Week of October 6th, 2023

The first week of October has been a notable one for cyber-related news.

Here are this week’s top takeaways:


New US SEC Cyber Rules Are Putting on Pressure

Although the new US Securities and Exchange Commission cyber rules will not be officially in place until December 2023, organizations are already feeling the pressure.

Why? Well, let’s look back at August of this year for context:

On August 14th, cleaning product company Clorox filed a form 8-K with the SEC regarding a cyber incident that had negatively impacted the company’s business operations.

One month later, Clorox filed another 8-K, stating that the damage to its IT infrastructure was continuing to wreak havoc on its production systems, which, in turn, was triggering processing delays and an elevated level of product outages, all of which were reported to have a significant effect on its quarterly financials.

Clorox’s SEC filings were the first reports of a material cyber incident following the SEC's release of its new cyber incident reporting rules, which were announced in July. Under these new rules, starting on December 18th, 2023, publicly traded companies will be mandated to do the following:

  • Disclose within four days any cybersecurity incident they determine to be material and describe the material aspects of the incident’s nature, scope, and timing, in addition to describing material impact (or likely material impact) on the registrant
  • Describe the organization’s processes for identifying and managing material risks from cybersecurity threats, plus the material effects or reasonably likely material effects of risks from both emerging cybersecurity threats and previous cybersecurity incidents
  • Describe their board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cyber-related threats

Leading authorities warn that the Clorox incident highlights a new sense of urgency among SEC-regulated companies to report data breaches. Furthermore, they state that, once the new rules take effect, companies will be under renewed pressure to maintain close working relationships between CISOs and management in order to determine reasonable financial materiality.


Attention, Ontario! 3.4 Million Have Been Affected by the Ontario Pregnancy and Newborn Care Registry Breach

In over 39% of healthcare organizations, disclosure of a breach only occurred months after the initial incident. Ontario’s latest healthcare-related data breach reflects this.

Recently, the Better Outcomes Registry & Network (BORN), an Ontario government agency that manages pregnancy and newborn data across the province, reported that the personal health information of about 3.4 million people was impacted by a data breach.

Although the news release was made public on September 25th, 2023, the cybersecurity incident first occurred on May 31st, 2023, and was linked to the global privacy breach of the file transfer system MOVEit, the same software that exposed the personal information of over 100,000 Nova Scotians last spring.

Anyone who gave birth between April 2010 and May 2023 is “likely” affected by the breach, representatives of BORN said in the release. Individuals who received pregnancy care between January 2012 and May 2023 are also likely affected, in addition to those who had in-vitro fertilization (IVF) or egg banking in Ontario between January 2013 and May 2023.


Automation Giant Johnson Controls Hit By Significant Ransomware Attack

A significant ransomware attack that began last weekend has targeted the building automation giant Johnson Controls and, after first breaching its Asia offices, has spread to shut down a portion of its IT systems.

From there, a large number of its subsidiaries, including Simplex and Ruskin, have begun to display technical outage messages on website login pages and customer portals.

"We are currently experiencing IT outages that may limit some customer applications such as the Simplex Customer Portal," reads a message on the Simplex website. "We are actively mitigating any potential impacts to our services and will remain in communication with customers as these outages are resolved."

Who do you think will be hit next? Let us know in the comments section.
