BankInfoSecurity.com

Security by Design or Be Fined, Committee Suggests
A U.K. parliamentary committee is recommending a new statute forcing software publishers to hew to secure-by-design principles or else face financial penalties. The committee called for "enforcement agencies" empowered to levy fines to monitor industry for compliance.

Cyber Advisory Cites Abuse of Linked Devices to Monitor Sensitive Communications
The U.S cyber defense agency issued an alert outlining how commercial spyware and state-aligned groups are abusing messaging-app features through malicious QR-based linking and zero-click exploitation to monitor U.S. government, military and other high-profile figures.

JP Morgan Chase, Citi and Morgan Stanley Among Banking Customers Impacted
Major U.S. banks are assessing their exposure to a cybersecurity incident at real estate financial technology company SitusAMC, which disclosed Saturday that a breach may have affected client data. The New York firm uncovered the incident on Nov. 12.

Mindpath Health Settles Claim for $3.5M; Delta Dental Notifies 146,000 of Breach
Email breaches continue to plague the healthcare sector, resulting in data compromises that often affect the sensitive information of scores of patients. Two recent incidents illustrate the risks email breaches pose to patients, and the potential legal fallout for providers.

Israeli Startup Plans to Integrate AI Agent Guardrails Into Cloud Platform
Sweet Security secured $75 million in Series B funding to integrate AI security into its CNAPP platform. With runtime protection as its differentiator, the startup plans to address growing CISO concerns over shadow AI and attack vectors involving intelligent agents.

Lawmakers Say Reversal Strips One of Few Enforceable Standards for Major Carriers
The U.S. FCC's move to scrap its short-lived interpretation of the Communications Assistance for Law Enforcement Act - the 1994 statute known as CALEA - sparked warnings that the agency just eliminated one of the few enforceable cybersecurity tools for the telecom sector.

HSCC 'Model Contract' Calls for Shared Cyber Risks for Providers and Device Makers
Newly revised "model contract language" guidance from the Health Sector Coordinating Council provides an updated reference document to help healthcare providers and medical device makers better articulate and evaluate cyber considerations when negotiating purchases of products and services.

High-Profile Case Ends After Judge Guts SEC’s Cyber Fraud Allegations
The SEC has dropped its remaining claims against SolarWinds and CISO Tim Brown, ending a controversial cyber fraud lawsuit that aimed to expand securities law to cover operational security failures tied to the 2020 Russian hacking campaign.

Experts Detail Upsides of Bug Bounties and Getting Devices Into Researchers' Hands
As fresh vulnerabilities in hardware keep coming to light, one question remains: What vendors can do to better prevent, identify and eradiate flaws? One shortlist offered by veteran hardware hackers centered on the upsides of engagement, including bug bounty programs.

3-Year Espionage Campaign Targeted Taiwanese Firms
Chinese nation-state group APT24 targeted multiple Taiwanese companies as part of an espionage operation that went undetected for three years. The hacking group continually updated its malware infrastructure and tactics, enabling it to stay under the radar, Google Cloud said.

Also: Akira Ransomware Targets Healthcare, AI's Sycophancy Becomes a Security Risk
In this week's ISMG Editors' Panel, four editors discussed the staffing crisis confronting America's cyber defense agency, the escalating Akira ransomware threat putting more pressure on healthcare, and growing concerns over whether AI models used in security can actually be trusted.

Leaked Executive Order Would Strip States of Power to Regulate AI Tech Firms
A leaked draft executive order would empower federal agencies to override state AI laws, threatening federal funds for noncompliance and creating a litigation task force - drawing sharp backlash over executive overreach and potential harm to consumers.

Class Action Litigation and Criminal Case Focus on Actions of an Ex-Tech Worker
A federal court has granted preliminary approval of a $5 million settlement in class action litigation filed against Pennsylvania-based Geisinger Health and Nuance Communications - now part of Microsoft - involving a 2023 insider data breach affecting more than 1 million Geisinger patients.

European Cybersecurity Agency Can Assign CVE IDs and Publish CVE Records
The European Union Agency for Cybersecurity is poised to take on a greater role in coordinating vulnerability disclosures across the trading bloc with its elevation as a "Root"-level participant in the Common Vulnerabilities and Exposures program.

Salesforce Revoked Gainsight Authentication Tokens
Customer relationship management giant Salesforce is again notifying customers that hackers may be stealing their data through a third-party app. The San Francisco company late Wednesday disclosed that apps published by Gainsight connected to Salesforce instances may have "enabled unauthorized access."

Fortinet's Rashish Pandey on Security Leadership, Regulation and IT-OT Convergence
AI is transforming businesses, but it is also expanding the attack surface and accelerating risk. Rashish Pandey, VP of marketing at Fortinet, explains why CIOs and CISOs must share accountability, unify platforms and prepare for a future defined by regulatory complexity and AI-powered threats.

Company to Warn Customers, Disable Insecure Options by Default
Cisco says it will proactively alert network administrators when insecure configurations are detected and will eventually disable insecure features by default. The move comes after Chinese hackers exploited known vulnerabilities in Cisco equipment during major telecom breaches.