mac computers has been discovered by security researchers. The malware, called Mokes.A, can take screenshots from a computer every 30 seconds, as well as access photos, videos and documents, according to Stefan Ortloff, the Kaspersky Lab researcher who found the program. A version of the malware for PC was discovered earlier this year. It can also see what keys a user is typing onto their keyboard which, along with screenshots, could hand a hacker bank credentials, passwords and other sensitive information. And it could let hackers control the breached computer remotely.
    • Who’s in Charge of Regulating the Internet of Things? - Mohana Ravindranath, Nextgov (09/01/2016)
      Increasing interconnectivity might help consumers—who doesn’t want their washer-dryer to text them when their clothes are done?—but could also create new risks. The most granular data about individual consumers, down to their thermostat settings, might be available to hackers who can infiltrate the wireless networks that connect hundreds of devices, or even the devices themselves. As the cyber and physical worlds become intertwined, intruders could also control tangible objects—remotely turning off someone’s lights, or worse, disabling the power grid. So, who governs the internet of things? Who ensures connected and self-driving cars don’t put their passengers in danger, that security cameras don’t relay video feeds of their users to third parties, or that data collected from billions of consumer devices can be used without compromising personal information? For now, it’s still not clear.
    • Watch Out That Your Rental Car Doesn't Steal Your Phone Data - Jeff John Roberts, Fortune (09/01/2016)
      Here’s something to think about the next time you plug your phone into a rental car: The vehicle may be slurping up and recording all sorts of data, including your location, personal contacts, and even your text messages and web browsing. That warning comes via a Federal Trade Commission blog post this week, which highlights a downside of so-called “connected cars.” The gist of it is that, today, a strange car is just like a strange computer, and consumers should be careful how them connect to them. A blog post written by an FTC staff attorney describes how rental cars can not only access and record your cell phone data, but hold on to it for an indefinite period. The risk is obvious.
    • Global cybercrime costs will exceed $6T annually by 2021 - Jessica Davis , Healthcare IT News (08/30/2016)
      The cost of cybercrime around the globe will exceed $6 trillion annually by 2021 – more than double the annual cybercrime costs of 2015, according to a recent Cybersecurity Ventures report, sponsored by security firm Herjavec Group. These costs include data damage and destruction, stolen money, loss of productivity, intellectual property theft, personal or financial data theft, fraud, embezzlement, business disruption after the attack, investigation, restoration and deletion of hacked data and systems.
    • Mobile Bank Heist: Hackers Target Your Phone - Robin Sidel, Wall Street Journal (08/26/2016)
      Cyberthieves have a new way to hack into consumer bank accounts: mobile phones. Malicious software programs with names like Acecard and GM Bot are gaining popularity around the world as criminals look for new and lucrative ways to attack the financial-services industry. Cyberthieves are using such so-called malware to steal banking credentials from unsuspecting consumers when they log on to their bank accounts via their mobile phones, according to law-enforcement officials and cybersecurity specialists…Attacks have occurred on the two most common mobile operating systems—Apple Inc.’s iOS and Attacks have occurred on the two most common mobile operating systems— Apple Inc.’s iOS and Alphabet Inc.’s Android. Phones typically come with built-in security protections, but the devices can still be vulnerable. Inc.’s Android. Phones typically come with built-in security protections, but the devices can still be vulnerable.
    • Fitch: U.S. Cyber Insurance Premiums Total $1B Per New Supplemental Filing - Reuters (08/24/2016)
      Aggregating the cybersecurity statutory supplement data for the U.S. property/casualty (P/C) insurance industry finds that approximately 120 insurance groups reported writing cyber coverage in 2015 totaling approximately $1 billion in direct written premiums volume… "Industry estimates suggest that the global cyber insurance business could increase to $20 billion by 2020, but the lack of information on cyber insurance is a challenge for insurance companies, policyholders, regulators, and investors to evaluate and price risk," said James Auden, Managing Director, Fitch Ratings.
    • The Mobile Banking Revolution Has Arrived but Cyber Heists May Ensue, Warns The Bunker - Information Security Buzz (08/23/2016)
      The Competition and Markets Authority (CMA) has announced changes in the banking industry that will enable customers to access the details of their entire finances through a single mobile phone app by 2018, raising inevitable security concerns…Phil Bindley, CTO of The Bunker explains: “Undoubtedly, hackers that target financial institutions are more professional than they once were and cybercriminals will use any means possible to achieve their aims. It used to be that risks to banks existed in the form of someone with a gun entering the establishment and stealing the money. From a risk perspective, the gun has now become a mobile device as this is going to have access to the banking system in some way, shape or form.”
    • Security experts: Remotes are hackable on many vehicles - AP - HeraldNet (08/13/2016)

      A group of computer security experts say they figured out how to hack the keyless entry systems used on millions of cars, meaning that thieves could in theory break and steal items without leaving a broken window. . . . The experts say that remote entry systems on millions of cars made by Volkswagen since 1995 can be cloned to permit unauthorized access to the car’s interior. . . .The same experts say another system used by other brands including Ford, General Motor’s Opel and Chevrolet and Renault can also be defeated.

    • Insurance Industry Takes Cautious Approach to Home Smart Devices - DANNI SANTANA , Information Management (08/12/2016)

      The property and casualty insurance industry is taking a closer look at the potential for smart home devices. Observers expect that smart homes will have a similar effect on home insurance that telematics and the connected car did for auto insurance. Soon, carriers aim to use connected-home technology for claims avoidance, underwriting and improved interactions with homeowners beyond just creating a policy. . . . That’s according to new research from technology-research firm Gartner. And, some insurers are beginning to invest in connected-home companies using their internal venture capital arms.

    • QuadRooter Android bug could affect almost 1bn phones, researchers claim - Alex Hern, The Guardian (08/10/2016)

      Security flaws that could give hackers complete access to a smartphone have been found in the processors of hundreds of millions of Android devices, researchers claim. . . . Computer security firm Check Point says that the bugs could affect up to 900m Android phones, including some made by BlackBerry, Google and LG among others.

    • Dozens join lawsuit over Wendy's data breach - JD Malone, The Columbus Dispatch (08/05/2016)

      The class-action lawsuit filed against Wendy's over a data breach at more than 1,000 restaurants has attracted a crowd. . . . More than 20 credit unions across the country, from Alaska to Florida, and a handful of credit union associations, including the Credit Union National Association, have joined as parties to the suit filed in Federal Court earlier this year by First Choice Federal Credit Union of western Pennsylvania.

    • Cyber attackers hit Banner Health food services, compromise data of 3.7 million customers - Sharon Dunn, Greeley Tribune (08/03/2016)

      In what company officials described as an unprecedented cyber attack, hackers may have made off with credit card and personal information on 3.7 million people who were patients at or bought food from Banner Health facilities across the country in the past month and a half.

    • WikiLeaks Has Published DNC Officials’ Stolen Voicemails - David Meyer, Fortune (07/28/2016)

      WikiLeaks has followed up on its publication of almost 20,000 Democratic National Committee emails by releasing audio recordings that appear to be DNC officials’ voicemails.

    • Fiat Chrysler Is Paying the Public to Find Security Flaws in Its Cars - Kirsten Korosec, Fortune (07/13/2016)
      Fiat Chrysler Automobiles will start rewarding the public with cash for finding vulnerabilities and security bugs in its vehicle software, more than a year after two hackers showed how they could remotely take control of its popular Jeep Cherokee.
    • EU members states to receive €1.8bn of cybersecurity funding - Emma Boyle, The Independent (07/05/2016)

       The European Commission has signed an agreement to launch a new public-private partnership that will see EU member states working with private cybersecurity firms.

    • “Interim” No More: DHS and DOJ Publish Final Cybersecurity Information Sharing Act Guidance on Cybersecurity Sharing - Brian H. Lam, Cynthia J. Larose, The National Law Review (06/20/2016)

       The Department of Homeland Security (DHS) and the Department of Justice (DOJ) have issued the long-awaited final procedures for both Federal and Non-Federal Entities under the Cybersecurity Information Sharing Act (CISA) (“Final Procedures”) that provide information on how DHS will implement CISA.

    • Chinese curbing cyberattacks on U.S. interests, report finds - David E. Sanger, The New York Times (06/20/2016)
      Nine months after President Barack Obama and President Xi Jinping of China agreed to a broad crackdown on cyberespionage aimed at curbing the theft of intellectual property, the first detailed study of Chinese hacking has found a sharp drop-off in almost daily raids on Silicon Valley firms, military contractors and other commercial targets.
    • NATO officially recognizes cyberspace as domain for war - Doug G. Ware, Upi.com (06/14/2016)

       The North Atlantic Treaty Organization on Tuesday, for the first time, recognized cyberspace as a frontier for war -- in addition to the traditional sites of battle, like land and sea.

    • FDIC cyberattacks included hit on former chairwoman’s computer - Joe Davidson, Washington Post (05/11/2016)
      The Federal Deposit Insurance Corp. is an independent agency created by Congress to maintain “public confidence in the nation’s financial system.”... So says its mission statement...
    • As ‘Sextortion’ Proliferates, Victims Find Precarious Place in Legal System - Jada F. Smith, New York Times (05/10/2016)
      On Wednesday, the Brookings Institution will release two studies billed as the first in-depth reviews of sextortion — in which someone uses nude photographs of someone to demand ever more sexually explicit content or other goods — and its precarious place in a legal system that acknowledges its existence but has yet to write it into law.
    • Hackers’ $81 Million Sneak Attack on World Banking - Michael Corkery, New York Times (04/30/2016)
      Tens of millions of dollars siphoned from the Federal Reserve Bank of New York. A shadowy set of casinos in the Philippines. A large bank in Bangladesh with creaky technology. An unknown — and perhaps uncatchable — group of anonymous thieves with sophisticated hacking skills….What unites this curious cast of characters and enabled one of the most brazen digital heists ever is a ubiquitous and highly trusted international bank messaging system called Swift.
    • Supreme court grants FBI massive expansion of powers to hack computers - Danny Yadron, The Guardian (04/29/2016)
      The US Congress has seven months to block a potentially massive expansion of the government’s ability to hack into suspects’ computers.
    • Feds: Let’s build a terrorist-proof car, or at least try - Tresa Baldas, Detroit Free Press (04/14/2016)
      In its quest to build connected and self-driving cars, the automotive industry is facing a daunting task that national security experts say is a must: Design a car that's terrorist-proof — or at least try.
    • Ransomware: Extortionist hackers borrow customer-service tactics - Jim Finkle, Reuters (04/12/2016)
      When hackers set out to extort the town of Tewksbury, Massachusetts with "ransomware," they followed up with an FAQ explaining the attack and easy instructions for online payment.
    • Medical records breach affects Palm Beach County patients - Andy Reid, Palm Beach Sun Sentinel (04/11/2016)
      More than 1,000 patients of Florida Department of Health clinics in Palm Beach County may be at risk of identity theft after a breach of medical records, state officials disclosed Monday.
    • Maryland health institutions join forces to combat cyberattacks - Meredith Cohn, Baltimore Sun (04/08/2016)
      At least six major health systems across the country have suffered debilitating cyberattacks this year, including most recently Columbia-based MedStar Health. The rate has unsettled health system information technology administrators who are now working together to block future attacks.
    • Hackers broke into hospitals despite software flaw warnings - Tami Abdollah, AP (04/06/2016)
      The hackers who seriously disrupted operations at a large hospital chain recently and held some data hostage broke into a computer server left vulnerable despite urgent public warnings since at least 2007 that it needed to be fixed with a simple update, The Associated Press has learned.
    • Alvarado hospital fighting cyber attack - Paul Sisson, San Diego Union-Tribune (03/31/2016)
      Alvarado Hospital Medical Center in San Diego is among the growing number of health facilities nationwide hit with software attacks, a problem that has drawn attention from cyber experts to the FBI.
    • Hospital Cyberattack Highlights Health Care Vulnerabilities - Tom Murphy, AP (03/30/2016)
      A cyberattack that paralyzed the hospital chain MedStar this week is serving as a fresh reminder of vulnerabilities that exist in systems that protect sensitive patient information.
    • U.S. indicts Iranians for hacking dozens of banks, New York dam - Dustin Wolz and Jim Finkle, Reuters (03/25/2016)
      Seven Iranian hackers conducted a coordinated cyber attack on dozens of U.S. banks, causing millions of dollars in lost business, and tried to shut down a New York dam, the U.S. government said on Thursday in an indictment that for the first time accused individuals tied to another country of trying to disrupt critical infrastructure.
    • 1.5M customers of Verizon anti-hacker unit hacked - Elizabeth Weise, USA Today (03/25/2016)
      Records for more than 1.5 million customers of the computer security wing of Verizon, Verizon Enterprise Solutions, appeared for sale earlier this week.
    • 2 more Southland hospitals attacked by hackers using ransomware - Richard Winton, Los Angeles Times (03/22/2016)
      Two more Southern California hospitals have been attacked by hackers who infiltrated their computer systems with ransomware and demanded payment to unlock the data, officials said.
    • Personal Data Of Nearly 14,000 LAZ Parking Employees Stolen - Kenneth R. Gosselin, Hartford Courant (03/15/2016)
      The Social Security numbers and other personal information of nearly 14,000 employees of LAZ Parking across the country were stolen in what federal authorities are calling an emerging Internet scam.
    • WhatsApp Encryption Said to Stymie Wiretap Order - Mark Apuzzo, New York Times (03/12/2016)
      While the Justice Department wages a public fight with Apple over access to a locked iPhone, government officials are privately debating how to resolve a prolonged standoff with another technology company, WhatsApp, over access to its popular instant messaging application, officials and others involved in the case said.
    • Obama Says 'Dangers Are Real' in Debate Over EncryptionObama Says 'Dangers Are Real' in Debate Over Encryption - Darlene Superville, AP (03/11/2016)
      President Barack Obama sided with law enforcement Friday in the debate pitting encryption and personal privacy against national security, arguing that authorities must be able to access data held on electronic devices because the "dangers are real."
    • Apple’s Mac Operating System Targeted by ‘Ransomware’ for Certain Users - Anne Steele, Wall Street Journal (03/07/2016)
      A small number of Mac users could be getting ransom notes to unlock their computers in what is believed to be the first such attack on Apple Inc. products, typically seen as less likely to be hit by hackers and virus creators.
    • Los Angeles County health department targeted in ransomware attack - Abby Sewell, LA Times (02/26/2016)
      Los Angeles County Department of Health Services computers have been targeted in a "ransomware" cyberattack, officials said Friday. 
    • Baltimore hackers say they reveal potentially deadly cybersecurity weaknesses at area hospitals - Ian Duncan, Baltimore Sun (02/26/2016)
      Area hospitals are riddled with cybersecurity flaws that could allow attackers to hack into medical devices and harm patients, a team of Baltimore-based researchers has concluded after a two-year investigation.
    • F.B.I. Chief Presses Congress to Act on Data Privacy - Eric Lichtblau and Nick Wingfield, New York Times (02/25/2016)
      The head of the F.B.I., battling Apple over unlocking an iPhone used by one of the killers in a December rampage in San Bernardino, Calif., called on Congress on Thursday to settle the question of when law enforcement officials should get access to citizens’ private data.
    • Cyber attacks are increasing because bosses don’t know who the enemy is, report shows - Zlata Rodionova, The Independent (02/17/2016)
      ...Over 50 per cent of bosses agree that more external collaboration is needed to combat cybercrime, but less than one-third are willing to share their own information externally, according to a survey by IBM, a technology and consulting corporation, which gathered answers from more than 700 top senior executives globally.
    • Tax Software Provider Discloses Data Breach - Laura Saunders, Wall Street Journal (02/04/2016)
      Criminals may have stolen personal and tax-return information from about 8,800 customers of TaxSlayer LLC, a provider of software to individuals who prepare their own tax returns, according to the company.
    • Tax Software Provider Discloses Data Breach - Laura Saunders, Wall Street Journal (02/04/2016)
      Criminals may have stolen personal and tax-return information from about 8,800 customers of TaxSlayer LLC, a provider of software to individuals who prepare their own tax returns, according to the company.
    • Cyberthieves Have a New Target: Children - Priya Anand, Wall St. Journal (01/31/2016)
      Cyberthieves target children because their identities offer a clean slate with which to apply for bank accounts, credit cards or loans, government benefits and tax breaks.
    • Identity theft complaints leap 47% - Christine DiGangi, USA Today (01/30/2016)
      Reports of identity theft shot up in 2015, largely driven by an increase in tax- and wage-related fraud, according to the Federal Trade Commission. People made 490,220 identity theft complaints to the FTC in 2015, up from 332,647 (a 47% increase) in 2014 and 290,102 in 2013.
    • Identity theft complaints leap 47% - Christine DiGangi, USA Today (01/30/2016)
      Reports of identity theft shot up in 2015, largely driven by an increase in tax- and wage-related fraud, according to the Federal Trade Commission.
    • Chip Cards Won't Spoil Crooks' Appetite for Sensitive Data - George Rice, Payments Source (01/29/2016)
      Many people in the payments industry believe stolen payment card industry (PCI) data will diminish in its black market value as EMV approaches ubiquity across U.S. retailers. That's not the case...
    • Chip Cards Won't Spoil Crooks' Appetite for Sensitive Data - George Rice, Payments Source (01/29/2016)
      Many people in the payments industry believe stolen payment card industry (PCI) data will diminish in its black market value as EMV approaches ubiquity across U.S. retailers. That's not the case…
    • Can We Insure the Internet of Things Against Cyber Risk? - Tim Mullaney, MIT Technology Review (01/25/2016)

      What the industry needs is data, and analytics to translate statistics on losses into policy standards and consistent pricing. Only then can emerging industries like self-driving cars and network-connected medical devices really take off, says software security expert Josh Corman.

    • Biometrics is the latest shield against password hacks - Bob O'Donnell, USA Today (01/25/2016)
      At last week’s unveiling of Intel’s latest 6th generation Core CPUs for business PCs... the company talked about its new Authenticate technology.
    • Can We Insure the Internet of Things Against Cyber Risk? - Tim Mullaney, MIT Technology Review (01/25/2016)
      Insuring the security of connected products is hard for a simple reason: they are too new, and too little is known about the economic losses or personal injury they might cause. What the industry needs is data, and analytics to translate statistics on losses into policy standards and consistent pricing.
    • FDA outlines cybersecurity recommendations for medical device manufacturers - FDA (01/15/2016)
      The U.S. Food and Drug Administration today issued a draft guidance outlining important steps medical device manufacturers should take to continually address cybersecurity risks to keep patients safe and better protect the public health.

    2015

    • Kaspersky: Consumers Less Security-Savvy Than Before - Michael Cusanelli, The VAR Guy (12/30/2015)
      The average consumer is actually less security-aware than they were two years ago, according to a recent study from Kaspersky Lab and B2B International.
    • UTSA professor’s new study explores the mind of a cyberterrorist - Joanna Carver, UTSA Today (12/14/2015)
      A new study by Max Kilger, director of Data Analytics Programs at The University of Texas at San Antonio (UTSA) College of Business, is delving into an aspect of cybersecurity rarely explored before now: the human component.
    • Hacker makes canceled American Express card work again - Sean Sposito, SF Gate (11/28/2015)
      Earlier this year, Samy Kamkar canceled his American Express card — not because it was lost or stolen, but to prove a point.
    • Sony employees' hacking suit settlement gets preliminary OK - CBS News (11/25/2015)
      A federal judge has given preliminary approval to a settlement of up to $8 million between Sony Pictures Entertainment and current and former employees related to the hack of the company's computers last year.
    • Starwood Reports Payment Information Data Breach - Dow Jones Business News (11/20/2015)
      Starwood Hotels Resorts Worldwide Inc. said a data breach exposed customer credit-card and debit-card information at 54 locations for nearly eight months, the latest in a wave of hacking attacks that have hit the hotel industry.
    • Trend Micro Q3 Security Roundup Report Showcases Vulnerabilities and Aftermath of Data Breaches - Trend Micro (11/17/2015)
      The interconnectivity of technology has led to a point where many devices are potentially vulnerable, and in the third quarter, the real world impacts of cyberattacks became clear.
    • PHI Data Breaches Commonplace Across Vast Majority of Industries - Greg Slabodkin, Health Data Management (11/13/2015)
      An analysis from Verizon Enterprise Solutions finds that 90 percent of studied industries have experienced a PHI data breach outside of traditional healthcare settings.
    • Hired-gun hacking played key role in JPMorgan, Fidelity breaches - Jim Finkle and Joseph Menn, Reuters (11/13/2015)
      When U.S. prosecutors this week charged two Israelis and an American fugitive with raking in hundreds of millions of dollars in one of the largest and most complex cases of cyber fraud ever exposed, they also provided an unusual look into the burgeoning industry of criminal hackers for hire.
    • Update your Comcast password; it may have been sold - Robert Channick, The Chicago Tribune (11/09/2015)
      Comcast is notifying about 200,000 customers to change their email passwords after discovering their account information was being sold online.
    • Europe Seeks to Reach Data Transfer Pact by Early 2016 - Mark Scott, The New York Times (11/06/2015)

      Senior European officials said on Friday that they expected to complete a new trans-Atlantic data sharing agreement in the next three months that would allow companies to continue moving online information like social media posts and search queries to the United States.

    • Recent Amendments to Security Breach Notification Laws Further Complicate Breach Notification for Employers - Philip Gordon and Jennifer Mora, Littler (11/04/2015)
      According to the Privacy Rights Clearinghouse's Chronology of Data Breaches, more than 1,000 breaches, implicating more than 280 million records, have been publicly reported since January 2013.
    • NAIC Adopts Cybersecurity Bill of Rights - F. Paul Pittman, Data Privacy Monitor (11/03/2015)
      The National Association of Insurance Commissioners (“NAIC”) continued its efforts to advance cybersecurity in the insurance industry when it recently adopted the Cybersecurity Bill of Rights.
    • Stolen Netflix logins being traded online, potentially leaving people's most sensitive information exposed - Andrew Griffin, The Independent (10/30/2015)
      Stolen Netflix logins are being traded across the internet — and could be leaving people’s most personal information exposed.
    • Security breach at Halifax and Bank of Scotland left account activities visible for up to six years - Katie Morley, The Telegraph (10/15/2015)
      A security hole in Halifax and Bank of Scotland’s online banking facilities has put tens of thousands of customers at risk of fraud by leaving their financial activities visible to anyone.
    • Suit targets Scottrade in hack case - Jim Gallagher, St. Louis Post-Dispatch (10/07/2015)
      Law firms in St. Louis and Chicago have filed a class action law suit against Scottrade, alleging that lax security at the brokerage firm allowed hackers to steal customer information. Scottrade, based in west St. Louis County, last week said it learned through the FBI that hackers stole names and address of clients in late 2013 and early 2014. Although Social Security numbers and other information was in the database, the company said it appeared the thieves were after contact information.
    • Coke breach class action moves forward - Robert Abel, SC Magazine (10/06/2015)
      A U.S. District Court in Pennsylvania granted three claims and denied seven against Coca-Cola and several bottling companies under its brand to pave the way for a class action lawsuit stemming from a 2014 breach.
    • Collateral damage: 26% of DDoS attacks lead to data loss - Neha Madaan, The Times of India (09/28/2015)
      According to the research, 20% of businesses with 50 or more employees have suffered at least one DDoS attack, with enterprises being most affected (24%).
    • Drinker Biddle Cyber Bulletins - Drinker Biddle , Drinker Biddle Drinker Biddle Cyber Bulletins (09/01/2015)

      September Bulletin

       

    • NYSE cyberattack an inevitability - Jessica Van Sack , Boston Herald (07/09/2015)
      The New York Stock Exchange shutdown yesterday amounted to an unintended Wall Street fire drill for the real deal: a massive hack of our trading infrastructure.
    • Warning over Adobe Flash vulnerability revealed by Hacking Team leak - Alex Hern , The Guardian (07/08/2015)
      An unpatched security flaw in Adobe Flash, discovered then kept secret by Italian cyber-surveillance firm Hacking Team Team, is now being used by malware developers to hack victims’ computers following the leak of over 400GB of data from the company’s servers.
    • EU Governments Agree Draft Data Protection Law - Valentina Pop and Natalia Drozdiak, Wall Street Journal (06/15/2015)

       The 28 governments of the European Union on Monday agreed a new EU-wide data protection law that would tighten privacy provisions for users of online services, including those provided by U.S. tech companies, in a majority of European countries.

       

    • Emojis Could Soon Replace Online Banking Pin Codes - Nitya Rajan, The Huffington Post UK (06/15/2015)
      The humble emoji could soon replace numerical passwords and make for safer online banking practices, according to [a] British software company...
    • EHR/PHR Vendor MIE Gets Hacked - Joseph Goedert, Health Data Management (06/14/2015)
      Electronic health records vendor Medical Informatics Engineering and its personal health records vendor subsidiary NoMoreClipboard have been hit by a sophisticated cyber attack.
    • When Does a Hack Become an Act of War? - Damian Paletta, Wall Street Journal (06/13/2015)
      A tremendous number of personnel records—including some quite personal records—have likely been stolen by computer hackers. The White House won’t say who did it, but a number of U.S. officials and even some lawmakers have said all signs point to China.
    • Businesses Taking More Than 100 Days to Contain Data Breaches, Finds Study - Out-Law.com (06/09/2015)
      Businesses take more than 100 days on average to contain a data breach, a new study has found.
    • Internet of Things Market To Reach $1.7 Trillion By 2020: IDC - Steven Norton, Marketwatch (06/02/2015)
      The global Internet of Things market will grow to $1.7 trillion in 2020 from $655.8 billion in 2014, research firm IDC says, as more devices come online and a bevy of platforms and services grow up around them.
    • Drinker Biddle Cyber Bulletins - Drinker Biddle , Drinker Biddle Cyber Bulletins (06/01/2015)
      June Bulletin
    • Banks' Cyber Risks Compounded by 'Commjacking' of Wi-Fi Networks - Penny Crosman, American Banker (05/26/2015)
      We know we shouldn't, but most of us do it anyway: access the Internet on Wi-Fi networks at coffee shops and airports, knowing full well those networks are not secure.
    • As Chipped Credit Cards Become Norm, Other Fraud Targets Rise - Marco Santana, Orlando Sentinel (05/24/2015)
      Studies show a climb in the number of "digital shoppers" in the U.S. every year from 2010 with growth expected to continue... But as more buy online, security experts say "Card Not Present" fraud, a specific kind that does not require a physical credit card, has also increased.
    • Will Your Cyber Insurance Respond When You Need It Most? - Russel P. Cohen, Mark Mermelstein, and Nancy E. Harris, Orrick Alert (05/21/2015)
      As the number of data breach events and costs have soared, specialty cyber insurance policies have become both ubiquitous and necessary. 
    • Target-MasterCard settlement can proceed despite not passing “the smell test” - Erin Ayers , cyberrisknetwork.com (05/10/2015)
      A $19 million settlement between Target and MasterCard over costs stemming from the retailer’s 2013 data breach can proceed, according to a ruling from United States District Court Judge Paul Magnuson, who told interveners that he had little authority to dispute a settlement that does not seem either “fair or reasonable.”
    • Use of multiple contractors could leave oil, gas operators open to hackers - Katelyn Ferral, Andrew Conte, Pittsburgh Tribune-Review (04/18/2015)
      The chances of an adversary initiating a cyber attack on an oil and gas company are much greater than that of a physical attack, said former Homeland Security Director Tom Ridge.
    • Cybersecurity at Aetna Is a Matter of Business Risk - Rachael King, CIO Journal (03/30/2015)
      Security breaches have become a daily fact of digital life, prompting some companies like insurance giant Aetna Inc. to approach cybersecurity as just one more business risk that needs to be managed, much as they approach fluctuating currency prices or the threat of lawsuits.
    • Need Some Espionage Done? Hackers Are for Hire Online - Matthew Goldstein, New York Times (01/15/2015)
      At a time when huge stealth attacks on companies like Sony Pictures, JPMorgan Chase and Home Depot attract attention, less noticed is a growing cottage industry of ordinary people hiring hackers for much smaller acts of espionage.
    • Schnuck Markets Scores Win In Fight Over Data Breach Responsibility - Tim Barker, St. Louis Today (01/15/2015)
      Schnuck Markets scored a victory Thursday in its legal battle against two credit card payment processors in the aftermath of a massive data breach two years ago.
    • New breed of cyber criminal spies on your laptop even when it’s offline – Daily Times - Daily Times (01/11/2015)
      When your computer performs a spell check, opens a programme or even just types a letter, it emits a tiny, imperceptible signal, Daily Mail reports.
    • Catastrophe modelers developing cyber risk technologies to assess exposures - Bill Kenealy , Business Insurance (01/04/2015)
      In the wake of major cyber breaches that defined 2014, technologies to help risk managers, brokers and insurers better assess and model cyber risks are in their infancy.
    • Smart devices prey to hackers - Jessica Van Sack, BostonHerald.com (01/02/2015)
      An unprecedented boom in wearable technology and smart homes will make 2015 a year of huge rewards for American consumers — and terrifying opportunities for hackers.

    2014

    • New York Establishes New Cyber Security Examination Process for Financial Institutions - Ropes & Gray (12/16/2014)
      New York’s Department of Financial Services released a letter on December 10, 2014, announcing the details of its plan to focus more attention on cyber security matters in conducting examinations.
    • Agencies Mold Regulations Around “Voluntary” Cyber Standards - Aliya Sternstein, Nextgov.com (12/15/2014)
      Federal regulators are adapting voluntary cybersecurity standards to suit industries they oversee, for what could pan out to be requirements.
    • Ridesharing companies are now providing insurance to their drivers, but is it enough? - Joseph Jaafari, Property Casualty 360 (10/22/2014)
      The contingent policy [Lyft and Uber had used] is exactly as it sounds – a policy that kicks in only if the driver’s personal auto insurance doesn’t foot the bill before picking up a passenger, but after the passenger is picked up, the TNC's policy becomes primary.
    • J.P. Morgan Hackers Tried to Infiltrate Other Financial Institutions, Sources Say -- Update - Danny Yadron, Emily Glazer and Devlin Barrett, Dow Jones Business News (10/06/2014)
      Hackers who breached J.P. Morgan Chase & Co.'s computer network earlier this year also tried to infiltrate a number of other financial institutions, but the companies believe they were unsuccessful, according to people familiar with the investigation.
    • Security breach fatigue: So many hacks that nobody cares anymore - Ruth Reader, Venture Beat (10/03/2014)
      An SEC filing yesterday revealed that 76 million households and 7 million businesses were affected by a breach that took place at J.P. Morgan over the summer.
    • More Japanese companies disclosing information security risks - Nekkei Asian Review (08/21/2014)
      An increasing number of Japanese companies are citing their vulnerability to information leaks in their annual financial statements, as incidents like the data breach at Benesse Holdings raise corporate awareness of these issues.
    • DDoS extortion attacks on the rise - TMC News (08/18/2014)
      While digital ransom attacks come in various types and forms, Distributed Denial of Service (DDoS) attacks are top of the list of methods used by attackers to force money from targeted companies.
    • Ex-Cyber Spy’s Message to Board Members: You’re Not OK - Amir Mizroch, Wall Street Journal (07/23/2014)
      [CEO Andrew France says Darktrace] is growing fast, mostly because the “wild west” of cybercrime is outstripping companies’ ability to keep up. In fact, they’re never going to keep up. The trick, he says, is for company executives and board members to realize that data now represents the real wealth of their corporation, and decide how to deal with the risk to it.
    • Web Tracking Advances Beat Privacy Defenses - Thomas Claburn , InformationWeek (07/22/2014)
      Researchers warn that advances in online tracking have made it difficult even for sophisticated computer users to protect their privacy -- and call for further regulatory intervention.
    • Credit card breaches keep coming - Andrea Rumbaugh, Dane Schiller , Houston Chronicle (07/11/2014)
      With their public mea culpas and retention of forensic investigators to tell them how the hackers penetrated their computer networks, Spec's and The Houstonian have thus taken their place in a long line of national businesses that have been victimized, including Target, Neiman Marcus, Michaels and P.F. Chang's restaurants.
    • Cyber Insurance: The Next Big Thing for Businesses - Mary Thompson, Entrepreneur (07/06/2014)
      At an estimated $1 billion to $2 billion, 2013 sales of cyber insurance were a fraction of the $1.1 trillion in total U.S. insurance premiums last year. But Parisi sees the number growing exponentially in the foreseeable future.
    • Banking apps threaten to become money for cyber crooks - Chris Fleisher, Pittsburgh Tribune (06/28/2014)
      Mobile banking applications are becoming the next target for hackers, leading to security concerns as more con­sumers use phones and tab­­­lets to manage their money.
    • Comcast wants to turn your routers into Wi-Fi hotspots. Why? - Aaron Mamiit, Tech Times (06/13/2014)
      Comcast announced plans to turn wireless Internet routers in homes into Wi-Fi hotspots that are available to the public.
    • Global Raids Target 'Blackshades' Hacking Ring - Danny Yadron, Christopher M. Matthews, Wall Street Journal (05/16/2014)
      The Federal Bureau of Investigation and foreign police agencies have launched a series of raids around the world at the homes of people linked to a type of hacking software called Blackshades.
    • US senators reach deal on cybersecurity legislation - Chad Hemenway, CyberRisk Network (05/01/2014)

      Two Senators said they will formally introduce cybersecurity legislation to promote the sharing of information about cyber threats among companies.

    • City sues to halt app-based car service Lyft - Rick Rouan, The Columbus Dispatch (04/24/2014)
      The city filed a lawsuit yesterday to try to stop the app-based car service Lyft from operating in Columbus, as arguments wrapped up in a similar case against UberX.
    • Cyber risks can cause disruption on scale of 2008 crisis: Study - AsiaOne News (04/23/2014)
      Organisations must dramatically improve their response to cyber risks to avoid a new global shock on the scale of the financial crisis that rocked the world in 2008, a study showed Tuesday.
    • Cyber insurance becoming more mainstream - Cadie Thompson, CNBC (04/17/2014)
      Increasingly companies are trying to hedge costs associated with attacks on their networks by purchasing cyber insurance. Not only are more start-ups and established insurance providers getting into the cyber insurance business, but more companies including mom and pops are paying for insurance against cybercriminals.
    • GAO Faults SEC for Lax Cybersecurity - Andrew Ackerman, Wall Street Journal (04/17/2014)
      A congressional watchdog is faulting the Securities and Exchange Commission for lax cybersecurity.
    • New York Trial Court Denies Coverage for Cyber Claims Under Commercial General Liability Policies – McGuire Woods - McGuireWoods.com (03/04/2014)
      Last week, a New York trial court granted Sony’s insurers summary judgment on the issue of whether the claims fall within the personal and advertising injury coverage of the policies.

    2013

    Additional Items

    By far and away the most well rounded and useful Cat-focused industry conference out there. Perfect for all levels within the industry. From the conference content, the presenters and the attendees, this conference is a can’t miss for those interested in expanding their knowledge and learning more about cat related insurance and reinsurance modeling topics Nick DiMuzio, Everest

    "Fantastic, enriching conference - brilliantly planned and run, illuminating talks and excellent opportunities for networking across multiple areas of catastrophic risk.” Gary Ackerman, University at Albany

    “From a treaty underwriter's point of view, RAA presented relevant topics related to today's macro events. Scientific presentations provided insight that I can incorporate in underwriting and share with my clients.” Eric B. Silberman, Munich Re

    "Great conference with some of the biggest names in the business presenting their work. What more could you ask for?” Ron Nash, Nash Consulting

    “A perfect introduction to the world of reinsurance. Relevant topics, great speakers and the opportunity to network with industry peers makes this a must go event.”
    Tom Barrett, Everest Re

    Demystifying Reinsurance was an excellent tool to clearly understand and break down the basics. Very good class and recommend it for beginners and even as a refresher course for the intermediate student.”
    Chenessia West, TransRe

    “Re Basics is the ideal opportunity whether an industry professional or student of insurance to understand the in and outs of reinsurance while being able to network with persons spread across the whole industry.”
    Darius Zuill, Bermuda Monetary Authority

    “This has been the best reinsurance seminar that I have been to! Whether a reinsurance seasoned vet or new to the field, this is an engaging seminar that addressed specific issues of the reinsurance market.”
    Michelle Thimm, Church Mutual Insurance 

    “Re Underwriting provided a comprehensive and interesting overview of underwriting in the current market with a major (and interesting) focus on trends. Very useful for underwriting and non-underwriting alike.”
    DeVika Bourne, PartnerRe

    “Very informative experience, and a great way to keep up to date on current underwriting events and trends.”
    Steven Whalen, Aspen Re

    “Time well spent in learning the updated underwriting business and networking!”
    Christine Chen,  Everest Re 

    “The panels and presentations were thought provoking and fascinating as numerous topics were covered affecting the industry. I’m leaving the conference with a greater insight of the future market.”
    Brittany de Frias, AXIS Capital 

     

    “RAA Re Finance was the first RAA seminar I attended, and I was thoroughly impressed with the speakers and content. I learned a great deal from the presentations and intend to bring some new ideas back to my company and share with the team!”
    Taylor Robinson, ICW Group

    “Fantastic slate of instructors who thoughtfully walked us through financial reporting and other aspects of reinsurance finance. They used terminology that non finance people (lawyers) could understand. Really great program.”
    Steven Bazil, The Bazil Group

    “If you are in Reinsurance Accounting/Finance, you need to take this course to help you with your job.”
    Frank Borawski, Markel  

    “The speakers were excellent! There is something to be said about a person, and in this case a group of people, who can take time away from their busy schedules and explain to everyone something they feel passionate about in a manner that's understandable. My only complaint is that I wish we had more time with them.”
    Jessica Mieles, Sompo International

    “The RAA ReContracts is the most comprehensive reinsurance contract wording training available in the U.S. market.”
    David Kragseth, Guy Carpenter   

    “The course was very helpful in addressing different viewpoints and important things to consider in contract design and review.”
    Andy Martin, AmericanAg 

    “The RAA contract course was very informative and interesting. It covered a wide range of Reinsurance Contracts Types. In my Reinsurance Career, I have had the opportunity to work on a limited type of contracts, so I learned a lot.”
    Vivian Castro, Arch Insurance Company 

    “The RAA Contracts course provides the opportunity to engage with relevant topics, taught by industry experts, in both seminar and small group environments. The course material and industry experts provide an understanding on a wide range of subjects.” 
    Kevin English, LMRe

    “Participation in Re Claims should be mandatory for all P&C reinsurance underwriters. It’s truly an eye-opener, providing an in-depth look from a claims manager’s perspective on what happens to the business that we underwrite. There are lots of do’s and don’ts to pay attention to. Re Claims answers all the hard questions."  Michael Delacruz, China Re P&C

    “I absolutely love this program. I learned so many new things. Reinsurance from the industry’s top executives, interactive activities, interesting panels, and innovating presentations makes for an intriguing few days. Well worth the time and money.” Chenessia West, TransRe

    “As a reinsurance attorney I find Re Claims highly valuable to stay abreast of emerging issues. Also, being walked through practical case studies is extremely helpful in creating a thorough understanding of how contracts work.” Steven Bazil, The Bazil Group

    Become a Re Scholar!

    The Re Ed Institute's Re Scholar Program seeks to recognize those who achieve a high standard of reinsurance education by completing the Re Scholar curriculum. Learn More.


    Become a Re Ed Sponsor

    The RAA’s Reinsurance Education Institute programs attract professionals from the world’s leading insurance/reinsurance companies, brokers, law firms and consulting firms. Interested in sponsoring? Contact Carolyn Fahey.