What to know about the SEC’s case against SolarWinds
Washington Post ($): The Securities and Exchange Commission (SEC) has sued software firm SolarWinds and its Chief Information Security Officer, Tim Brown, over alleged insufficient digital defenses and non-disclosure prior to a significant 2020 breach, which the U.S. attributed to Russian hackers in 2021. This lawsuit represents a series of firsts for the SEC: alleging deception towards investors, taking action against an individual, and claiming a company’s internal controls were inadequate. The SEC points to multiple internal warnings SolarWinds received about security gaps. SolarWinds countered the SEC’s charges, emphasizing potential national security risks. Brown’s attorney defended his client’s commitment to cybersecurity.
White House AI executive order adds safety requirements for next generation tech
CIO Dive: President Biden’s new executive order mandates that developers of high-risk AI systems report safety outcomes to the U.S. government. This order is part of a broader strategy to maximize AI benefits while minimizing risks. The disclosure requirement is triggered when an AI model exceeds a computational threshold far beyond current market offerings, suggesting a focus on future technologies. The National Institute of Standards and Technology is charged with establishing red teaming standards for model testing. However, the order does not impose penalties for non-compliance, leading to criticisms from industry experts who demand enforceable regulations rather than voluntary guidelines.
Boeing Breached by Ransomware, LockBit Gang Claims
Dark Reading: Ransomware group LockBit claims to have breached Boeing and threatens to release sensitive data unless its ransom demands are met by November 2nd. The group’s post stated they had extracted a significant amount of sensitive data but would hold off on publishing details until the deadline; a countdown clock was included in the message. Boeing is currently evaluating the claim. LockBit claims to have used a zero-day vulnerability to access Boeing’s systems. Experts expressed concern over potential fallout and an increase in phishing attacks. Although LockBit has been active in the past year, targeting a company as large as Boeing is unusual for the group and differs from its past operations, such as the breach of UK defense contractor Zaun Ltd.
Nearly all companies—98%—have been negatively affected by a cybersecurity breach that occurred in their supply chain. (source)
U.S. healthcare ransomware attacks have cost the economy $78 billion in downtime since 2016. (source)
If you missed our #CybersecurityAwarenessMonth activities, check them out here. As November approaches, let’s highlight three pivotal lessons to carry forward:
1️⃣ Repetition – Organizations are strongly encouraged to sustain a high level of cybersecurity awareness and culture through regular reinforcement, not one-off events.
2️⃣ Understand the target audience – When planning content and activities for awareness, it’s crucial to take into account the needs and preferences of the intended audience.
3️⃣ Ensure it’s engaging – Awareness programs ought to be captivating. Don’t let the subject become mundane; engage and hold the users’ interest.
Charlie is a cybersecurity expert with 14 years of experience. He started his career in the U.S. armed forces and then transitioned into commercial roles. A security engineer by training, he’s well-versed in tool deployment and administration.
Ellen brings a decade of GRC expertise to the TalPoint community. She’s knowledgeable on a variety of frameworks and employs a methodical approach to compliance. She’s available for needs assessments, gap assessments, internal audits, and, for certain frameworks, independent third-party audits.
Zachary brings a 20+ year career in risk management to the TalPoint community. He’s worked across healthcare, finance, and supply chain manufacturing. His broad experience offers both a holistic view of risk and a common-sense approach to risk management.