Incident Reporting Regulations Summary and Chart
A growing number of regulations require organizations to report cybersecurity incidents. This chart summarizes 11 proposed and current cyber incident reporting regulations and breaks down their common elements, such as who must report, what incidents must be reported, deadlines, and more.
Avoiding Smash and Grab Under the SEC’s Proposed Cyber Rule
The SEC proposed a rule to require companies to publicly report cybersecurity incidents. This post explains why public disclosure of an incident before mitigation or containment raises the risk of harm, and suggests a solution that avoids harm while still promoting disclosure.
Navigating the Evolving Patchwork of Incident Reporting Requirements
Rapid7 is supportive of CIRCIA and cyber incident reporting, but we encourage regulators to ensure reporting rules do not impose unnecessary burdens.
New US Law to Require Cyber Incident Reports
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 will require critical infrastructure owners and operators to report cyber incidents and ransomware payments. This post will walk through highlights from the new law.
Prudent Cybersecurity Preparation for the Potential Russia-Ukraine Conflict
Fending off an attack from a well-resourced nation state is a nightmare scenario for cybersecurity teams. Here are some steps your organization can take to bolster its defenses.
How Ransomware Is Changing US Federal Policy
The increased stakes of the ransomware threat are pushing regulators to take a harder look at whether regulatory requirements for cybersecurity safeguards are effective.
2022 Planning: Simplifying Complex Cybersecurity Regulations
Cybersecurity regulations often require similar baseline security practices, even though the legislation may structure compliance requirements differently.
3 Strategies That Are More Productive Than Hack Back
Hack back, as used by non-government entities, is problematic for many reasons. Here are 3 alternative strategies to thwart the attackers.
Thawing Out the Chilling Effect Of DMCA Section 1201
The Copyright Office issued the latest rules on security research under DMCA Section 1201. Good news: researchers' legal protections have been strengthened with the removal of the "all other laws" requirement.
Update to GLBA Security Requirements for Financial Institutions
The FTC updated cybersecurity requirements for financial institutions under GLBA. This includes access controls, regular penetration testing and vulnerability scanning, and incident response, among other things. Here we'll detail the changes in comparison to the previous rule.
Ransomware: Is Critical Infrastructure in the Clear?
Is critical infrastructure in the clear, is it a specific target of ransomware attackers, or is it simply on the same footing as any other organization?
Rapid7 Statement on the New Standard Contractual Clauses for International Transfers of Personal Data
Rapid7 is committed to upholding high standards of privacy and security for our customers, and we are pleased to be able to offer the New SCCs.
Cybersecurity in the Infrastructure Bill
This post provides highlights on cybersecurity in recent infrastructure legislation. Cybersecurity is essential to ensure modern infrastructure is safe, and Rapid7 commends Congress and the Administration for including cybersecurity in the Infrastructure Investment and Jobs Act.
Reforming the UK’s Computer Misuse Act
The CMA is the UK’s anti-hacking law, and we've provided feedback on the issues we see with the legislation.
Hack Back Is Still Wack
The appeal of hack back is easy to understand, but that doesn't make the idea workable. Here, we outline why Rapid7 is against the authorization of private-sector hack back.