At a glance.
- CISA forms the US Cyber Safety Review Board.
- Proposed European framework for cross-border financial cyber incident response.
- UK GDPR data transfer tools.
US Cyber Safety Review Board membership announced.
The US Department of Homeland Security has officially released the membership list of the long-awaited Cyber Safety Review Board (CSRB), a public-private advisory body aimed at investigating the causes and repercussions of major cyber incidents and providing recommendations for strengthening incident response practices. The community has been anticipating this announcement ever since President Joe Biden called for the creation of the CSRB in an executive order issued last May after the massive SolarWinds and Microsoft cyberattacks. As SC Media explains, the group will consist of up to twenty members selected by the director of the Cybersecurity and Infrastructure Security Agency (CISA) and must include at least one member from the Departments of Defense, Justice and Homeland Security, the Federal Bureau of Investigation, CISA and the National Security Agency, as well as “individuals from private sector entities to include appropriate cybersecurity or software suppliers.” (The full membership list can be found here.) Nextgov shares that the Department of Homeland Security undersecretary for strategy, policy and plans Rob Silvers will be the board’s chair, and Google’s senior director of security engineering Heather Adkins will serve as vice-chair.
EU coordination framework proposed for cross-border financial cyber incident response.
The European Systemic Risk Board is recommending a new systemic cyber incident coordination framework called EU-SCICF, designed to help strengthen the coordination of EU member states in responding to cross-border attacks impacting the financial sector. A public statement welcoming the proposal was released by the European supervisory authorities – the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Markets and Securities Authority. However, implementation of the framework must wait until the Digital Operational Resilience Act (DORA) goes into effect, expected later this year. A European Central Bank spokesperson told Gov Info Security: "Given the risk to financial stability in the Union stemming from cyber risk, preparatory work for the gradual establishment of the EU-SCICF should, to the extent feasible, start even before the required legal and policy framework for its establishment is fully applicable. This legal and policy framework would be completed fully and finalized once the relevant provisions of DORA and of its delegated acts become applicable."
Data transfer tools tailor-made for UK GDPR.
Cooley reports that final versions of new, UK-specific data transfer tools have been presented to the UK Parliament. The move is part of an effort to replace the old EU standard contractual clauses (SCCs) with transfer tools that are more specific to the UK General Data Protection Regulation (GDPR). The tools consist of a UK International Data Transfer Agreement (IDTA) and a UK addendum to the new EU SCCs that may be used as a supplement in cases where UK data transfers occur alongside EU data transfers. The tools can be used as a transfer mechanism under the UK GDPR starting in March, and by September one of the tools must be used for all new contracts governing UK data transfers.