#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

Regulatory Compliance | Breaking Cybersecurity News | The Hacker News

Category — Regulatory Compliance
How to Plan a New (and Improved!) Password Policy for Real-World Security Challenges

How to Plan a New (and Improved!) Password Policy for Real-World Security Challenges

Dec 04, 2024 Data Protection / Regulatory Compliance
Many organizations struggle with password policies that look strong on paper but fail in practice because they're too rigid to follow, too vague to enforce, or disconnected from real security needs. Some are so tedious and complex that employees post passwords on sticky notes under keyboards, monitors, or desk drawers. Others set rules so loose they may as well not exist. And many simply copy generic standards that don't address their specific security challenges. Creating a password policy that works to protect your organization in the real world requires a careful balance: it must be strict enough to protect your systems, flexible enough for daily work, and precise enough to be enforced consistently. Let's explore five strategies for building a password policy that works in the real world. 1. Build compliant password practices Is your organization in a regulated industry like healthcare, government, agriculture, or financial services? If so, one of your top priorities...
SEC Charges 4 Companies Over Misleading SolarWinds Cyber Attack Disclosures

SEC Charges 4 Companies Over Misleading SolarWinds Cyber Attack Disclosures

Oct 25, 2024 Regulatory Compliance / Data Breach
The U.S. Securities and Exchange Commission (SEC) has charged four current and former public companies for making "materially misleading disclosures" related to the large-scale cyber attack that stemmed from the hack of SolarWinds in 2020 . The SEC said the companies – Avaya, Check Point, Mimecast , and Unisys – are being penalized for how they handled the disclosure process in the aftermath of the SolarWinds Orion software supply chain incident and downplaying the extent of the breach, thereby infringing the Securities Act of 1933, the Securities Exchange Act of 1934, and related rules under them. To that end, Avaya will pay a fine of $1 million, Check Point will pay $995,000, Mimecast will pay $990,000, and Unisys will pay $4 million to settle the charges. In addition, the SEC has charged Unisys with disclosure controls and procedures violations. "While public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their sh...
Beyond Compliance: The Advantage of Year-Round Network Pen Testing

Beyond Compliance: The Advantage of Year-Round Network Pen Testing

Nov 18, 2024Penetration Testing / Network Security
IT leaders know the drill—regulators and cyber insurers demand regular network penetration testing to keep the bad guys out. But here's the thing: hackers don't wait around for compliance schedules. Most companies approach network penetration testing on a set schedule, with the most common frequency being twice a year (29%), followed by three to four times per year (23%) and once per year (20%), according to the Kaseya Cybersecurity Survey Report 2024 . Compliance-focused testing can catch vulnerabilities that exist at the exact time of testing, but it's not enough to stay ahead of attackers in a meaningful way. Why More Frequent Testing Makes Sense When companies test more often, they're not just checking a box for compliance—they're actually protecting their networks. The Kaseya survey also points out that the top drivers for network penetration testing are: Cybersecurity Control and Validation (34%) – ensuring the security controls work and vulnerabilities are minimized. Re...
Acronym Overdose – Navigating the Complex Data Security Landscape

Acronym Overdose – Navigating the Complex Data Security Landscape

Oct 19, 2024 Regulatory Compliance / Data Security
In the modern enterprise, data security is often discussed using a complex lexicon of acronyms—DLP, DDR, DSPM, and many others. While these acronyms represent critical frameworks, architectures, and tools for protecting sensitive information, they can also overwhelm those trying to piece together an effective security strategy. This article aims to demystify some of the most important acronyms in data security today and offer practical guidance to help businesses navigate the data security landscape and protect their most valuable assets with confidence. What's driving data security? In today's ever-evolving digital landscape, data security has become a top priority for businesses of all sizes. As data continues to be the most valuable asset for organizations, the need to protect it from breaches, unauthorized access, and other security threats grows. But what exactly is driving businesses to prioritize data security? From compliance with regulations to safeguarding intellectual pr...
cyber security

The AppSec & R&D Playbook: How to Align Security and Innovation

websiteBackslashApplication Security
AppSec vs. R&D? Bridge the gap with clear steps to streamline workflows and foster collaboration.
U.S. Proposes Ban on Connected Vehicles Using Chinese and Russian Tech

U.S. Proposes Ban on Connected Vehicles Using Chinese and Russian Tech

Sep 24, 2024 National Security / Regulatory Compliance
The U.S. Department of Commerce (DoC) said it's proposing a ban on the import or sale of connected vehicles that integrate software and hardware made by foreign adversaries, particularly that of the People's Republic of China (PRC) and Russia. "The proposed rule focuses on hardware and software integrated into the Vehicle Connectivity System (VCS) and software integrated into the Automated Driving System (ADS)," the Bureau of Industry and Security (BIS) said in a press statement. "These are the critical systems that, through specific hardware and software, allow for external connectivity and autonomous driving capabilities in connected vehicles." The agency said nefarious access to such systems could enable adversaries to harvest sensitive data and remotely manipulate cars on American roads.  The proposal extends to all wheeled on-road vehicles such as cars, trucks, and buses. Agricultural and mining vehicles are not included. The BIS said "cert...
Meta to Train AI Models Using Public U.K. Facebook and Instagram Posts

Meta to Train AI Models Using Public U.K. Facebook and Instagram Posts

Sep 17, 2024 Artificial Intelligence / Regulatory Compliance
Meta has announced that it will begin training its artificial intelligence (AI) systems using public content shared by adult users across Facebook and Instagram in the U.K. in the coming months. "This means that our generative AI models will reflect British culture, history, and idiom, and that U.K. companies and institutions will be able to utilize the latest technology," the social media behemoth said . As part of the process, users aged 18 and above are expected to receive in-app notifications starting this week on both Facebook and Instagram, explaining its modus operandi and how they can readily access an objection form to deny their data being used to train the company's generative AI models. The company said it will honor users' choices and that it won't contact users who have already objected to their data being used for their purpose. It also noted that it will not include private messages with friends and family, as well as information from accounts...
Ireland's Watchdog Launches Inquiry into Google's AI Data Practices in Europe

Ireland's Watchdog Launches Inquiry into Google's AI Data Practices in Europe

Sep 12, 2024 Regulatory Compliance / Data Protection
The Irish Data Protection Commission (DPC) has announced that it has commenced a "Cross-Border statutory inquiry" into Google's foundational artificial intelligence (AI) model to determine whether the tech giant has adhered to data protection regulations in the region when processing the personal data of European users. "The statutory inquiry concerns the question of whether Google has complied with any obligations that it may have had to undertake an assessment, pursuant to Article 35[2] of the General Data Protection Regulation (Data Protection Impact Assessment), prior to engaging in the processing of the personal data of E.U./E.E.A. data subjects associated with the development of its foundational AI model, Pathways Language Model 2 (PaLM 2)," the DPC said . PaLM 2 is Google's state-of-the-art language model with improved multilingual, reasoning, and coding capabilities. It was unveiled by the company in May 2023. With Google's European headqu...
Why Is It So Challenging to Go Passwordless?

Why Is It So Challenging to Go Passwordless?

Sep 11, 2024 Password Security / Identity Management
Imagine a world where you never have to remember another password. Seems like a dream come true for both end users and IT teams, right? But as the old saying goes, "If it sounds too good to be true, it probably is."  If your organization is like many, you may be contemplating a move to passwordless authentication. But the reality is that a passwordless security approach comes with its own set of pitfalls and perils. In this post, we'll discuss the real-world complexity of going passwordless and explore why strengthening your existing password protocols may be the simpler solution.  The appeal of passwordless authentication Password-related vulnerabilities pose a major threat to organizational security. According to research by  LastPass , a full 80% of data breaches stem from weak, reused, or compromised passwords. This sobering statistic highlights the appeal of passwordless systems, which offer a way to completely circumvent the risks associated with traditional pas...
Shining a Light on Shadow Apps: The Invisible Gateway to SaaS Data Breaches

Shining a Light on Shadow Apps: The Invisible Gateway to SaaS Data Breaches

Sep 10, 2024 SaaS Security / Risk Management
Shadow apps, a segment of Shadow IT, are SaaS applications purchased without the knowledge of the security team. While these applications may be legitimate, they operate within the blind spots of the corporate security team and expose the company to attackers.  Shadow apps may include instances of software that the company is already using. For example, a dev team may onboard their own instance of GitHub to keep their work separate from other developers. They might justify the purchase by noting that GitHub is an approved application, as it is already in use by other teams. However, since the new instance is used outside of the security team's view, it lacks governance. It may store sensitive corporate data and not have essential protections like MFA enabled, SSO enforced, or it could suffer from weak access controls. These misconfigurations can easily lead to risks like stolen source code and other issues. Types of Shadow Apps  Shadow apps can be categorized based on thei...
The Loper Bright Decision: How it Impacts Cybersecurity Law

The Loper Bright Decision: How it Impacts Cybersecurity Law

Aug 05, 2024 Cybersecurity Law / Data Privacy
The Loper Bright decision has yielded impactful results: the Supreme Court has overturned forty years of administrative law, leading to potential litigation over the interpretation of ambiguous laws previously decided by federal agencies. This article explores key questions for cybersecurity professionals and leaders as we enter a more contentious period of cybersecurity law. Background What is the Loper Bright Decision? The Loper Bright decision by the U.S. Supreme Court overruled the Chevron deference , stating that courts, not agencies, will decide all relevant questions of law arising on review of agency action. The Court held that because the Administrative Procedure Act (APA)'s text is clear, agency interpretations of statutes are not entitled to deference. The ruling emphasized that courts must exercise independent judgment in deciding whether an agency has acted within its statutory authority. This decision shifts the power of statutory interpretation from federal agencies ...
Meta Given Deadline to Address E.U. Concerns Over 'Pay or Consent' Model

Meta Given Deadline to Address E.U. Concerns Over 'Pay or Consent' Model

Jul 23, 2024 Data Privacy / Regulatory Compliance
Meta has been given time till September 1, 2024, to respond to concerns raised by the European Commission over its "pay or consent" advertising model or risk-facing enforcement measures, including sanctions. The European Commission said the Consumer Protection Cooperation ( CPC ) Network has notified the social media giant that the model adopted for Facebook and Instagram might potentially violate consumer protection laws. It described the new practice as misleading and confusing, with authorities expressing worries that consumers might have been pressured into choosing quickly between either paying for a monthly subscription or consenting to their personal data being used for targeted advertising. This, the agency said, could have been motivated by fears that they "would instantly lose access to their accounts and their network of contacts." Meta, which introduced a subscription plan for European Union (E.U.) users in late 2023, has run into hot water over o...
Google Abandons Plan to Phase Out Third-Party Cookies in Chrome

Google Abandons Plan to Phase Out Third-Party Cookies in Chrome

Jul 23, 2024 Online Privacy / Regulatory Compliance
Google on Monday abandoned plans to phase out third-party tracking cookies in its Chrome web browser more than four years after it introduced the option as part of a larger set of a controversial proposal called the Privacy Sandbox. "Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they'd be able to adjust that choice at any time," Anthony Chavez, vice president of the initiative, said . "We're discussing this new path with regulators, and will engage with the industry as we roll this out." The significant policy reversal comes nearly three months following the company's announcement that it intends to eliminate third-party cookies starting early next year after repeated delays, underscoring the project's tumultuous history. While Apple Safari and Mozilla Firefox no longer support third-party cookies as of early 2020, Go...
Practical Guidance For Securing Your Software Supply Chain

Practical Guidance For Securing Your Software Supply Chain

Jun 26, 2024 DevSecOps / Risk Management
The heightened regulatory and legal pressure on software-producing organizations to secure their supply chains and ensure the integrity of their software should come as no surprise. In the last several years, the software supply chain has become an increasingly attractive target for attackers who see opportunities to force-multiply their attacks by orders of magnitude. For example, look no further than 2021's Log4j breach, where Log4j (an open-source logging framework maintained by Apache and used in a myriad of different applications) was the root of exploits that put thousands of systems at risk.  Log4j's communication functionality was vulnerable and thus provided an opening for an attacker to inject malicious code into the logs which could then be executed on the system. After its discovery, security researchers saw millions of attempted exploits, many of which turned into successful denial-of-service (DoS) attacks. According to some of the latest research by Gartner, close t...
Meta Pauses AI Training on EU User Data Amid Privacy Concerns

Meta Pauses AI Training on EU User Data Amid Privacy Concerns

Jun 15, 2024 Artificial Intelligence / Privacy
Meta on Friday said it's delaying its efforts to train the company's large language models ( LLMs ) using public content shared by adult users on Facebook and Instagram in the European Union following a request from the Irish Data Protection Commission (DPC). The company expressed disappointment at having to put its AI plans on pause, stating it had taken into account feedback from regulators and data protection authorities in the region. At issue is Meta's plan to use personal data to train its artificial intelligence (AI) models without seeking users' explicit consent, instead relying on the legal basis of ' Legitimate Interests ' for processing first and third-party data in the region. These changes were expected to come into effect on June 26, before when the company said users could opt out of having their data used by submitting a request "if they wish." Meta is already utilizing user-generated content to train its AI in other markets such ...
Expert Insights / Articles Videos
Cybersecurity Resources