At a glance.
- New UK and EU cybersecurity requirements for IoT products.
- Report on the state of corporate cybersecurity for Latin American companies.
- FDA releases cybersecurity rules for medical devices.
New UK and EU cybersecurity requirements for IoT products.
JD Supra offers an overview of impending cybersecurity regulations for IoT devices in the UK and the EU. The UK Product Security and Telecommunications Infrastructure (PSTI) Act became law in December 2022, and the key requirements will likely follow three baseline principles taken from the UK Code of Practice for Consumer Internet of Things Security and provisions of the European ETSI EN 303 645. These include requiring companies to ban universal default device passwords, implement a highly visible vulnerability reporting system for customers, and clearly convey the minimum length of time IoT devices will be supported by security updates. As well, new guidelines are coming down the pike in the EU for internet-connected radio equipment. The European Commission passed a Delegated Regulation stating that manufacturers must set cybersecurity safeguards focused on improving network resilience, protecting consumer personal data and privacy, and reducing the risk of monetary fraud. These requirements come into effect in August 2024.
Report on the state of corporate cybersecurity for Latin American companies.
CSO Online shares a new report that offers insights into cybersecurity regulations in Latin America. More than a dozen cybersecurity companies collaborated to work on the LATAM CISO Report 2023: Insights from Industry Leaders. Conducted by Duke University, the report gathers perspectives from over 200 CISOs in the region, as well as the Inter-American Development Bank, Latin American Federation of Banks, and the World Economic Forum. It identifies cybersecurity gaps in Latin American organizations and provides recommendations for addressing them. The report reveals that, for some countries, the financial cost of cyberattacks could exceed 1% of the country’s GDP, increasing to 6% if critical infrastructure is targeted. Just seven of thirty-two countries examined have plans in place to defend critical infrastructure, and only twenty have computer emergency response teams. 70% of respondents said they’ve seen an increase in cyberattacks over the past year, with phishing and ransomware among the threats most frequently impacting the region. The report goes on to offer recommendations for governments to improve their country’s cybersecurity posture. For instance, experts advise government officials to develop customized budgets that supply funding for network and data protection. It’s also recommended that governments offer support for organizations seeking to implement ongoing vulnerability testing.
FDA releases cybersecurity rules for medical devices.
Vulnerabilities have recently been discovered in medical devices from high-profile medtech companies like BD, Insulet, and Zoll Medical, and the US Food and Drug Administration (FDA) has responded by issuing new cybersecurity requirements for medical device makers. Alongside their applications for regulatory clearance of their devices, these companies will also be required to submit details about their cybersecurity efforts. Device manufacturers will be asked to submit a plan for tracking and addressing cybersecurity vulnerabilities and establish internal procedures for releasing patches and updates. Fierce Biotech notes that device makers will also be required to provide a software bill of materials to the FDA, listing all of a device’s software components. A final portion of the bill calls for manufacturers to “comply with such other requirements as the Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cybersecure,” leaving the door open for future guidelines. Although the new requirements came into effect yesterday, the FDA will not begin enforcing them until October 1 in order to allow device makers time to implement the new rules.