
All news with #regulatory action tag


Supply Chain Security Moves to Boardroom Priority Now

🔒 Supply chain security has shifted from a technical concern to a board-level business priority, driven by high-profile incidents and emerging regulation such as the European Cyber Resilience Act. CSOs must confront pervasive open-source risk—highlighted by Log4Shell—and adopt SBOMs, tooling and processes that reduce false positives. Automation, integration with developer workflows and rapid supplier communication are essential to limit fines and protect customer trust.

Hong Kong Police Can Force Disclosure of Encryption Keys

🔐 On March 23, 2026, Hong Kong authorities amended enforcement of the National Security Law, allowing police to demand passwords or other assistance to access personal electronic devices, including phones, laptops, and hard drives. The U.S. Consulate General issued a security alert on March 26 warning that refusal to comply is now a criminal offense. Authorities may also seize and retain devices they allege are linked to national security offenses. The change applies even to travellers transiting the airport.

Cambodia Enacts Tough New Law Against Scam Compounds

🔒 Cambodia has enacted the Law on Combating Online Scams, effective immediately, imposing steep penalties for organisers of scam compounds. The law threatens ringleaders with 5–10 years imprisonment and fines up to $250,000, escalating to 10–20 years and larger fines where violence, forced labour, or trafficking are involved. It also shields coerced victims from prosecution.

German Police Identify REvil and GandCrab Ransomware Leaders

🔍 German Federal Police (BKA) have identified two Russian nationals as the leaders of GandCrab and REvil between 2019 and 2021. The suspects — 31‑year‑old Daniil Maksimovich Shchukin (alias UNKN/UNKNOWN) and 43‑year‑old Anatoly Sergeevitsch Kravchuk — are linked to at least 130 extortion cases in Germany. At least 25 victims paid roughly $2.2 million, with total damages estimated above $40 million; authorities believe both are now in Russia and have released identifying images to solicit tips.

German Police Identify Alleged REvil and GandCrab Leaders

🔎 German Federal Police (BKA) say they have identified two Russian nationals as alleged leaders of the GandCrab and REvil ransomware operations active from 2019 to 2021. Authorities attribute at least 130 extortion cases in Germany to the pair, with 25 victims paying roughly $2.2 million and estimated total damages exceeding $40 million. Images, including tattoo photos, have been released and the suspects are listed on the EU Most Wanted portal as authorities seek public tips.

New Mexico Ruling Threatens End-to-End Encryption Safety

🔒 Mike Masnick argues the New Mexico court ruling against Meta applies a troubling 'design choices create liability' framework that could undermine end-to-end encryption. The state used Meta's 2023 decision to add E2EE in Messenger as evidence that the company 'shielded' predators, and is seeking court-ordered changes to 'protect minors from encrypted communications.' The ruling risks forcing companies to weaken security features and stop documenting internal safety tradeoffs.

U.S. Bans Import of Foreign-Made Consumer Routers Nationwide

🔒 The Executive Branch has determined that foreign-made consumer routers create a supply-chain vulnerability and pose a severe cybersecurity risk that could disrupt U.S. critical infrastructure and harm U.S. persons. Any new router manufactured outside the United States must receive FCC approval before it can be imported, marketed, or sold; approval requires disclosure of foreign investors or influence and a plan to shift manufacturing to the U.S. Certain devices may be exempted by the Department of Defense or DHS, though neither agency has listed exceptions yet. Existing home routers do not need to be discarded, and market impacts may favor companies able to produce domestically, such as Starlink, while vendors like Netgear—which manufactures abroad—face new compliance and cost pressures.

ICO fines UK alarm provider £100,000 for nuisance calls

📞 The Information Commissioner’s Office (ICO) fined Birmingham-based monitored alarm provider TMAC £100,000 after staff used false identities on marketing sales calls and the firm made over 260,000 calls to numbers registered on the Telephone Preference Service. The ICO said TMAC deliberately targeted individuals over 60 between February and September 2024, impersonating local crime and fire prevention initiatives to trick recipients. The regulator stressed these actions breached the Privacy and Electronic Communications Regulations and highlighted the importance of public reporting in enabling enforcement.

AI Regulation Emerges as Central Issue in U.S. Midterms

🗳️ The December Trump executive order constrains state AI regulation by directing federal lawsuits and withholding funds from states that attempt limits, effectively prioritizing industry interests over local consumer protections. Polling in 2025 shows broad bipartisan support for greater state and federal oversight, yet the order reshapes political fault lines ahead of the midterms. Candidates may use AI as a wedge—highlighting job displacement, datacenter opposition, and corporate concentration—while organizers work to broaden the debate beyond local fights.

LeakBase Forum Admin Arrested in Russia Over Data Trade

🔒 Russian authorities have arrested the alleged administrator of LeakBase, a major cybercrime forum accused of trading stolen personal databases since 2021. The suspect, reported to be a resident of Taganrog, was detained and technical equipment seized during a search. Officials say the platform hosted hundreds of millions of accounts, bank details and corporate documents and had over 147,000 registered users. The site was dismantled earlier this month and its content preserved for evidentiary purposes.

FCC Bans Import and Sale of All Foreign-Made Routers

🔒 The FCC has banned the import and sale of all consumer-grade internet routers manufactured in foreign countries, saying they pose an 'unacceptable risk' to US national security. The rule, announced on 23 March, allows only devices with conditional DoD or DHS approval, effectively blocking most future consumer models because many are made abroad. The agency cited incidents such as the Volt, Flax and Salt Typhoon attacks, while industry experts caution that governance, patching and lifecycle management — not just country of origin — drive much of the risk.

Wyden Raises Alarm Over Hidden Section 702 Secret Law

🔔 Sen. Ron Wyden warned on the Senate floor that a classified, previously undisclosed interpretation of Section 702 is affecting Americans’ privacy and has been withheld from public and congressional debate. He raised the issue while opposing the nomination of Joshua Rudd to lead the NSA, citing Rudd’s unwillingness to accept basic constitutional limits on surveillance. Wyden said he has repeatedly asked administrations to declassify the matter and is still awaiting a response from DNI Gabbard. He urged Congress to openly debate the matter before Section 702 is reauthorized.

FCC Blocks New Foreign-Made Consumer Routers Nationwide

🔒 The FCC announced a ban on imports of new foreign-made consumer routers, citing unacceptable cyber and national security risks after an Executive Branch determination. New models are placed on the Covered List unless granted Conditional Approval by the Department of War or DHS; Starlink routers are exempt. Existing customer-owned devices and previously authorized models remain legal to use and sell.

FCC Bans Sale of New Consumer Routers Made Outside USA

🔒 The FCC has expanded its Covered List under the Secure and Trusted Communications Networks Act to include all consumer routers manufactured outside the United States, effectively banning the sale of new foreign-made models. The move follows a National Security Determination that identified foreign-produced routers as a significant supply-chain threat and cited recent compromises linked to groups such as Volt, Flax, and Salt Typhoon. The agency permits limited exemptions and an alternative approval path for vendors that transparently disclose ownership, manufacturing, and supply-chain details and commit to onshoring critical component production. Existing routers remain available, but consumers may face reduced model availability and higher prices as certification adds time and cost.

Yanluowang Broker Sentenced to 81 Months; Restitution

🔒 A Russian national, 26-year-old Aleksey Olegovich Volkov (aliases "chubaka.kor" and "nets"), was sentenced to 81 months in U.S. federal prison after pleading guilty to acting as an initial access broker for the Yanluowang ransomware operation. Between July 2021 and November 2022 he sold corporate network access to at least eight U.S. companies, enabling affiliates to deploy ransomware and demand payments. The FBI recovered chat logs, stolen data, victim credentials, and evidence of ransom negotiations after seizing a server tied to the gang, and traced Volkov through Apple iCloud, cryptocurrency exchange records, and social media. He was arrested in Italy in January 2024, extradited to the U.S., and ordered to pay over $9.16 million in restitution and forfeit equipment used in the crimes.

Russian Initial Access Broker Sentenced to 81 Months

🔒 Aleksei Volkov, a Russian initial access broker tied to dozens of ransomware incidents that produced more than $9m in documented victim losses, has been sentenced to 81 months in a US federal prison. He pleaded guilty to offenses including trafficking in access information, access device fraud and aggravated identity theft. Volkov was linked to Yanluowang and other cybercrime groups, and has agreed to pay at least $9.2m in restitution.

CISA Orders Federal Patch for DarkSword iOS Flaws Now

🔒 CISA ordered U.S. federal agencies to patch three iOS vulnerabilities exploited by the DarkSword exploit kit, imposing a two-week deadline under BOD 22-01. Apple has released fixes and the flaws now only affect iPhones running iOS 18.4 through 18.7. Researchers linked DarkSword to multiple threat groups and to data-stealing malware families including GhostBlade, GhostKnife, and GhostSaber.

KEV: CISA Lists Apple, Craft CMS and Laravel Flaws

⚠️ CISA has added five actively exploited vulnerabilities affecting Apple, Craft CMS, and Laravel Livewire to its Known Exploited Vulnerabilities (KEV) catalog and ordered federal agencies to patch them by April 3, 2026. The flaws include high‑severity memory corruption bugs in Apple WebKit and kernel components and critical code injection issues in Craft and Laravel that were fixed in 2025. Security researchers have observed exploitation linked to the DarkSword iOS exploit kit and campaigns attributed to MuddyWater.

FCA updates reporting to cover cyber and third-party

🔒 The FCA has issued clarified rules on reporting cyber-related incidents and supplier outages to give firms greater certainty about what to report and when. The update creates a streamlined regime coordinated with the PRA and the Bank of England, introduces a single reporting portal, removes duplicated reporting for payment service providers and credit rating agencies, and refines required information so most firms can use a short form. Firms have 12 months to prepare; the changes take effect on 18 March 2027.

Anthropic Ban Signals New AI Supply Chain Risks for CISOs

🔒 The Trump administration's ban on Anthropic as a supply-chain risk forces CISOs to locate, isolate, and potentially remove a specific AI model across complex environments. The Pentagon memo gives 180 days and requires contractor certification, but enterprises lack comprehensive inventories and visibility into AI usage. Experts debate whether existing SBOM methods suffice and warn that removal can be disruptive without careful governance.