November 17th, 2021 by Admin

Ransomware attacks—the use of malicious software to deny users access to data and information systems to extort ransom payments from victims—are prevalent. A recent notable example is the May 2021 ransomware attack that temporarily shut down the Colonial Pipeline Company’s network, affecting gasoline availability and prices. This attack is but one of many; in 2020 alone, the Federal Bureau of Investigation (FBI) received nearly 2,500 ransomware complaints with losses exceeding $29 million.

Federal law provides several potential approaches to combat ransomware attacks. First, federal criminal laws, such as the Computer Fraud and Abuse Act (CFAA), can be used to prosecute those who perpetrate ransomware attacks. These laws and others, such as the statutes criminalizing conspiracy and aiding and abetting, might also be used to prosecute individuals who help to develop ransomware that is ultimately used by others. Victims who pay ransoms might also be subject to criminal or civil penalties in some cases—for example, where a ransom payment is made knowingly to an entity either designated as a foreign terrorist organization or subject to sanctions by the Department of Treasury. Nevertheless, policy considerations, mitigating factors, and prosecutorial discretion may weigh against enforcement in such instances.

Second, federal cybersecurity laws play an important role in both preventing and responding to ransomware attacks. Cyber preparedness laws require federal agencies to secure their networks and authorize the Cybersecurity and Infrastructure Security Agency (CISA) and Office of Personnel Management (OPM) to establish federal network security requirements. Other cyber preparedness laws authorize federal agencies to assist private entities operating in critical infrastructure sectors in securing their systems. Moreover, many data protection laws include requirements for covered entities to safeguard customer or consumer data. If a ransomware attack or other cyber incident occurs, federal law requires CISA and other federal agencies to work together to mitigate harm to federal networks and authorizes them to assist private entities in incident response and damage mitigation.

November 16th, 2021 by Admin

The long-awaited and closely watched Personal Information Protection Law of the People’s Republic of China (“PIPL”) was adopted on 20 August 2021, at the 30th Session of the Standing Committee of the 13th National People’s Congress.

As a basic law for personal information protection in China, the PIPL clarifies the rules for processing personal information, the obligations of personal information handlers (and processors), and the rights of personal information subjects. Notably, the PIPL provides serious punishment for violations of this law, including a fine of up to CNY 50 million (about USD 7,690,000) or 5% of the previous year’s annual turnover.

The PIPL will come into effect on 1 November 2021. During the grace period, organizations operating in China, as well as those established outside China but subject to the PIPL’s extraterritorial reach, are advised to carry out data compliance work in accordance with the PIPL so that they are prepared when the law takes effect.

This Guide aims to highlight the main principles and provisions of the PIPL. It is intended to be used by organizations as an aid to identify gaps in compliance and to take the practical steps required to close them.

Each section of this Guide describes an important rule or requirement under the PIPL. We also provide suggested “Actions” to be considered and/or adopted to ensure compliance. Please note that supporting rules and regulations under the PIPL are expected to be promulgated and implemented in due course, and these should be followed closely. Other relevant laws and regulations, as well as departmental rules, should also be taken into consideration when assessing compliance.

November 16th, 2021 by Admin

2021 was supposed to become the year for ISO 20022. However, it was never meant to be. The Covid-19 pandemic threw a spanner in the works – causing SWIFT to delay its migration by a year and further market infrastructures (MI) to follow suit. What was originally planned to be the “go-live year” has turned out to be “the year of delivery”.

Since the release of the previous edition of the Guide just before Sibos 2020, some MIs, such as the Philippines’ RTGS system, have managed to keep to their original migration strategies, and for them the ISO 20022 vision has become a reality this year. Elsewhere, other MIs remain committed to their respective revised timelines, with direct participants in Europe on track to begin industry testing in December 2021, and those in the UK deep in preparations for the fast-approaching like-for-like phase in June 2022.

September 27th, 2021 by Admin

Cloud Workload Protection Platform (CWPP) as defined by Gartner is a “workload-centric security solution that targets the unique protection requirements” of workloads in modern enterprise environments. Workloads in modern environments have evolved to include physical servers, virtual machines (VMs), containers, and serverless workloads.

September 27th, 2021 by Admin

The Australian National Audit Office (ANAO) has undertaken nine previous cross-agency protective security audits. The Attorney-General’s Department (AGD), which is responsible for promulgating Australian Government protective security policy, has indicated its support for the conduct of these audits and acknowledged their contribution to improving the management and delivery of protective security practices in the Australian Government sector.
