Welcome to HSF's June wrap-up, which features our top picks for cyber-related news in the UK, EMEA and US.
In a world overflowing with individual incidents and long-form analysis, our short articles are aimed at cutting through the noise, pointing you to key developments, providing you with learning points at a glance and signposting you to longer form content. If you would like to find out more, do reach out to one of our international team.
London hospitals declare critical incident after cyber attack
BBC – 04 June 2024
Hospitals in London have declared a critical incident following a ransomware attack on Synnovis, a pathology laboratory services provider. The attack affected the pathology services of King's College Hospital NHS Foundation Trust and Guy's and St Thomas' NHS Foundation Trust, leading to cancelled operations and delays in the supply of blood for transfusion. Because the hospitals have had to disconnect from Synnovis' IT servers, an outage at a single third-party supplier is translating directly into clinical disruption, including for emergency departments that rely on rapid blood test results.
SEC Announces New Cybersecurity Interpretations
Securities and Exchange Commission (SEC) – 24 June 2024
The SEC's Division of Corporation Finance has released five new Compliance and Disclosure Interpretations (C&DIs) on Item 1.05 of Exchange Act Form 8-K, which governs disclosure of material cybersecurity incidents. The interpretations make clear that a company which pays a ransom and recovers before it has assessed materiality must still determine, under ordinary securities law principles, whether the incident was material and, if so, disclose it on Form 8-K; that insurance reimbursement of a ransom does not by itself make an incident immaterial; and that the size of the ransom payment alone does not determine materiality. They also require companies to consider whether a series of individually minor cybersecurity incidents, taken together, amounts to a material incident requiring disclosure.
Sellafield pleads guilty to criminal charges over cyber security
ComputerWeekly – 24 June 2024
The Sellafield nuclear waste site has pleaded guilty to criminal charges relating to cyber security failings over a four-year period, in the first prosecution brought by the Office for Nuclear Regulation (ONR) since the Nuclear Industries Security Regulations came into force in 2003. The charges concern Sellafield's failure to protect sensitive nuclear information held on its IT network and its failure to carry out the required annual health checks of those systems. Sellafield has denied that any successful cyber attack took place; the charges relate to inadequate safeguards rather than to a proven compromise.
NIS2 Directive: New draft implementing regulations published
European Commission – 27 June 2024
With the October 2024 transposition deadline for the second EU directive on achieving a high common level of cybersecurity across the Union ("NIS2") rapidly approaching, the European Commission has published a draft implementing regulation setting out (i) the technical and methodological requirements of the cybersecurity risk-management measures that certain entities must implement; and (ii) the criteria for when an incident affecting those entities is considered "significant" and therefore reportable. The draft applies to entities in the digital infrastructure sector, ICT service management and certain digital providers (for example cloud computing and data centre providers, managed service and managed security service providers, online marketplaces, search engines and social networking platforms), but the measures it describes are concrete enough to allow all organisations in scope of NIS2 to start planning how to improve their technical and organisational measures. Interested parties have until 25 July 2024 to provide feedback.
EU AI Board holds its first meeting
European Commission – 19 June 2024
The first high-level meeting of the EU's new AI Board took place on 19 June, laying the groundwork for implementation of the AI Act. The agenda covered the Board's strategic vision, national approaches to AI Act governance, priorities and the organisation of the Board itself. The next meeting will be held in early autumn, after the AI Act has entered into force. The key provisions on the establishment and tasks of the AI Board are Articles 65 and 66 of the AI Act.
EU Financial Watchdogs Team Up With Cybersecurity Agency
European Banking Authority – 04 June 2024
The European Union's three financial supervisory authorities, the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA), have signed a memorandum of understanding with the EU Agency for Cybersecurity (ENISA) to protect the banking, insurance, pensions and securities markets sectors from cyber attacks and related risks. The agreement aims to strengthen cooperation and information-sharing on policy implementation, incident reporting and the oversight of ICT third-party providers, areas where the financial regulators' responsibilities under the Digital Operational Resilience Act (DORA) overlap with ENISA's role under NIS2.
Senator Wyden: UnitedHealth CEO, Board ‘Should Be Held Responsible’ for Hiring Unqualified CISO
WebProNews – 07 June 2024
Senator Ron Wyden has criticised UnitedHealth Group (UHG) for appointing an unqualified CISO, following the ransomware attack on its Change Healthcare subsidiary in early 2024. The company did not enforce its own multi-factor authentication (MFA) policy, and attackers used stolen credentials to log into a remote access server that lacked MFA. Wyden argues that the CEO and board should be held responsible for elevating someone without the necessary experience to such a role and for failing to adopt basic cyber security defences. He calls on the Audit and Finance Committee of UHG's board to investigate the company's cyber security failures and hold senior leadership accountable. This latest call for accountability at the highest levels of management feeds into a global trend that is gaining momentum and has already been written into law in some jurisdictions, for example in Article 20(1) of the EU's NIS2 Directive, which makes management bodies responsible for approving and overseeing cyber risk-management measures and liable for failures to do so.
Invasive tracking ‘endemic’ on sensitive support websites
ComputerWeekly –04 June 2024
Commonly used tracking tools embedded in websites offering support for sexual abuse, addiction, mental health and other sensitive topics are sharing visitors' data with advertisers, according to an article in ComputerWeekly. Privacy experts describe the problem as "endemic", attributing it to a widespread lack of awareness of how tracking technologies work and of the harm done when advertisers are inadvertently given access to such information. In some cases the third parties receiving the data learn that a person is seeking support before the service itself has been able to offer help, which the experts liken to being watched walking into a sexual health clinic. The concern is that people will be deterred from seeking help if they believe their data is being sent to third parties.
ICO to investigate 23andMe data breach with Canadian counterpart; UK and Canada's data chiefs join forces to investigate 23andMe mega-breach
The Register – 11 June 2024
The UK and Canadian data protection regulators are jointly investigating the 23andMe data breach, which affected nearly 7 million individuals. UK Information Commissioner John Edwards stressed that people must be able to trust organisations handling their most sensitive personal information, and that the two regulators would work together to ensure it is protected. The breach was one of the most serious of the past year. A cybercriminal using the alias "Golem" posted the data to BreachForums, including a list singling out customers of Ashkenazi Jewish ancestry. The attacker gained direct access only to a comparatively small number of accounts, by credential stuffing (trying username and password pairs leaked in other breaches), but then used the platform's DNA Relatives feature, which lets users browse the profiles of people to whom they may be related, to harvest the data of millions of others. 23andMe had earlier sought to blame the breach on its customers' own poor security habits, namely reused passwords; that defence sits uneasily with the fact that credential stuffing is a well-understood attack which platforms are expected to detect and limit.
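As an added example (not code from the article, the regulators or 23andMe), the following Python shows the server-side check that separates credential stuffing from a legitimate user mistyping a password: many distinct accounts attempted from one source, roughly one try each, mostly failing, with the few successes being exactly the accounts that need a forced reset. The log format, field names, IP addresses and thresholds are assumptions, and the log lines are constructed.

```python
"""Spot credential stuffing in authentication logs.

Added example for this wrap-up; it is not code from 23andMe or from the
articles summarised here. The log format, field names and thresholds are
assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not real data). One hypothetical "key=value" line per
# login attempt. 203.0.113.7 tries ten different accounts once each and gets
# into two of them: the stuffing pattern. 198.51.100.9 is a single user
# fumbling their own password. 192.0.2.44 is an ordinary login.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z ip=203.0.113.7 user=alice result=fail
2024-06-01T10:00:02Z ip=203.0.113.7 user=bob result=fail
2024-06-01T10:00:02Z ip=203.0.113.7 user=carol result=success
2024-06-01T10:00:03Z ip=203.0.113.7 user=dave result=fail
2024-06-01T10:00:03Z ip=203.0.113.7 user=erin result=fail
2024-06-01T10:00:04Z ip=203.0.113.7 user=frank result=fail
2024-06-01T10:00:04Z ip=203.0.113.7 user=grace result=success
2024-06-01T10:00:05Z ip=203.0.113.7 user=heidi result=fail
2024-06-01T10:00:05Z ip=203.0.113.7 user=ivan result=fail
2024-06-01T10:00:06Z ip=203.0.113.7 user=judy result=fail
2024-06-01T10:01:00Z ip=198.51.100.9 user=mallory result=fail
2024-06-01T10:01:05Z ip=198.51.100.9 user=mallory result=fail
2024-06-01T10:01:09Z ip=198.51.100.9 user=mallory result=success
2024-06-01T10:02:00Z ip=192.0.2.44 user=oscar result=success
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>\S+)")


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    compromised: set = field(default_factory=set)  # accounts that logged in successfully


def summarise_by_source(log_text):
    """Aggregate login attempts per source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines not in the expected format
        s = stats[m["ip"]]
        s.attempts += 1
        s.users.add(m["user"])
        if m["result"] == "success":
            s.compromised.add(m["user"])
        else:
            s.failures += 1
    return stats


def detect_credential_stuffing(log_text, min_distinct_users=5,
                               min_failure_ratio=0.5, min_spread=0.8):
    """Return {source_ip: [accounts that logged in successfully from it]}
    for sources whose pattern looks like credential stuffing.

    The three thresholds (assumed values) encode the signature of stuffing:
    many distinct accounts (min_distinct_users), mostly failing
    (min_failure_ratio), with roughly one attempt per account (min_spread),
    which separates it from brute force against a single account.
    """
    flagged = {}
    for ip, s in summarise_by_source(log_text).items():
        distinct = len(s.users)
        if distinct < min_distinct_users:
            continue
        if s.failures / s.attempts < min_failure_ratio:
            continue
        if distinct / s.attempts < min_spread:
            continue
        flagged[ip] = sorted(s.compromised)
    return flagged


if __name__ == "__main__":
    for ip, accounts in detect_credential_stuffing(SAMPLE_LOG).items():
        # Accounts listed here need a forced password reset and session
        # revocation; the source deserves blocking or a step-up challenge.
        print(f"{ip}: stuffing pattern; compromised accounts: {accounts}")
```

In production the aggregation would be windowed by time and would also key on signals other than the source address (ASN, device fingerprint, user agent), because stuffing campaigns are routinely spread across residential proxy pools to stay under any per-IP threshold; the accounts that succeed are the ones to reset first, and mandatory MFA removes the value of the leaked passwords altogether.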
97% of the FTSE 100 exposed to supply chain breaches
FTSE 100 – 03 June 2024
Data breaches originating in third-party supply chains remain a significant threat to UK organisations: research from SecurityScorecard, presented at Infosecurity Europe, found that 97% of FTSE 100 companies have been exposed to a breach in their supply chain. SecurityScorecard's Northern Europe director Will Gray offers constructive guidance to help organisations strengthen their defences and limit the impact of such incidents, starting with knowing which suppliers hold their data and have access to their systems.
Never assume a threat group has been defeated
Techradar.com – 25 June 2024
In February 2024, Operation Cronos, led by the UK's National Crime Agency and the U.S. FBI, disrupted the LockBit ransomware gang's infrastructure, only for the group to return within days with new leak sites and operations. This resilience typifies modern cybercrime: groups like LockBit and BlackCat/ALPHV survive law enforcement takedowns through backup infrastructure and the ability to rebuild and rebrand quickly. Even Qakbot, despite a 2023 takedown, re-emerged with enhanced capabilities. The lesson for organisations is that a takedown is not a reason to relax controls: continuous, multi-layered defences and a rehearsed incident response plan remain necessary regardless of which group is currently in the headlines.
Cybersecurity needs a seat on the board
Boardagenda.com – 24 June 2024
Generative AI has rapidly gained prominence in businesses, sparking significant boardroom discussion about its applications and potential impacts. The National Cyber Security Centre (NCSC) has warned that AI will almost certainly increase both the volume and the impact of cyber attacks over the next two years, underscoring the need for stronger cyber security strategies and closer boardroom engagement. Many boards are responding by proactively strengthening their defences, recognising the importance of guarding against increasingly sophisticated threats. Recent high-profile attacks serve as stark reminders of the damage such incidents can do to the organisations targeted.
Western Law Enforcement Agencies are Going on the Cyber Offensive
Wired-gov.net – 24 June 2024
Western law enforcement agencies have increasingly adopted pre-emptive cyber operations to combat transnational cybercrime, such as ransomware attacks. This shift includes tactics like hacking cybercriminals' infrastructure or devices to disrupt their activities. Recent successes, like takedowns of major ransomware groups, show promise in deterring cyber threats and building cross-border cooperation among law enforcement agencies. However, these operations are not without controversy. They raise sovereignty concerns and privacy issues, and their legality can be uncertain. Critics argue they may not effectively curb cybercrime long-term and could deter private sector cybersecurity efforts. Despite these challenges, proponents view proactive law enforcement action as a necessary and preferable approach compared to militarisation of cyber responses, advocating for increased resources and policy support to strengthen these efforts.
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.