All news in category "Regulation and Policy Brief"
Wed, October 1, 2025
Government Shutdown Deepens US Cybersecurity Risks
⚠️ The US government shutdown that began on Sept. 30 deepens federal cyber risk by compounding prior spending cuts and workforce reductions. Significant cuts — including roughly $1.23 billion trimmed from civilian cyber budgets and about 1,000 CISA staff fired earlier in July — have already weakened defenses. Agencies have issued contingency plans and will exempt some critical SOCs and intelligence functions, but contractors and broader response capacity face disruption. Adversaries are likely monitoring for opportunities, and the effects will persist even after funding resumes.
Wed, October 1, 2025
CISA 2015 Expires Amid Government Shutdown, Hurdles Loom
🔒 Congress allowed CISA 2015 to lapse on Sept. 30, 2025 amid a US government shutdown, removing statutory liability shields for private-sector cyber threat information sharing. The expiration reduces government visibility into corporate threat data and is likely to make companies and CISOs more cautious about exchanging indicators and defensive measures. Experts urge immediate legal review and expect Congress may pursue a temporary reauthorization, though the timing and duration remain uncertain.
Tue, September 30, 2025
Imgur blocks UK access after ICO signals possible fine
🔒 Imgur has geoblocked access for users in the United Kingdom after the Information Commissioner's Office (ICO) issued a notice of intent on 10 September 2025 to impose a monetary penalty on Imgur's parent, MediaLab, over age-verification and children's data protections under the Online Safety Act. From 30 September 2025 UK visitors cannot log in, view, upload, or see embedded Imgur content on third-party sites. The ICO cautioned that blocking UK traffic does not absolve the company of potential fines while MediaLab may make representations.
Tue, September 30, 2025
FTC Sues Sendit for Alleged Illegal Collection of Child Data
🔔 The FTC has filed a lawsuit against Iconic Hearts Holdings Inc., the operator of Sendit, and its CEO Hunter Rice, alleging unlawful collection of personal data from users under 13 and deceptive subscription practices. The complaint claims Sendit collected phone numbers, birthdates, photos, and social media usernames without parental consent, created fake anonymous messages (some deliberately provocative), and misrepresented a paid "Diamond Membership" while imposing recurring charges. The FTC has referred the matter to the Department of Justice; the allegations remain unproven.
Tue, September 30, 2025
US Cuts Federal Funding for MS-ISAC Cyber Program Impact
🛡️ CISA has ended its cooperative agreement with the Center for Internet Security, terminating federal funding for the MS-ISAC on September 30 and placing the program's future in doubt. The MS-ISAC supports more than 18,000 state, local, territorial and tribal members with services such as advisories, secure information sharing, tabletop exercises and the Albert intrusion detection system. CIS has been temporarily subsidizing operations at over $1m per month but plans to phase out that support and is pushing members toward a paid membership model. CISA says it will move to a "new model" to support SLTT partners with tools, grant access and regional advisors.
Mon, September 29, 2025
Seven Nations Publish Unified OT Security Guidance
🛡️ National cybersecurity agencies from seven countries released unified operational technology (OT) security guidance on 29 September, aimed at practitioners who deploy or operate OT equipment and systems. The document is organised around five core principles and supplies step-by-step actions for OT security teams to strengthen resilience. It emphasises creating and maintaining a definitive record that covers asset classification, connectivity mapping, system architecture and third-party risks.
Mon, September 29, 2025
CISA Strengthens Support for SLTT Governments Nationwide
🔒 CISA announced a transition to a new support model to better equip state, local, tribal, and territorial (SLTT) governments to strengthen shared responsibility nationwide. The agency's cooperative agreement with the Center for Internet Security (CIS) will end on September 30, 2025, prompting a shift to direct support. CISA will provide access to grant funding (via DHS/FEMA SLCGP and TCGP), no-cost tools such as cyber hygiene scanning and phishing assessments, regional advisors, and professional services to bolster local cybersecurity posture.
Mon, September 29, 2025
CISA Strengthens Cyber Support for State and Local Govts
🔒 CISA has transitioned to a new direct-support model to equip state, local, tribal, and territorial (SLTT) governments with access to grant funding, no-cost cybersecurity tools, and hands-on expertise. The agency’s cooperative agreement with the Center for Internet Security concludes on September 30, 2025, and CISA will deliver funding via DHS/FEMA programs including SLCGP and TCGP. Offered services include cyber hygiene scanning, phishing assessments, vulnerability management, the Cybersecurity Performance Goals and Cyber Security Evaluation Tool, regional advisors and incident response coordination, while CISA continues collaboration with MS-ISAC for Albert sensor users.
Mon, September 29, 2025
CISA and NCSC Joint Guidance on Securing OT Systems
🔒 CISA, the FBI, the UK NCSC, and international partners published joint guidance titled Creating and Maintaining a Definitive View of Your Operational Technology (OT) Architecture. The guidance explains how organizations can use data sources such as asset inventories and manufacturer-provided resources, including software bill of materials, to create and maintain an accurate OT record. It highlights benefits like improved risk assessment, prioritization of critical and exposed systems, and stronger architectural controls, and recommends cross-team collaboration and alignment with IEC 62443 and ISO/IEC 27001.
Sun, September 28, 2025
EU Opens Antitrust Probe into SAP ERP Support Practices
⚖️ The European Commission has launched a formal investigation into whether SAP engaged in anti-competitive conduct in aftermarket services for its on-premise ERP software. The probe focuses on four practices: mandatory uniform support across products, blocking termination of unused licenses, extending non-terminable initial support terms, and charging reinstatement fees equal to prior amounts. The Commission says these practices could limit competition from third-party support providers and amount to unfair trading conditions. SAP says its policies follow industry standards and expects no significant financial impact.
Fri, September 26, 2025
U.S. Investors to Take Over and Restructure TikTok Operations
🔐 President Trump has signed an executive order approving a plan to separate TikTok’s U.S. operations from Chinese owner ByteDance, enabling a new U.S.-based joint venture to manage the service domestically. The agreement covers TikTok and related apps such as Lemon8 and CapCut and limits ByteDance to under 20% ownership. Oracle and other American investors will control algorithms, data storage, and content moderation while security partners monitor code and data flows.
Fri, September 26, 2025
Singapore Threatens Meta With Fines Over Facebook Scams
🛡️ The Singapore Police Force has issued an implementation directive under the Online Criminal Harms Act requiring Meta to implement enhanced facial recognition for Singapore users and to prioritise review of local scam reports by September 30. The Ministry of Home Affairs said Facebook was the primary platform for government impersonation scams between June 2024 and June 2025, and the SPF disrupted about 2,000 problematic ad schemes on Meta. If Meta fails to comply without a reasonable excuse it faces a S$1m fine and daily penalties after conviction.
Thu, September 25, 2025
Amazon to Pay $2.5 Billion Over Prime Enrollment Practices
⚖️ The FTC announced a $2.5 billion settlement with Amazon over allegations it used dark patterns to trick millions into enrolling in and retaining Prime subscriptions. The agreement includes a $1 billion civil penalty and $1.5 billion in refunds for an estimated 35 million affected consumers. The FTC said Amazon's checkout and cancellation designs obscured opt-outs, failed to disclose automatic renewals, and relied on an internal cancellation flow nicknamed "Iliad" that deterred cancellations. Internal documents, the agency added, showed employees discussing the problematic practices.
Thu, September 25, 2025
Microsoft to Provide Free Windows 10 Security Updates in EEA
🛡️ Microsoft will provide no-cost Extended Security Updates (ESU) for Windows 10 consumer users across the European Economic Area (EEA). The company adjusted enrollment so consumers can access critical patches without tying updates to Windows Backup or Microsoft Rewards, following pressure from Euroconsumers. Microsoft says the change aims to support customers transitioning to Windows 11 before Windows 10 reaches end of support on October 14, 2025.
Thu, September 25, 2025
Global Harms of Restrictive Cloud Licensing: One Year
⚖️ A year after Google Cloud filed a formal complaint with the European Commission, restrictive cloud licensing by Microsoft remains entrenched and, according to recent disclosures, appears to be intensifying. Microsoft has described efforts to drive customers to Azure as a core growth pillar, while new licensing changes due at the end of September further restrict managed service providers from hosting workloads on competing clouds. Regulators such as the U.K.'s CMA have found these policies harm customers, competition, innovation, and cybersecurity, and multiple global authorities are now scrutinizing the practices.
Wed, September 24, 2025
Foundations for OT Cybersecurity: Asset Inventory Guide
🔐 CISA and partners released Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators to help operational technology (OT) owners build accurate, prioritized asset inventories. The guide—co-developed with federal, international, and industry experts—details practical steps to classify devices, map dependencies, and integrate inventories into risk and incident response workflows. It emphasizes continuous maintenance and alignment with NIST and IEC 62443.
Mon, September 22, 2025
Former Meta Lobbyist Named to Ireland's DPC, Concerns
⚖️ The Irish government has appointed Niamh Sweeney as a member of the Data Protection Commission, the authority that leads EU oversight of major technology companies. The appointment has drawn strong criticism from privacy organization Noyb, which highlights Sweeney’s previous role as a lobbyist for Meta. Critics, including Max Schrems, argue this raises questions about impartiality and potential regulatory capture. As recently as December, the DPC fined Meta €251 million for breaches of GDPR, a fact cited by opponents of the appointment.
Mon, September 15, 2025
Whistleblower Lawsuit Alleges WhatsApp Security Failures
🛡️ Attaullah Baig, former head of security at WhatsApp, has filed a whistleblower lawsuit alleging that Facebook knowingly failed to fix multiple security flaws in breach of its 2019 settlement with the FTC. The complaint asserts that in 2022 roughly 100,000 accounts were compromised daily, rising to as many as 400,000 daily lockouts by last year, and that inadequate anti-scraping protections exposed profile data at scale. Baig invokes the whistleblower-protection provisions of the Sarbanes-Oxley Act, and the filing has prompted wider media coverage and potential regulatory scrutiny.
Mon, September 15, 2025
OIG: CISA Wasted Millions and Mismanaged Incentives
🔍 A DHS Office of Inspector General (OIG) audit found that CISA misused federal funds and undermined its mission by administering the Cyber Incentive program too broadly. The review identified 240 recipients in non-cyber support roles, poor record-keeping in OCHCO, and $1.4m in undocumented back pay among more than $138m disbursed since 2020. Payments typically ranged from $21,000 to $25,000 annually per person, and more than 40% of staff received incentives. The OIG issued eight recommendations to tighten eligibility, tracking, governance and recovery procedures; CISA has concurred with all of them.
Fri, September 12, 2025
Cyberattack Victim Notification Framework: Recommendations
🔔 This report analyzes the persistent difficulty organizations face when notifying victims of cyber incidents and proposes a practical roadmap to improve outcomes. It introduces the CSRB's native-notification concept and outlines nearer-term, narrower changes that could increase both delivery and trust. The authors recommend that cloud service providers adopt better notification practices, support secure middleware for cross-platform delivery, and strengthen post-notification victim assistance.