All Articles

A coalition of banking industry associations, including SIFA, the American Bankers Association (ABA), Bank Policy Institute (BPI), and several other lobbying groups have made a disgraceful appeal to the SEC to eliminate the rule requiring public disc

My article on Help Net Security highlighting how the banking industry is leveraging their powerful lobbying groups to try and undermine the U.S. Securities and Exchange Commission 4-day cybersecurity reporting rule, which has been in place for over a

Banking industry lobbyists are pressuring the SEC to gut the four-day breach disclosure rule — an essential safeguard for shareholders and potential victims. Their arguments are misleading, self-serving, and designed to protect profits over public tr

The SEC has fined four major companies for materially misleading investors regarding cyberattacks.

Tech in Trouble

Regulatory actions have been brought against Unisys, Avaya, Check Point, and Mimecast for their purposeful decisions to not clearly infor

A recent report by Trellix indicated that due to growing complexity, responsibility, and regulatory accountability, a majority of CISOs believe their role should be split into separate positions.

This finding struck me as a little odd. It seems counte

The National Public Data breach has been a nightmare, exposing names, addresses, birthdates, emails, phone numbers, and Social Security Numbers of countless individuals — including mine.

As a California resident, I have the legal right to demand that

The Supreme Court struck down the Chevron Doctrine, sharply cutting back the power of federal agencies to interpret the laws they oversee and ruled that courts should rely on their own interpretation of ambiguous laws. The ramifications will have rip

More SEC rules, this time mandating financial firms inform victims of data breaches within 30 days!

Why wasn't this already a requirement?

Last year, the SEC instituted requirements for publicly traded companies to inform investors of material cybersec

The SEC case against SolarWinds and their CISO continues to reverberate across the cybersecurity community. I talk with Edward Amoroso, the Founder and CEO of TAG Infosphere, to discuss different aspects of the case and recent SEC requirements for di

The White House just released an Executive Order intended to lay down some standards intended to manage the risks of Artificial Intelligence. I absolutely like the idea of establishing guardrails to make AI safe, secure, and trustworthy, but I am uns

I think the list of executives and board members genuinely interested in cybersecurity will increase greatly as regulations, such as the US SEC cybersecurity reporting requirements and the European Union's proposed Cyber Resilience Act (CRA), are est

I like the EU Cyber Resilience Act! There, I said it! Yes, this will make companies nervous in the short term, but this regulation is a watershed moment that will fundamentally shift how digital products are secured and maintained! This will FORCE th

I like the concept of ‘banning’ the sale of offensive cyber weapons to potential adversaries, but what defines technology as offensive versus defensive?

Israel just announced it will ban the sales of hacking and surveillance tools to 65 countries: htt

A new bill has been proposed to address Ransomware. Congressman Patrick McHenry recently introduced the Ransomware and Financial Stability Act of 2021.

Good Direction, but Falls Short

I believe it is the right direction for undermining ransomware attac

Industries must either take security, privacy, and safety seriously or find themselves burdened under the crushing blanket of regulatory oversight.

A recent announcement by the European Commission that the Radio Equipment Directive will be updated to

In the absence of a federal privacy law, that would establish unified privacy rights of citizens, I applaud Colorado, to the be latest state to enact legislature that protects its residents. States are leading the charge to protect American’s privacy

Avast was recently caught selling user's web browsing data.  Sensitive data like website destinations, search terms, and even what videos customers watched were collected by Avast software residing on customers' computers.  The data was repackaged an

It simply makes no sense to call for IoT devices to be certified safe-and-secure.  Before you get bent out of shape, hear me out. 

Regulations are unwieldy blunt instruments, best left as a last resort.  Cybersecurity regulations are not nimble, tend