All news in category "Regulation and Policy Brief"

UN Cybercrime Treaty Faces Criticism Over Researcher Risks

🔒 Cybersecurity researchers and rights groups warn the UN Convention against Cybercrime, which begins a ratification process in Hanoi this weekend, could criminalize legitimate research and expand intrusive surveillance powers. The Cybersecurity Tech Accord and organizations such as Human Rights Watch say the draft's vague scope, broad criminalization language, and expansive data-access provisions risk arbitrary abuse and could hamper incident response. Some analysts acknowledge improvements around intent-based language but stress that robust national safeguards and explicit protections for security research are still needed.

Canada Fines Cryptomus $176M over AML Oversight in 2025

🔒 FINTRAC has imposed a $176,960,190 penalty on Xeltox Enterprises Ltd., the operator of Cryptomus, after finding widespread failures to file suspicious transaction reports tied to trafficking in child sexual abuse material, fraud, ransomware payments and sanctions evasion. Regulators said the payments platform enabled dozens of Russian‑focused exchanges and cybercrime‑facing services to move illicit proceeds. The action follows investigative reporting showing numerous money service businesses clustered at shared Canadian addresses that appear to be fronts.

Experian Fined €2.7m by Dutch Regulator for GDPR Breach

🔒 Experian Netherlands has been fined €2.7m by the Dutch Data Protection Authority for breaching GDPR requirements after collecting and processing personal data from public and private sources without proper notice or consent. The regulator found Experian compiled extensive databases using information from the Chamber of Commerce and data sold by telecom and energy firms, and that its credit scores influenced contract terms, deposits and denials. Experian acknowledged the violations, will not appeal, has ceased Dutch operations and plans to delete the database by year-end.

Experian Netherlands fined €2.7M for unlawful data use

🔍 Experian Netherlands was fined EUR 2.7 million by the Dutch Data Protection Authority for collecting and using personal data from multiple public and private sources without properly informing individuals or obtaining consent. The AP found the company aggregated information from the Chamber of Commerce, telecom and energy firms to produce credit assessments that affected interest rates and upfront deposits. Experian acknowledged the violations, will not appeal, has ceased operations in the Netherlands, and pledged to delete its database of personal data before year-end.

IT Leaders Fear Regulatory Patchwork as Gen AI Spreads

⚖️ More than seven in 10 IT leaders list regulatory compliance as a top-three challenge when deploying generative AI, according to a recent Gartner survey. Fewer than 25% are very confident in managing security, governance, and compliance risks. With the EU AI Act already in effect and new state laws in Colorado, Texas, and California on the way, CIOs worry about conflicting rules and rising legal exposure. Experts advise centralized governance, rigorous model testing, and external audits for high-risk use cases.

Supporting Teens Online: Beyond Bans Toward Guidance

👪 The early teen years are pivotal for digital development, and trust between parents and teens matters more than any single setting. Tools like Family Link and YouTube’s supervised experience are valuable, but parents juggling multiple children, apps and devices need simpler solutions—AI assistants could configure age- and app-specific controls. Rather than blanket bans, the piece calls for thoughtful restrictions developed with parents, schools and communities alongside independent digital literacy standards.

CISA Emergency Directive Targets Critical F5 Flaws

🛡️ CISA has issued Emergency Directive 26-01 requiring Federal Civilian Executive Branch agencies to install vendor-provided updates for at-risk F5 devices and software — including F5OS, BIG-IP TMOS, BIG-IQ, and BNK/CNF — by October 22, 2025. The action responds to disclosure that a nation-state actor maintained persistent access to F5 development environments and exfiltrated files containing embedded credentials and API keys. CISA will assess and support agency adherence and urges all entities using these products to apply mitigations immediately.

UK and US Sanction Southeast Asian Online Scam Network

🛡️The UK and US have jointly sanctioned a transnational network accused of operating scam centres across Southeast Asia, immediately freezing businesses and UK properties linked to the group. Targets include Prince Group, its chairman Chen Zhi, and proxy firms such as Jin Bei Group, Golden Fortune Resorts World Ltd and crypto platform Byex Exchange. Investigations by the UK FCDO and US OFAC allege victims were lured by fake job adverts, forced to perpetrate online fraud under threat of torture, and that proceeds were laundered via front companies, casinos and crypto services.

Security Firms Clash Over CVE Credit and Disclosure

🔍 A public dispute erupted when FuzzingLabs accused Y Combinator-backed Gecko Security of copying proof-of-concepts (PoCs), resubmitting them for CVEs, and backdating blog posts to claim credit. FuzzingLabs cites two specific flaws — an Ollama token-stealing bug and a Gradio arbitrary file-copy/DoS issue — and says unique markers in its PoCs prove plagiarism. Gecko denies wrongdoing, saying its process involves direct coordination with maintainers and that overlaps were accidental; it has since updated posts to credit FuzzingLabs.

UK urges FTSE 350 CEOs to boost cyber readiness now

📣 Senior leaders are being warned to take personal responsibility for cyber resilience as the UK government says organisations cannot rely on state protection alone. The NCSC's 2025 Annual Review recorded 204 "nationally significant" incidents and prompted a ministerial letter to FTSE 350 CEOs urging physical incident plans and supply‑chain checks. The agency also highlighted slow uptake of Cyber Essentials and launched the Cyber Action Toolkit to help small businesses reach minimum standards.

Trump Administration Expands Social Media Visa Surveillance

🔍The Brookings report details the Trump administration’s expanded social media surveillance to identify and punish foreign nationals for public speech. Agencies historically gathered millions of handles, but Secretary of State Marco Rubio has promoted a zero-tolerance “Catch and Revoke” policy that uses AI to flag conduct deemed contrary to national interest. Rubio said about 300 visas—mainly student and visitor visas—were revoked, and a State Department cable now requires student applicants to set accounts public for vetting.

EU Authorized to Sign UN Cybercrime Convention Agreement

🔐 The Council of Europe has authorized the European Commission and EU member states to sign the United Nations Convention against Cybercrime, adopted by the UN General Assembly in December 2024, which sets common global standards for cybercrime and the cross-border exchange of electronic evidence. The treaty requires harmonization of criminal offenses, including computer fraud, illegal interception and measures targeting online child sexual abuse, grooming and non-consensual dissemination of intimate images, while including explicit safeguards to protect human rights. The Convention will be open for signature from October 25, 2025 until December 31, 2026 and enters into force ninety days after the fortieth ratification; the EU Presidency will prioritize finalizing a Council decision to enable conclusion of the instrument and seek the European Parliament's consent.

Reassignment of CISA Staff Raises National Cyber Risks

🔔 The US Department of Homeland Security has reassigned hundreds of cybersecurity personnel from the Cybersecurity and Infrastructure Security Agency to non-cyber roles supporting immigration and border enforcement, reports say. This shift has most impacted CISA’s Capacity Building team, which writes emergency directives and oversees protections for the government’s highest-value assets; refusal to accept new roles reportedly risks termination. Analysts warn that reductions in specialized threat hunting, vulnerability scanning, and coordinated advisories will slow response times and create exploitable gaps. Enterprises are urged to tighten patch cycles, adopt phishing-resistant MFA, review privileges, and rely on sector ISACs and private intel sharing while federal capacity is strained.

UK Upper Tribunal Upholds ICO Claim Against Clearview

🔍 The UK Information Commissioner’s Office (ICO) won an Upper Tribunal ruling that bolsters its authority to enforce the UK GDPR against Clearview AI and increases the likelihood of a previously issued £7.5m penalty being upheld. The tribunal found that Clearview’s scraping and global database usage involved monitoring the behavior of UK residents and is not beyond the reach of UK law even when services are provided to foreign law‑enforcement customers. The UT has directed the First‑Tier Tribunal to reconsider its earlier decision in light of this jurisdictional clarity, though Clearview may still appeal.

NCSC urges better observability, threat hunting in UK

🔍 The NCSC, led by CTO Ollie Whitehouse, has urged UK organisations to strengthen observability and threat-hunting capabilities to improve national cyber resilience. It warns many lack comprehensive visibility across accounts, devices, networks, applications and cloud services, and often cannot apply advanced analytics. The centre advises maximising cross-asset visibility, pressing vendors to build monitorable systems, and moving beyond simple IOCs to detect TTPs. It also recommends the NCSC Assured incident response list and CyAS for validation.

Europol Urges Stronger EU Data Laws to Aid Investigations

🔐 At Europol’s 4th Annual Cybercrime Conference in The Hague, officials warned that criminals are exploiting encryption, anonymization and emerging technologies faster than law enforcement and regulators can adapt. Speakers including Europol executive director Catherine De Bolle and European commissioner Magnus Brunner urged stronger cooperation, updated laws and enhanced cross-border data-sharing to ensure lawful access to digital evidence while respecting privacy.

AI's Role in the 2026 U.S. Midterm Elections and Parties

🗳️ One year before the 2026 midterms, AI is emerging as a central political tool and a partisan fault line. The author argues Republicans are poised to exploit AI for personalized messaging, persuasion, and strategic advantage, citing the Trump administration's use of AI-generated memes and procurement to shape technology. Democrats remain largely reactive, raising legal and consumer-protection concerns while exploring participatory tools such as Decidim and Pol.Is. The essay frames AI as a manipulable political resource rather than an uncontrollable external threat.

US Government Shutdown Threatens Federal Cybersecurity

⚠️ The US government shutdown will sharply reduce federal cybersecurity capacity, with CISA set to furlough approximately 1,651 of its 2,540 staff (about 65%), leaving only 889 employees, and NIST estimated to retain roughly 34% of its workforce. Core functions such as vulnerability management, guidance, the CVE program and website operations will be curtailed until appropriations resume. The pause raises immediate operational risks, complicates incident response and increases opportunities for threat actors and fraud.

Expiry of CISA 2015 Leaves US Intelligence Sharing Exposed

🔒 The 2015 Cybersecurity Information Sharing Act (CISA 2015) has expired after lawmakers failed to extend legal safe-harbors for voluntary threat sharing via the Automated Indicator Sharing program (AIS). Amid a congressional funding standoff and a resulting partial government shutdown, industry leaders warn the lapse exposes companies to litigation and may deter intelligence exchange. Security executives say reduced sharing could create blind spots, elevate software supply-chain risk and slow development of AI-driven defenses.

ICO: Imgur UK Exit Will Not Stop Potential Regulatory Fine

⚖️ The ICO has confirmed that Imgur’s decision to block UK access does not absolve the company from scrutiny over alleged past data protection breaches. The regulator issued a notice of intent to fine parent company MediaLab on 10 September and says its findings are provisional while the investigation continues. The concerns relate to potential breaches of the Age Appropriate Design Code, including failures to request or verify ages, lack of high-privacy defaults for children, and serving targeted adverts to minors. The ICO stressed that exiting the UK market is a commercial choice and does not prevent regulatory action for prior infringements.