1 min
Public Policy
Incident Reporting Regulations Summary and Chart
A growing number of regulations require organizations to report cybersecurity incidents. This chart summarizes 11 proposed and current cyber incident reporting regulations and breaks down their common elements, such as who must report, what incidents must be reported, deadlines, and more.
9 min
Public Policy
Avoiding Smash and Grab Under the SEC’s Proposed Cyber Rule
The SEC proposed a rule to require companies to publicly report cybersecurity incidents. This post explains why public disclosure of an incident before mitigation or containment raises the risk of harm, and suggests a solution that avoids harm while still promoting disclosure.
4 min
Public Policy
New US Law to Require Cyber Incident Reports
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 will require critical infrastructure owners and operators to report cyber incidents and ransomware payments. This post will walk through highlights from the new law.
6 min
Ransomware
How Ransomware Is Changing US Federal Policy
The increased stakes of the ransomware threat are pushing regulators to take a harder look at whether regulatory requirements for cybersecurity safeguards are effective.
3 min
Compliance
Simplifying Complex Cybersecurity Regulations
Cybersecurity regulations often require similar baseline security practices, even though the legislation may structure compliance requirements differently.
4 min
Public Policy
Thawing Out the Chilling Effect Of DMCA Section 1201
The Copyright Office issued the latest rules on security research under DMCA Section 1201. Good news: researchers' legal protections have been strengthened with the removal of the "all other laws" requirement.
4 min
Public Policy
Update to GLBA Security Requirements for Financial Institutions
The FTC updated cybersecurity requirements for financial institutions under GLBA. This includes access controls, regular penetration testing and vulnerability scanning, and incident response, among other things. Here we'll detail the changes in comparison to the previous rule.
4 min
Public Policy
Cybersecurity in the Infrastructure Bill
This post provides highlights on cybersecurity in recent infrastructure legislation. Cybersecurity is essential to ensure modern infrastructure is safe, and Rapid7 commends Congress and the Administration for including cybersecurity in the Infrastructure Investment and Jobs Act.
3 min
Public Policy
Rapid7 Joins Statement On DMCA Lawsuits Against Security Tools
Rapid7 joined a statement from cybersecurity community members urging against suppression of security tools and technologies using Section 1201 of the DMCA.
9 min
Public Policy
Proposed security researcher protection under CFAA
Rapid7 views independent cybersecurity research and the security community as important drivers for advancing cybersecurity for all, a core value for Rapid7. One way we take action on this value is by supporting protection for security researchers acting in good faith.
2 min
Public Policy
Supreme Court narrows CFAA
The Supreme Court interprets the CFAA narrowly. This avoids over-criminalizing cybersecurity research and commonplace internet activity, though may raise concerns about insider threats.
6 min
Public Policy
How the Biden Administration's cybersecurity order will affect companies
The Biden Administration's Executive Order will create new software security and cyber incident reporting requirements for federal contractors.
7 min
Public Policy
Calling for cybersecurity in infrastructure modernization
Rapid7 issued a group letter urging the Biden Administration and Congress to work together to integrate cybersecurity into infrastructure legislation.
6 min
Public Policy
Overview of the EU’s draft NIS 2 Directive
The EU Commission proposed revisions to its NIS Directive that would enhance cybersecurity requirements on critical infrastructure-like organizations in the EU. This post provides an overview of the proposed revisions.
4 min
Public Policy
Principles for personal information security legislation
Rapid7's principles for laws to protect personal information: 1) Strong but flexible security requirements; 2) Security exemptions from privacy restrictions; 3) State preemption without undermining cybersecurity.