All news with #regulatory action tag

Thu, October 16, 2025

IT Leaders Fear Regulatory Patchwork as Gen AI Spreads

⚖️ More than seven in 10 IT leaders list regulatory compliance as a top-three challenge when deploying generative AI, according to a recent Gartner survey. Fewer than 25% are very confident in managing security, governance, and compliance risks. With the EU AI Act already in effect and new state laws in Colorado, Texas, and California on the way, CIOs worry about conflicting rules and rising legal exposure. Experts advise centralized governance, rigorous model testing, and external audits for high-risk use cases.

Wed, October 15, 2025

Capita fined £14M for 2023 breach exposing 6.6M people

🔒 The ICO fined Capita £14 million after a March 2023 cyberattack that exposed personal information for 6.6 million people and hundreds of clients, including 325 pension providers. Attackers—claiming responsibility as Black Basta—gained access via a malicious file, remained in systems for 58 hours, exfiltrated almost 1TB, and deployed ransomware. The fine was reduced from an initial £45 million after Capita accepted liability and implemented remediation measures, including enhanced access controls and customer protections.

Wed, October 15, 2025

Capita Fined £14m Over 2023 Data Breach Failings, Remediated

🔒 The Information Commissioner’s Office (ICO) confirmed Capita will not appeal a £14m penalty for security failings that led to a March 2023 breach affecting nearly seven million people. The fine was reduced from an initial £45m after the ICO considered post-incident remediation, support to affected individuals and engagement with the NCSC. The regulator cited delayed SOC response, absence of a tiered privileged-access model and siloed pen testing that allowed a threat actor linked to Black Basta to escalate privileges and deploy ransomware.

Wed, October 15, 2025

UK and US Sanction Southeast Asian Online Scam Network

🛡️ The UK and US have jointly sanctioned a transnational network accused of operating scam centres across Southeast Asia, immediately freezing businesses and UK properties linked to the group. Targets include Prince Group, its chairman Chen Zhi, and proxy firms such as Jin Bei Group, Golden Fortune Resorts World Ltd and crypto platform Byex Exchange. Investigations by the UK FCDO and US OFAC allege victims were lured by fake job adverts, forced to perpetrate online fraud under threat of torture, and that proceeds were laundered via front companies, casinos and crypto services.

Tue, October 14, 2025

UK urges FTSE 350 CEOs to boost cyber readiness now

📣 Senior leaders are being warned to take personal responsibility for cyber resilience as the UK government says organisations cannot rely on state protection alone. The NCSC's 2025 Annual Review recorded 204 "nationally significant" incidents and prompted a ministerial letter to FTSE 350 CEOs urging physical incident plans and supply‑chain checks. The agency also highlighted slow uptake of Cyber Essentials and launched the Cyber Action Toolkit to help small businesses reach minimum standards.

Tue, October 14, 2025

Trump Administration Expands Social Media Visa Surveillance

🔍 The Brookings report details the Trump administration’s expanded social media surveillance to identify and punish foreign nationals for public speech. Agencies historically gathered millions of handles, but Secretary of State Marco Rubio has promoted a zero-tolerance “Catch and Revoke” policy that uses AI to flag conduct deemed contrary to national interest. Rubio said about 300 visas—mainly student and visitor visas—were revoked, and a State Department cable now requires student applicants to set accounts public for vetting.

Tue, October 14, 2025

From CISO to Chief Risk Architect: Rethinking Cybersecurity

🔐 The article argues that the traditional CISO role must evolve into a Chief Risk Architect, shifting focus from purely technical controls to enterprise resilience and business continuity. It emphasizes anticipating disruptions, minimizing operational impact, and demonstrating recovery capabilities to regulators, partners, and shareholders. Required skills now include risk quantification, ERM, threat detection, geopolitical awareness, and fluency with regulations like NIS2, DORA and the AI Act. It also stresses reporting to the board or CEO to gain strategic influence and attract future talent.

Tue, October 14, 2025

EU Authorized to Sign UN Cybercrime Convention Agreement

🔐 The Council of Europe has authorized the European Commission and EU member states to sign the United Nations Convention against Cybercrime, adopted by the UN General Assembly in December 2024, which sets common global standards for cybercrime and the cross-border exchange of electronic evidence. The treaty requires harmonization of criminal offenses, including computer fraud, illegal interception and measures targeting online child sexual abuse, grooming and non-consensual dissemination of intimate images, while including explicit safeguards to protect human rights. The Convention will be open for signature from October 25, 2025 until December 31, 2026 and enters into force ninety days after the fortieth ratification; the EU Presidency will prioritize finalizing a Council decision to enable conclusion of the instrument and seek the European Parliament's consent.

Fri, October 10, 2025

Move Beyond the CIA Triad: A Layered Security Model

🔐 The article contends that the Cold War–era CIA triad (confidentiality, integrity, availability) is too narrow for modern threats driven by cloud, AI, and fragile supply chains. It proposes the 3C Model—Core, Complementary, Contextual—to elevate authenticity, accountability, and resilience as foundational pillars rather than afterthoughts. The framework aims to harmonize standards, reduce duplication, and help CISOs speak in terms of survival, trust, and business impact instead of only uptime and technical controls.

Thu, October 9, 2025

Protecting Your Car from Hacking: Practical Guidance 2025

🚗 Modern vehicles increasingly rely on interconnected electronics and external services, creating multiple remote attack vectors — from CAN, LIN and OBD ports to Wi‑Fi, Bluetooth and cellular links. The article notes that attackers now often target manufacturer servers (e.g., Toyota’s 2024 data loss) and references UN R155/R156 and ISO/SAE 21434. It describes vehicle risk categories, practical buyer and setup checks, and step‑by‑step advice if you suspect a compromise.

Thu, October 9, 2025

Reassignment of CISA Staff Raises National Cyber Risks

🔔 The US Department of Homeland Security has reassigned hundreds of cybersecurity personnel from the Cybersecurity and Infrastructure Security Agency to non-cyber roles supporting immigration and border enforcement, reports say. This shift has most impacted CISA’s Capacity Building team, which writes emergency directives and oversees protections for the government’s highest-value assets; refusal to accept new roles reportedly risks termination. Analysts warn that reductions in specialized threat hunting, vulnerability scanning, and coordinated advisories will slow response times and create exploitable gaps. Enterprises are urged to tighten patch cycles, adopt phishing-resistant MFA, review privileges, and rely on sector ISACs and private intel sharing while federal capacity is strained.

Thu, October 9, 2025

UK Upper Tribunal Upholds ICO Claim Against Clearview

🔍 The UK Information Commissioner’s Office (ICO) won an Upper Tribunal ruling that bolsters its authority to enforce the UK GDPR against Clearview AI and increases the likelihood of a previously issued £7.5m penalty being upheld. The tribunal found that Clearview’s scraping and global database usage involved monitoring the behavior of UK residents and is not beyond the reach of UK law even when services are provided to foreign law‑enforcement customers. The UT has directed the First‑Tier Tribunal to reconsider its earlier decision in light of this jurisdictional clarity, though Clearview may still appeal.

Thu, October 9, 2025

NCSC urges better observability, threat hunting in UK

🔍 The NCSC, led by CTO Ollie Whitehouse, has urged UK organisations to strengthen observability and threat-hunting capabilities to improve national cyber resilience. It warns many lack comprehensive visibility across accounts, devices, networks, applications and cloud services, and often cannot apply advanced analytics. The centre advises maximising cross-asset visibility, pressing vendors to build monitorable systems, and moving beyond simple IOCs to detect TTPs. It also recommends the NCSC Assured incident response list and CyAS for validation.

Tue, October 7, 2025

Why Successful Businesses Are Built on Cyber Protection

🔒 Company leaders must treat cyber risk as a strategic priority rather than a discretionary cost. The piece highlights a persistent budget-perception gap between CISOs and boards and notes SMBs often remain reactive, prioritizing firefighting over prevention. It cites high-profile breaches and the IBM Cost of a Data Breach to quantify losses and recommends technologies such as SIEM and SOAR, alongside governance measures like board oversight and appointed CISOs. Practical advice stresses framing security as business risk, using financial metrics, and reporting regularly to embed security-by-design.

Mon, October 6, 2025

Europol Urges Stronger EU Data Laws to Aid Investigations

🔐 At Europol’s 4th Annual Cybercrime Conference in The Hague, officials warned that criminals are exploiting encryption, anonymization and emerging technologies faster than law enforcement and regulators can adapt. Speakers including Europol executive director Catherine De Bolle and European commissioner Magnus Brunner urged stronger cooperation, updated laws and enhanced cross-border data-sharing to ensure lawful access to digital evidence while respecting privacy.

Mon, October 6, 2025

Five Critical Questions for Selecting AI-SPM Solutions

🔒 As enterprises accelerate AI and cloud adoption, selecting the right AI Security Posture Management (AI-SPM) solution is critical. The article presents five core questions to guide procurement: does the product deliver centralized visibility into models, datasets, and infrastructure; can it detect and remediate AI-specific risks like adversarial attacks, data leakage, and bias; and does it map to regulatory standards such as GDPR and NIST AI? It also stresses cloud-native scalability and seamless integration with DSPM, DLP, identity platforms, DevOps toolchains, and AI services to ensure proactive policy enforcement and audit readiness.

Mon, October 6, 2025

AI's Role in the 2026 U.S. Midterm Elections and Parties

🗳️ One year before the 2026 midterms, AI is emerging as a central political tool and a partisan fault line. The author argues Republicans are poised to exploit AI for personalized messaging, persuasion, and strategic advantage, citing the Trump administration's use of AI-generated memes and procurement to shape technology. Democrats remain largely reactive, raising legal and consumer-protection concerns while exploring participatory tools such as Decidim and Pol.Is. The essay frames AI as a manipulable political resource rather than an uncontrollable external threat.

Thu, October 2, 2025

US Government Shutdown Threatens Federal Cybersecurity

⚠️ The US government shutdown will sharply reduce federal cybersecurity capacity, with CISA set to furlough approximately 1,651 of its 2,540 staff (about 65%), leaving only 889 employees, and NIST estimated to retain roughly 34% of its workforce. Core functions such as vulnerability management, guidance, the CVE program and website operations will be curtailed until appropriations resume. The pause raises immediate operational risks, complicates incident response and increases opportunities for threat actors and fraud.

Thu, October 2, 2025

Expiry of CISA 2015 Leaves US Intelligence Sharing Exposed

🔒 The 2015 Cybersecurity Information Sharing Act (CISA 2015) has expired after lawmakers failed to extend legal safe-harbors for voluntary threat sharing via the Automated Indicator Sharing program (AIS). Amid a congressional funding standoff and a resulting partial government shutdown, industry leaders warn the lapse exposes companies to litigation and may deter intelligence exchange. Security executives say reduced sharing could create blind spots, elevate software supply-chain risk and slow development of AI-driven defenses.

Wed, October 1, 2025

ICO: Imgur UK Exit Will Not Stop Potential Regulatory Fine

⚖️ The ICO has confirmed that Imgur’s decision to block UK access does not absolve the company from scrutiny over alleged past data protection breaches. The regulator issued a notice of intent to fine parent company MediaLab on 10 September and says its findings are provisional while the investigation continues. The concerns relate to potential breaches of the Age Appropriate Design Code, including failures to request or verify ages, lack of high-privacy defaults for children, and serving targeted adverts to minors. The ICO stressed that exiting the UK market is a commercial choice and does not prevent regulatory action for prior infringements.
