Welcome to HSF's November wrap-up: our top picks for cyber-related news in the UK, EMEA and US. Our short summary and commentary are aimed at giving you the awareness and insights you need with minimum time investment. Below you will find:

  • Developments in regulatory requirements and guidance;
  • Wider cyber industry news; and
  • Particularly noteworthy (reported) cyber incidents.

1) Regulatory requirements and guidance

ICO consultation on draft Data Protection Fining Guidance

The ICO has been consulting on new guidance (Data Protection Fining Guidance) which seeks to provide insight into:

  • the legal framework underpinning the power of the ICO to impose fines under the UK data protection regime;
  • circumstances which the ICO would consider as appropriate to issue a penalty notice; and
  • the calculation of the appropriate amount of fines.

The draft guidance, once finalised, will replace parts of the statutory guidance set out in the Regulatory Action Policy.

Clients often are concerned about where enforcement action may lead and the ICO's transparency in this regard is a welcome approach.

New York financial regulator rolls out updated cyber security standards

Following the New York Department of Financial Services' (NYDFS) updates to its regulations, banks, insurers and financial services providers based in NY state will have to take certain mandatory measures, including using multifactor authentication, expanding cyber security governance duties and conducting consistent threat testing. The New York agency is a national leader in cyber security regulation, with other state and federal regulators adopting its approach. The changes, announced 1 November 2023, are most significant for large companies, with the DFS assigning several new provisions to companies making at least $20 million annually. Businesses with fewer than 20 employees that make under $7.5 million annually are exempt. Under the updated rule, large companies must now independently audit their cyber security once a year, implement a breach detection system, and centralize how they log security incidents.

The new rules are complementary to the recent changes introduced by the Securities and Exchange Commission (SEC), intensifying cyber governance requirements for covered entities. Compliance with the updated NYDFS rules will be expected in 180 days, but the notice requirement took effect 30 days from the day the rule entered into force. The NYDFS also added a section to the rule describing how its process for determining penalties for violations will account for cooperation in investigations, history of prior offenses, and other factors; a welcome source of insight and transparency for covered businesses.

The NYDFS has also demonstrated agility and an ability to listen to the market by bringing forward further proposed adjustments to the rules that have only just been put in place. The revised regulations set out several changes, including a requirement that each "class A" company conduct independent audits of its cyber security program no longer annually, but rather at a frequency based on its cyber risk assessments, with further requirements including limitation of access privileges to information systems. The amendment also updates the oversight requirements for the senior governing body of a covered entity with respect to the covered entity's cyber security risk management, which include having "sufficient understanding" of cyber security matters to permit effective oversight. Entities may instead be required to confirm that their management has allocated sufficient resources to implement and maintain a cyber security program. To socialise these changes, the NYDFS will host briefings and seminars over the coming months, so covered entities should stay tuned.

European Data Protection Supervisor (EDPS) and UK ICO Sign Memorandum of Understanding (MoU)

The ICO and the EDPS have signed an MoU, which sets out how the authorities will continue to share experiences and best practices. Included in the MoU is a non-exhaustive list of ways in which the two parties may collaborate, such as the implementation of joint research projects and joint publications, convening bilateral meetings and secondment of staff.

Both authorities already collaborate in other forums such as the Global Privacy Assembly and the G7 Data Protection Authorities Roundtable but this latest MoU is a welcome indication that, despite Brexit, there is a desire for a high degree of cooperation and alignment in approach between the two authorities.

2) Wider cyber industry news

Review of the Computer Misuse Act 1990 (CMA): Analysis of responses

The Home Office has published its response to the submissions received to its consultation paper on the review of the Computer Misuse Act 1990 (CMA). The review of the CMA was launched to identify whether the current offences under the CMA sufficiently cover the range of harmful activity that has increased in complexity and volume since the introduction of the Act.

Across the 50 responses received, respondents felt more could be done to protect the UK and take action against offenders. Responses ranged from requests for new powers to enable law enforcement agencies to better investigate offences, to questions about whether new technology such as AI is adequately covered under the CMA. The Home Office has committed to developing some of these proposals in detail, which provides past and future victim organisations with some reassurance that UK agencies are taking cybercrime seriously.

NCSC Annual Review 2023: Key developments and highlights

The National Cyber Security Centre has published its Annual Review 2023, looking back at its key developments and highlights. The review makes special mention of securing the UK's Critical National Infrastructure and securing democratic processes. Also highlighted are the issuance of fresh guidance to help organisations following the recent rise in supply chain cyber attacks, and the launch of a flagship new service to help small organisations stay safe online as the latest phase of its campaign.

3) Noteworthy (reported) cyber incidents

Ransomware gang files SEC complaint over victim's undisclosed breach

In a novel twist, the ALPHV/BlackCat ransomware operation has taken extortion to a new level by filing a U.S. Securities and Exchange Commission (SEC) complaint against one of its alleged victims, MeridianLink, for not complying with recently introduced rules requiring disclosure of a "material" cyberattack within four days.

MeridianLink is a publicly traded company that provides digital solutions for financial organizations such as banks, credit unions, and mortgage lenders. Reports state that the breach occurred on 7 November 2023 and that the alleged lack of response from MeridianLink is what likely prompted the hackers to try this new approach.

As mentioned above, the SEC's new cyber security rules will only take full effect on 15 December 2023. While other ransomware and extortion gangs have historically only threatened to report breaches, this is perhaps the first time we have seen a threat actor act on such a threat.

This builds on other innovations in high-pressure tactics observed in recent times, such as ransomware threat actors contacting not just the ransomed organisation but also its customers, its C-suite and employees, and their families; both to heap pressure on the victim organisation directly and to leverage affected customers' concerns to exert further pressure on the organisation via a different channel. Also on the table is whether the customer would be prepared to pay the same or a reduced ransom in respect of their portion of the data.

MSP CTS compromised: Potential impact on hundreds of UK law firms

CTS, a trusted provider of IT services to the legal sector in the UK, has announced that it is investigating a cyber attack that caused a service outage which has potentially impacted a large number of UK law firms. It is understood that the vulnerability involved affects Citrix NetScaler ADC/Gateway devices, and U.S. officials have warned of its exploitation by both state-sponsored and cybercriminal groups.

MSPs such as CTS present an attractive "one-to-many" opportunity for affecting multiple high-value targets. With increasing consolidation in the space and the complex nature of supply chains, we can expect to see further attacks on MSPs.

This incident comes at an unfortunate time, given that the UK Government opted not to introduce legislation aimed at updating the Network and Information Systems Regulations, which cover MSP cyber security, despite earlier indications that it would do so at the first available opportunity. It remains to be seen whether this attack pushes this initiative up the legislative agenda.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.