Monthly Archives: August 2023

Eu Taxonomy: How to Adapt

Adapting to the EU Taxonomy

As we are already halfway through 2023, businesses across the European Union (EU) find themselves in a transitional phase, adjusting to the implementation of the EU Taxonomy Regulation. This regulation, designed to identify sustainable economic activities and direct investment toward them, has brought significant change to the business landscape. This blog post provides insights into understanding and adapting to these new norms.

The EU Taxonomy Regulations: An Overview

At the heart of the EU’s Taxonomy Regulation lies sustainability, accountability, and transparency. The regulations aim to create a classification system that will help investors, companies, and issuers align their portfolios with environmentally friendly activities. This is done in hopes of accelerating sustainable investments, which are pivotal in achieving the EU’s climate goals by 2050.

The Taxonomy Regulation applies to financial market participants, large public-interest entities with more than 500 employees, and the EU and its member states when setting up public measures, standards, or labels for green financial products or green bonds. The regulation obliges them to disclose how, and to what extent, their activities are aligned with the taxonomy.

Understanding the Taxonomy’s Six Objectives

The Taxonomy Regulation identifies six environmental objectives: climate change mitigation; climate change adaptation; sustainable use and protection of water and marine resources; transition to a circular economy; pollution prevention and control; and protection and restoration of biodiversity and ecosystems. An economic activity is taxonomy-aligned only if it contributes substantially to one or more of these objectives (as measured by the technical screening criteria in the delegated acts), does no significant harm to any of the other objectives, and is carried out in compliance with minimum social safeguards. Substantial contribution alone is not enough.

Adapting to the EU Taxonomy Regulations

Adapting to these new regulations may seem daunting, but with a planned and strategic approach, it can present exciting opportunities. Here’s how businesses can adapt:

1. Early Engagement

Start by familiarizing yourself with the Taxonomy Regulation’s framework. This involves understanding the criteria your business activities need to meet to be classified as ‘sustainable.’ Early engagement can allow businesses to anticipate regulatory expectations and proactively make strategic adjustments.

2. Gap Analysis

Undertake a gap analysis to understand where your business currently stands in terms of meeting the Taxonomy Regulation criteria. This will help identify what needs to change and what activities already align with the regulation.

3. Collaborative Planning

Once the gaps are identified, businesses should form a multidisciplinary team involving stakeholders from risk, compliance, legal, finance, and sustainability departments. This team will help plan necessary changes to operations, governance structures, and reporting mechanisms.

4. Invest in Sustainable Activities

Re-allocate investments toward activities that contribute to at least one of the six environmental objectives and do no significant harm to any of the others. Strive for activities that meet minimum social safeguards, such as respecting labor rights. This will not only align your business with the Taxonomy Regulation but will also put you on the path toward sustainable growth.

5. Transparency and Disclosure

Be transparent about how your business activities align with the Taxonomy Regulation. Prepare to disclose the percentage of your business activities and investments that are taxonomy-aligned, and explain how these activities contribute to the environmental objectives. Regular and transparent disclosure builds trust with investors, customers, and the wider public.

6. Regular Training and Awareness

Sustainable development is an evolving field. Keep your team up-to-date with the latest developments in sustainable activities, the Taxonomy Regulation, and other related regulations. Regular training and awareness sessions will ensure your business remains compliant and competitive.

7. Seek Professional Advice

Consider seeking advice from sustainability and legal professionals to ensure you fully understand the regulations and implement the necessary changes correctly. These professionals can also assist in assessing your sustainability risks and opportunities.

The Silver Lining: Opportunities Abound

While these changes may seem complex, they offer multiple opportunities. These regulations encourage businesses to be more sustainable, which can enhance their reputation and attract more investors interested in Environmental, Social, and Governance (ESG) factors. Moreover, aligning with the Taxonomy Regulation can drive innovation, opening new markets, and creating economic growth.

Investors are increasingly looking for businesses with strong ESG principles, and the Taxonomy Regulation provides an opportunity to showcase your commitment to sustainability. Businesses that have adapted successfully to the Taxonomy Regulations often find themselves at a competitive advantage, as their activities are perceived as lower-risk and more future-proof.

In conclusion, the EU Taxonomy Regulations bring a new era of sustainable business practices. While the journey of adaptation may be challenging, the benefits far outweigh the costs. Embrace the changes, seize the opportunities, and let sustainability be at the core of your business strategy. By doing so, your business will not only be compliant with the Taxonomy Regulation but also contribute to a sustainable future, creating value for all stakeholders in the long run.



Who Is the EU Taxonomy For?


In recent years, the global community has witnessed an increasing concern for environmental sustainability and the urgency to combat climate change. To address these issues, the European Union (EU) introduced the EU Taxonomy in 2020, providing a framework to classify economic activities based on their environmental impact. As of 2023, the EU Taxonomy has evolved into a critical tool for businesses across various sectors. In this blog, I will delve into the EU Taxonomy’s purpose, its intended audience, and the businesses to which it applies.

Intended Audience

The EU Taxonomy is intended for a wide range of stakeholders, each with different roles and responsibilities in promoting sustainability. 

Enterprises:

One of the main audiences of the EU Taxonomy is businesses operating within the EU or conducting activities that impact EU member states. Businesses need to assess their operations against the Taxonomy criteria to determine whether their activities can be classified as environmentally sustainable. The EU Taxonomy applies to a wide range of businesses, from large multinational corporations to small and medium-sized enterprises (SMEs). The EU Taxonomy covers various sectors of economic activities, including energy, transportation, agriculture, manufacturing, and more. It encompasses both green activities, such as renewable energy production and energy-efficient technologies, and enabling activities, such as research and development in sustainable technologies.

Investors:

Investors, including financial institutions, asset managers, and private investors, are significant stakeholders in the implementation of the EU Taxonomy. They use the taxonomy as a guide to make sustainable investment decisions and ensure that their portfolios align with environmental objectives. As written by the European Union, “The EU Taxonomy is not a mandatory list for investors to invest in. It does not set mandatory requirements on environmental performance for companies or for financial products. Investors are free to choose what to invest in. However, it is expected that over time, the EU Taxonomy will encourage a transition towards sustainability in order to achieve the EU’s climate and environmental goals.” 

Regulators:

EU member state governments and regulatory bodies play a critical role in enforcing and implementing the EU Taxonomy. They use the Taxonomy as a basis for setting regulations and standards related to sustainable finance and reporting.

Non-Governmental Organizations (NGOs) and Advocacy Groups:

Putting aside past controversy with NGOs, environmental NGOs and advocacy groups closely monitor the implementation and effectiveness of the EU Taxonomy. They advocate for its continuous improvement and ensure businesses and policymakers remain accountable for their sustainability commitments. 

Compliance Requirements:

As of 2023, the EU Taxonomy is still being phased in gradually. Some businesses may have mandatory reporting obligations under the Taxonomy Regulation, while others might face voluntary reporting requirements. However, the trend indicates that the regulations will become more stringent in the future, affecting a broader spectrum of businesses.

Reporting and Disclosure:

Businesses falling under the scope of the EU Taxonomy need to disclose relevant information about their sustainable activities, investments, and environmental performance. This transparency helps investors and stakeholders assess their contributions to sustainable development.

Challenges of Complying with the EU Taxonomy

Before talking about the challenges it’s important to note the benefits. Businesses that comply with the EU Taxonomy can not only attract sustainable finance and investments from environmentally conscious investors, but also seize opportunities to fund and expand sustainable projects and initiatives. This, in turn, enhances their reputation among customers, investors, and other stakeholders, potentially leading to increased brand loyalty and market share. Moreover, aligning with the EU Taxonomy ensures regulatory compliance, safeguarding businesses against potential penalties and legal issues by keeping them in line with the latest sustainability regulations.


Now let’s take a closer look at the challenges

Complexity: The EU Taxonomy is a complex framework with evolving criteria. Complying with its requirements may be challenging for some businesses, especially smaller ones with limited resources.

Data Collection and Verification: To demonstrate compliance, businesses must collect and verify extensive environmental data. This process can be time-consuming and resource-intensive.

Adaptation to New Standards: As the Taxonomy evolves and additional criteria are introduced, businesses may need to adapt their operations continually to meet the changing requirements.

In a nutshell:

The EU Taxonomy stands at the forefront of the EU’s efforts to combat climate change and foster sustainability. In 2023, businesses across various sectors must familiarize themselves with the Taxonomy’s criteria and reporting requirements. Complying with the EU Taxonomy not only positions businesses for long-term success but also contributes to a more sustainable future for Europe and the world. Embracing the principles of the Taxonomy is not merely a legal obligation; it is a commitment to environmental stewardship and responsible corporate citizenship.

Remember, the EU Taxonomy is continuously evolving, so it is crucial for businesses to stay informed and proactive in their sustainability efforts to align with future developments. By doing so, businesses can play a significant role in building a greener and more resilient economy for generations to come.




EU Taxonomy Reporting Challenges


The European Union’s commitment to fostering sustainable economic activities has led to the establishment of the EU Taxonomy, a regulatory framework aimed at promoting environmentally sustainable investments. As companies undertook the first round of reporting under this regulation, several challenges and misalignments have come to light, revealing the complexities that lie ahead. In this blog, I will explore the key observations and emerging best practices identified by the EU Platform on Sustainable Finance and the Sustainable Finance Advisory Committee of the German Federal Government (SFB). We also discuss the current challenges faced by organizations in complying with the EU Taxonomy regulations and the need for further guidance and clarity.

Usability Challenges and Misalignments

The EU Platform on Sustainable Finance’s report on data and usability of the EU Taxonomy provides valuable insights into the challenges faced by reporting entities. The usability challenges can be broadly categorized as structural, interpretive, and technical issues. Companies often struggle with incorrect templates, number formatting, and naming conventions, leading to inconsistencies in reporting. For instance, some entities may report “green share of revenues” instead of “Taxonomy-aligned turnover.” Interpretive issues arise when companies fail to follow the correct disclosure standards, reporting ambiguous terms instead of specific Key Performance Indicators (KPIs). Additionally, technical issues emerge in determining eligible activities and meeting the technical screening criteria, which can vary across sectors.

Despite the usability challenges, the report highlights some best practices that can enhance the reporting process. Utilizing correct reporting templates and naming conventions from the outset can simplify reporting and improve consistency across disclosures. The Platform specifically recommends using the Taxonomy activity and numbering conventions found in the Delegated Act and maintaining consistency between mitigation and adaptation activities. By adhering to these conventions, companies can facilitate the comparability of data and ensure transparency for investors and stakeholders.

To ease the transition to the new reporting framework, supplementary guidelines and advice from the European Commission are encouraged. These additional resources could offer clarifications on specific reporting requirements, technical screening criteria, and eligible activities, helping companies navigate the complexities of the EU Taxonomy with greater confidence.

Challenges Faced by Asset Managers and Insurers

While some asset managers and insurers have reported their Green Investment Ratio (GIR) under Article 8, they encounter specific challenges due to limited coverage and inconsistent terminology. Data availability remains patchy, hindering accurate reporting of taxonomy alignment figures. A significant hurdle during the initial practical implementation revolves around the incomplete availability of data necessary for complying with the Taxonomy Regulation reporting. However, the Sustainable Finance Advisory Committee (SFB) endorses the approach and aims to contribute to its effective implementation by offering practical insights from various perspectives.

To improve data availability and consistency, the involvement of non-EU issuers and entities not currently mandated to report relevant figures could be crucial. Encouraging voluntary reporting from such entities could contribute to a more comprehensive understanding of taxonomy alignment across the financial industry.

Time-Frame and Legal Ambiguity Issues

One of the critical challenges pertains to the time-frame for implementing the Taxonomy Regulation. Structurally, “the SFB points out that the time between publication of regulation and required application is too short for companies to adapt adequately.” In addition, the limited data availability is explained by the sequencing of EU regulations, where investors are required to report their alignment before non-financial companies under the Non-Financial Reporting Directive (NFRD) scope do the same. As a result, the lack of data from certain sectors could hinder the ability of investors to accurately assess their investment products’ alignment with the taxonomy.

The absence of a centralized contact point for clarification and the need for international compatibility are additional challenges faced by reporting entities. A dedicated contact point within the European Commission could offer support and guidance, ensuring a more consistent interpretation and application of the Taxonomy Regulation across member states. Furthermore, harmonizing the taxonomy with international standards would foster global alignment and enhance the EU’s role as a leader in sustainable finance.

Compliance Challenges for Organizations

For companies, compliance with the EU Taxonomy Regulation has been a real challenge, mainly due to the complexity in interpreting concepts and criteria. With the regulation’s continuous evolution and integration of delegated acts, organizations must adapt to include all activities contributing to the environmental objectives. The challenges faced by organizations include a short time frame for compliance, setting up suitable processes, difficulty in sourcing information, and room for interpretation of regulatory requirements.

The short time frame between the issuance of the regulation and the reporting deadline has placed significant pressure on companies to establish robust systems and processes for identifying, assessing, and reporting on their economic activities’ taxonomy alignment. Many organizations have had to allocate substantial resources to implement these processes effectively, including upgrading reporting systems, training employees, and engaging with stakeholders to obtain the required data.

Another challenge is the difficulty in sourcing information for reporting purposes. Although the EU Taxonomy initially required only eligibility reporting for disclosures in 2022, the required information was not always directly available and needed to be determined through additional information generated within the company or requested through manual processes. This sourcing process can be time-consuming and may introduce uncertainties in the reporting.

Furthermore, the regulatory documents of the EU Taxonomy have shown a level of scope for interpretation, leading to questions and challenges concerning the proper interpretation of the regulatory requirements. This can result in varying approaches and discrepancies in reporting practices across different organizations.

Ensuring Reliable Sustainability Reporting

To ensure the reliability of sustainability reporting and minimize greenwashing risks, independent and high-quality audits are crucial. Though not mandatory yet, conducting external audits by statutory auditors is advisable to enhance the credibility of sustainability reporting. Independent audits can provide assurance to investors and stakeholders that reported taxonomy alignment figures are accurate and in compliance with the regulation.

Cracking the Code

The EU Taxonomy Regulations represent a significant step towards promoting sustainable economic activities in the European Union. However, the initial round of reporting has revealed several challenges, ranging from usability issues to data availability and legal ambiguities. To overcome these obstacles and effectively implement the Taxonomy Regulation, companies, policymakers, and stakeholders must work collaboratively to provide clearer guidance and enhance reporting processes. Only through a concerted effort can the EU Taxonomy fulfill its intended purpose of fostering a sustainable future for Europe and beyond. As the regulation continues to evolve and expand, addressing these challenges will be crucial in achieving a robust and transparent sustainable finance ecosystem that benefits both investors and the planet.


The Evolving Landscape of Cybersecurity Compliance in North America


Cybersecurity compliance is a non-negotiable for organizations in a largely digital world. Without it, you could face severe financial penalties, damaged brand reputation, loss of customer trust, and detrimental operational disruptions. 

 

Whether you’re operating in the U.S., Canada, or Mexico, you want to remain compliant with your respective country’s regulations. After all, understanding the ever-changing regulatory trends in North America is essential for ensuring optimal security — and avoiding severe repercussions. 

 

This article will offer an in-depth exploration of the current cybersecurity compliance trends, North America’s unique regulatory landscape, potential upcoming changes, and how automated cybersecurity solutions are essential for maintaining compliance. 

North America’s regulatory landscape

The United States has no single, comprehensive federal law regulating the collection and use of personal data. Instead, the U.S. has a multifaceted system of sector-specific federal statutes and state laws that often overlap and sometimes contradict one another.

 

For example, California has the California Consumer Privacy Act (CCPA), which grants California residents novel rights regarding their personal information and affects companies across the United States that do business with Californians.

 

Rather than one general privacy law, the U.S. regulates privacy sector by sector at the federal level. For instance, the Health Insurance Portability and Accountability Act (HIPAA) protects health information, while the Gramm-Leach-Bliley Act (GLBA) governs financial institutions.

 

In contrast, Canada has PIPEDA at the federal level, setting the baseline for how businesses handle personal information. 

 

Several provinces also maintain their own privacy statutes. Quebec, Alberta, and British Columbia stand out with their own private-sector privacy legislation, which has been recognized as "substantially similar" to PIPEDA, so that PIPEDA generally does not apply to intra-provincial activity in those provinces.

 

These regulatory landscapes force companies to plan and implement their cybersecurity strategies — because non-compliance could result in fewer sales and significant penalties. 

 

However, these laws aren't static and are set to undergo changes. Artificial intelligence (AI) and machine learning (ML) introduce new risks around how personal data is collected, profiled, and used, prompting regulators to reassess existing rules and potentially create new ones.

The comprehensive guide to cybersecurity compliance trends

In 2023, the trend in the cybersecurity landscape is toward an escalating wave of cybercrime, amplified vulnerabilities in open-source code bases, and an increased focus on human-centered design and board oversight. Amid this landscape, there’s a shared consensus: an organization’s cybersecurity strategy must balance people, processes, and technology.

 

AI and ML have taken center stage in 2023, and this trend extends into the cybersecurity landscape as the integration of AI and ML becomes commonplace. The International Data Corporation (IDC) attributes much of the growth of the cybersecurity market to these technologies, with spending projected to reach $46.3 billion by 2027. But AI and ML are double-edged swords: while they enhance predictive analytics and enable faster, more efficient threat detection, threat actors also use them to identify and exploit vulnerabilities.

 

Additionally, open source vulnerabilities continue to pose a significant threat: at least one known open-source vulnerability was found in 84% of the code bases audited in Synopsys' 2023 Open Source Security and Risk Analysis report.

 

This underlines the importance of regular penetration testing and effective patch management. Using a Software Bill of Materials (SBOM) can help organizations keep track of their software components and update outdated open-source components, mitigating their exposure to potential cyber threats. 
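One way to act on an SBOM in practice is to match each listed component against a feed of known vulnerable version ranges and report which components need updating. The following is an added example, not code from the original post or from Findings: it reads a minimal CycloneDX 1.4 JSON SBOM and an advisory list, both constructed here for the demonstration (the package names and advisory IDs are hypothetical), and treats a component as affected when `introduced <= version < fixed`.

```python
"""Match components in a CycloneDX-style SBOM against known vulnerable
version ranges and report what needs updating.

Added example. The SBOM and the advisory feed below are constructed for
this demonstration; they are not real project data or real advisories.
"""
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.4 JSON SBOM containing only the fields we use.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libfoo",   "version": "1.2.3",
     "purl": "pkg:generic/libfoo@1.2.3"},
    {"type": "library", "name": "webparse", "version": "0.9.1",
     "purl": "pkg:pypi/webparse@0.9.1"},
    {"type": "library", "name": "jsonkit",  "version": "2.0.0",
     "purl": "pkg:npm/jsonkit@2.0.0"}
  ]
}
"""

# Constructed advisory feed (hypothetical IDs): component name -> list of
# affected ranges. A version v is affected when introduced <= v < fixed.
ADVISORIES: Dict[str, List[Dict[str, str]]] = {
    "libfoo":   [{"id": "ADV-0001", "introduced": "1.0.0", "fixed": "1.2.4"}],
    "webparse": [{"id": "ADV-0002", "introduced": "0.0.0", "fixed": "0.9.1"}],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version into a comparable tuple of ints. Each segment is
    read up to its first non-digit, so '1.2.3-rc1' compares as (1, 2, 3)."""
    parts = []
    for seg in v.split("."):
        digits = ""
        for ch in seg:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if a < b, padding shorter tuples with zeros so '1.2' == '1.2.0'."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """Half-open range check: introduced <= version < fixed."""
    return not version_lt(version, introduced) and version_lt(version, fixed)


def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Extract (name, version, purl) for every component in a CycloneDX SBOM."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    comps = []
    for c in bom.get("components", []):
        if "name" in c and "version" in c:
            comps.append({"name": c["name"], "version": c["version"],
                          "purl": c.get("purl", "")})
    return comps


def find_vulnerable(sbom_json: str,
                    advisories: Dict[str, List[Dict[str, str]]]) -> List[Dict[str, str]]:
    """Return one finding per (component, advisory) pair whose version falls
    inside an affected range, with the first fixed version to upgrade to."""
    findings = []
    for comp in load_components(sbom_json):
        for adv in advisories.get(comp["name"], []):
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({"name": comp["name"], "version": comp["version"],
                                 "purl": comp["purl"], "advisory": adv["id"],
                                 "upgrade_to": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{f['purl']}: {f['advisory']} -> upgrade to {f['upgrade_to']}")
```

Running this reports only libfoo 1.2.3 (advisory ADV-0001, upgrade to 1.2.4): webparse 0.9.1 is exactly the fixed version and is correctly excluded by the half-open range, and jsonkit has no advisory. In a real pipeline the match should be on the package URL (purl) rather than the bare name, since the same name can exist in several ecosystems, and the advisory feed would come from a source such as OSV or the NVD rather than a hard-coded dictionary.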

 

However, to navigate these advancements and vulnerabilities, organizations need to align with the frameworks and regulations shaping the field: the Cybersecurity Maturity Model Certification (CMMC), the European Union's Directive on Security of Network and Information Systems (the NIS Directive, now superseded by NIS2), and the Zero Trust model (an architecture, not a regulation, but increasingly referenced by regulators). Together they guide organizations in securing their infrastructure and managing cyber threats adequately.

 

For example, CMMC, a Department of Defense (DoD) requirement being phased into contracts for Defense Industrial Base (DIB) contractors that handle Federal Contract Information or Controlled Unclassified Information, verifies that these entities have sufficient security controls in place to protect sensitive data. It safeguards national security while also raising the baseline level of cybersecurity across the supply chain. Likewise, the Zero Trust model takes a proactive stance against data breaches: it assumes the network is already compromised and requires every access request to be authenticated and authorized, regardless of where it originates. That is a growing trend for 2023 and beyond.

 

On the other hand, the European Union's NIS Directive provides legal measures for a high common level of security of network and information systems. It facilitates increased collaboration between EU member states and promotes a culture of risk management and incident reporting. Its successor, NIS2 (Directive (EU) 2022/2555), entered into force in January 2023 and broadens the set of sectors and entities in scope, with member states required to transpose it by October 2024.

 

Lastly, accounting and financial data remain attractive targets for cyber attackers. In one poll of executives, 34.5% reported that their organizations' financial data had been targeted in the past 12 months, with 22% experiencing at least one cyber event. The same poll found that only 20.3% of their accounting and finance teams work closely with their peers in cybersecurity, suggesting a disconnect that could increase exposure to attacks.

The inevitable changes to cybersecurity regulations

The changes in cybersecurity regulation carry consequences for registered investment advisers (RIAs), funds, and publicly traded companies. The U.S. Securities and Exchange Commission (SEC) adopted final cybersecurity disclosure rules for public companies in July 2023, and its separately proposed rules for RIAs and funds remain pending. These could shake up the affected groups significantly, especially considering that fewer than one in five companies (20%) report being equipped to handle cyber risks.

 

The public-company rules have three main parts: annual disclosure of how cybersecurity risk is managed, governed, and overseen by the board (Regulation S-K Item 106); disclosure of material cyber incidents on Form 8-K (Item 1.05) within four business days of determining that an incident is material; and tagging these disclosures in a specific structured format (Inline XBRL). Complying with these parts requires a good understanding of the rules and detailed planning.

 

Luckily, companies like Findings offer services that cover this ground and more. For example, Findings helps businesses build and review their cybersecurity assessments each year.

 

Findings also helps businesses outline what a cyber incident looks like, set up practices for reporting them, and come up with a clear plan to protect against cyber threats and handle any incidents that do happen.

 

While these new SEC rules mainly affect financial and publicly traded companies, all organizations need to pay attention. Beyond just avoiding fines and penalties, having strong cybersecurity practices (e.g. ones that involve automation, AI, and ML) helps build trust with stakeholders.

The role of automation in building a cyber-resilient future

To stay ahead in cybersecurity, organizations are now leveraging automation for a more efficient and agile approach to risk assessment and management.

 

Automation enables faster, more consistent decisions. It delivers real-time threat information, which empowers security teams to manage threats effectively. The systematic organization of data also reduces the time between threat detection and mitigation.

 

Additionally, automation helps harmonize data and collaboration within organizations. A centralized platform for data collection ensures consistent information across all departments, eliminating discrepancies and enabling effective collaboration. 

 

With accurate and comprehensive information at their fingertips, executives and managers can make better-informed decisions — improving cyber risk management strategies.

 

As organizations aim to protect their assets and maintain customer trust, automation is a must. 

 

Adopting automated security risk assessments enables organizations to maintain a proactive stance against cyber threats, ensuring a secure operational environment. With new compliance trends and the looming possibility of further regulatory changes, your business needs to be prepared — by implementing automation. 

 

When you integrate automation, you can improve response times, standardize data, enhance collaboration, and scale security risk assessment processes, turning this potential challenge into a strategic strength.

 



July Data Breach Roundup


As we navigate the relaxing summer season, it's important to note that just because half the world is on pause doesn't mean hackers are too. While defenders are relaxing and not paying much attention, attackers are working their way into supply chains and causing damage. Luckily, automation helps, and catching vulnerabilities in your supply chain with our Assessment and Audit AI features will help you stay on track.

 

This month's blog arrives hot on the heels of an important announcement from the SEC. Public companies must now disclose a cybersecurity incident on Form 8-K within four business days of determining that the incident is material. This new regulation comes at a critical time, as exploitation of the MOVEit Transfer vulnerability continues to wreak havoc, causing significant disruptions in recent months.

 

July proved to be a challenging period for cybersecurity, with major players like Deutsche Bank, Genworth Financial, and Maximus falling victim to the consequences of data breaches. While numerous breaches occurred throughout the month, I will focus on the most noteworthy ones to glean valuable insights and lessons from.

 

Continue reading to discover other prominent names  that experienced security breaches, along with crucial information you should be aware of. Stay informed and learn from these incidents to protect your own data and systems.

 

  1. HCA Healthcare Experiences Breach

 

HCA Healthcare, a prominent hospital and clinic operator, recently announced that it has experienced a significant cyberattack, compromising the data of over 11 million patients. This breach has raised concerns about the security of sensitive patient information and highlights the urgent need for better data protection measures in the healthcare industry. Just last week, IBM's Cost of a Data Breach report came out showing that costs of healthcare breaches are escalating: the average cost of a studied healthcare breach reached nearly $11 million in 2023, a 53% increase since 2020. Cybercriminals targeting healthcare organizations increasingly resell or expose stolen data to downstream attackers, making medical records a high-value leverage point.

 

What Happened?

 

HCA Healthcare discovered the breach on July 5, 2023, when a sample of stolen data was posted online by the suspected hacker. The company believes that the attack targeted an external storage location primarily used for email message formatting. As an immediate containment measure, the company disabled user access to this location.

 

Who Was Affected? 

 

Patients from 20 states, including California, Florida, Georgia, and Texas, have been affected by the breach, which ranks among the largest healthcare data breaches in history. The compromised data includes patients’ names, partial addresses, contact information, and upcoming appointment dates. Additionally, information such as email addresses, telephone numbers, date of birth, and gender was accessed by the hackers.

 

With the scale of this data breach impacting millions of patients, HCA Healthcare faces a significant challenge in safeguarding sensitive information. As investigations continue, it serves as a reminder to healthcare organizations to strengthen their cybersecurity protocols to protect patients’ data and maintain their trust in an increasingly digital world.

 

  2. Rite Aid Data Breach Exposes Customer Information

 

Rite Aid, a popular pharmacy chain in America, recently announced a data breach that may have exposed personal information of its customers. The breach, caused by an unknown third party exploiting a software vulnerability, occurred on May 27. Although sensitive data like Social Security numbers and credit card numbers were not accessed, Rite Aid is taking proactive steps to address the situation and notify affected customers.

 

The Breach Incident:

 

On May 31, one of Rite Aid’s vendor partners informed the company about the data breach. In response, Rite Aid took swift action by updating its systems and the vendor’s software to prevent further exploitation of the vulnerability. During this process, the company discovered that specific files containing customer information had been accessed during the breach. The information accessed by the unknown party included the following:

 

  • Patient First and Last Name

  • Date of Birth

  • Address

  • Prescription Information

  • Limited Insurance Information

  • Cardholder ID

  • Plan Name



The Rite Aid data breach serves as a reminder that security assessments are essential for catching vulnerabilities, whether in your own company or at your vendors. While the company has taken swift action to address the situation, affected customers should remain vigilant and take appropriate measures to protect their personal information.



  3. A New Malware is Making Headlines

 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reported the discovery of a new malware strain known as Submarine, which was used to backdoor Barracuda ESG (Email Security Gateway) appliances on federal agencies’ networks.

Barracuda provides services and products to over 200,000 organizations worldwide, including prominent entities like Samsung, Delta Airlines, Kraft Heinz, and Mitsubishi.

 

The attack was carried out by a suspected pro-China hacker group known as UNC4841 and involved exploiting a now-patched zero-day vulnerability.

 

In May, a series of data-theft attacks was detected on Barracuda ESG appliances, but it was later revealed that the attacks had been active since at least October 2022. The attackers utilized the CVE-2023-2868 remote command injection zero-day to drop previously unknown malware named Saltwater and SeaSpy, as well as a malicious tool called SeaSide. These were used to establish reverse shells for easy remote access.

 

Barracuda took an unconventional approach last month by offering replacement devices to all affected customers at no charge. The decision came after the company issued a warning that compromised ESG appliances needed immediate replacement, rather than just re-imaging them with new firmware, as they couldn’t guarantee complete malware removal.

 

Now, CISA has disclosed the existence of the Submarine malware, also known as DepthCharge by Mandiant, the incident response division of FireEye. Submarine is a multi-component backdoor residing in a Structured Query Language (SQL) database on the ESG appliance. It serves various purposes, such as detection evasion, persistence, and data harvesting. CISA’s malware analysis report stated, “SUBMARINE is a novel persistent backdoor that lives in a Structured Query Language (SQL) database on the ESG appliance. SUBMARINE comprises multiple artifacts that, in a multi-step process, enable execution with root privileges, persistence, command and control, and cleanup.” The report also mentioned that sensitive information was found in the compromised SQL database.

 

In response to Barracuda’s remediation actions, the threat actors employed the Submarine malware as an additional measure to maintain persistent access on customer ESG appliances. Barracuda maintains that the malware was present on a small number of already compromised ESG appliances. Barracuda’s recommendation to customers remains unchanged. Those with compromised ESG appliances should discontinue their use and contact Barracuda support to obtain a new ESG virtual or hardware appliance.

 

CISA has warned that the Submarine malware poses a significant threat for lateral movement within affected networks.

 

  4. Estée Lauder Faces Data Breach and Ransomware Attack

 

Estée Lauder recently experienced a data breach and ransomware attack, but the company has been tight-lipped about the specifics of the incident. The beauty giant acted proactively by taking down some systems to prevent the attack from spreading further across its network. It appears that the Clop ransomware gang gained unauthorized access to Estée Lauder by exploiting a vulnerability in the MOVEit Transfer platform used for secure file transfers. The threat actor took advantage of the vulnerability while it was still a zero-day in late May and claimed to have breached numerous companies for the purpose of data theft and extortion.

 

On their data leak site, the Clop ransomware gang publicly listed Estée Lauder as one of their victims. The gang criticized the company, accusing them of neglecting their customers’ security. They claimed to have over 131GB of Estée Lauder’s data in their possession. Another ransomware group, BlackCat, also added Estée Lauder to their list of victims. However, unlike Clop, BlackCat expressed dissatisfaction with the company’s silence in response to their extortion emails. BlackCat attempted to initiate negotiations with Estée Lauder by reaching out to their corporate and personal email addresses but received no response from the company.

 

Notably, BlackCat claimed that they did not encrypt any of Estée Lauder’s systems, but they threatened to reveal more details about the stolen data unless negotiations were initiated. The potential exposure of sensitive information could affect customers, company employees, and suppliers. The attack has caused significant disruption to parts of the company’s business operations, as stated in their SEC filing.



  5. Google Cloud Build Vulnerability Raises Supply Chain Attack Concerns

 

A vulnerability in Google Cloud Build, known as Bad.Build, has raised concerns about potential supply chain attacks for organizations using the Artifact Registry as their primary or secondary image repository. Security researchers from Orca Security and Rhino Security Lab independently reported the issue.

 

Orca Security researcher Roi Nisimi highlighted that the vulnerability allows attackers to escalate privileges by exploiting the cloudbuild.builds.create permission. This could enable attackers to tamper with Google Kubernetes Engine (GKE) Docker images using artifactregistry permissions and run code inside the Docker container with root privileges.

 

After the issue was reported, the Google Security Team implemented a partial fix by revoking the logging.privateLogEntries.list permission from the default Cloud Build Service Account. However, this measure didn’t directly address the underlying vulnerability in the Artifact Registry, leaving the privilege escalation vector and the supply chain risk still intact.

 

Google Cloud Build customers are advised to modify the default Cloud Build Service Account permissions to match their specific needs and remove entitlement credentials that go against the Principle of Least Privilege (PoLP) to mitigate the privilege escalation risks.
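To make the least-privilege advice above concrete, here is an added example (not code from Google, Orca Security or this blog) that audits a project IAM policy for bindings that grant build creation and for roles on the default Cloud Build service account that exceed an allowlist. The role-to-permission mapping, the allowlist, the project id and the sample policy are assumptions; check them against your organization’s current role definitions.

```python
import re

# Assumption (verify against current role definitions): predefined roles that
# carry the cloudbuild.builds.create permission discussed in the text.
BUILD_CREATE_ROLES = {"roles/owner", "roles/editor",
                      "roles/cloudbuild.builds.editor", "roles/cloudbuild.builds.builder"}
# Assumption: the minimal role set your pipelines actually need on the default SA.
ALLOWED_SA_ROLES = {"roles/cloudbuild.builds.builder", "roles/logging.logWriter"}
# The default Cloud Build SA is <PROJECT_NUMBER>@cloudbuild.gserviceaccount.com.
DEFAULT_SA = re.compile(r"^serviceAccount:\d+@cloudbuild\.gserviceaccount\.com$")


def audit(policy):
    """Return who can create builds and which default-SA roles exceed the allowlist."""
    creators, sa_roles = {}, {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if role in BUILD_CREATE_ROLES:
                creators.setdefault(member, set()).add(role)
            if DEFAULT_SA.match(member):
                sa_roles.setdefault(member, set()).add(role)
    excess = {sa: roles - ALLOWED_SA_ROLES
              for sa, roles in sa_roles.items() if roles - ALLOWED_SA_ROLES}
    return {"build_creators": creators, "excess_sa_roles": excess}


def remediation_commands(project_id, excess):
    """gcloud commands that drop each excess binding (review before running)."""
    return [f"gcloud projects remove-iam-policy-binding {project_id} "
            f"--member={sa} --role={role}"
            for sa, roles in excess.items() for role in sorted(roles)]


# Constructed sample policy in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/cloudbuild.builds.builder",
     "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
    {"role": "roles/cloudbuild.builds.editor", "members": ["user:dev@example.com"]},
    {"role": "roles/viewer", "members": ["user:viewer@example.com"]},
]}

if __name__ == "__main__":
    report = audit(SAMPLE_POLICY)
    for member, roles in report["build_creators"].items():
        print(f"can create builds: {member} via {sorted(roles)}")
    for cmd in remediation_commands("my-project", report["excess_sa_roles"]):
        print(cmd)
```

Run it on real input by saving the output of `gcloud projects get-iam-policy PROJECT_ID --format=json` and passing the parsed JSON to `audit()`.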

 

Supply chain attacks have had far-reaching consequences in recent cybersecurity incidents like the SolarWinds, 3CX, and MOVEit attacks. Therefore, organizations using Google Cloud Build need to be vigilant and implement cloud detection and response capabilities to identify anomalies and reduce the risk of potential supply chain attacks.

 

In response to the discovery, a Google spokesperson expressed appreciation for the researchers’ efforts and confirmed that a fix based on their report had been incorporated in a security bulletin issued in early June. Google also emphasized its commitment to identifying and addressing vulnerabilities through its Vulnerability Rewards Program.



As I wrap up this month’s breach blog, I must address IBM Security’s annual “Cost of a Data Breach Report.” The report reveals that the global average cost of a data breach has reached an all-time high of $4.45 million in 2023, marking a 15% increase over the past three years. Below I’ve outlined key findings.

 

Key Highlights From the Report:

 

AI and Automation Accelerate Breach Identification and Containment: Organizations extensively employing AI and automation experienced a significantly shorter data breach lifecycle, reducing it by 108 days compared to organizations not leveraging these technologies (214 days vs. 322 days). This reduction resulted in nearly $1.8 million in lower data breach costs, making AI and automation the most impactful cost-saving measures identified in the report.

 

Silence is Costly in Ransomware Attacks:

 

Ransomware victims who involved law enforcement in their response saved an average of $470,000 in breach costs compared to those who chose not to involve law enforcement. Despite this potential benefit, 37% of the ransomware victims studied did not engage law enforcement during an attack, leading to longer breach lifecycles and increased costs.

 

Detection Gaps Persist:

Only one-third of the studied breaches were discovered by the organization’s own security team, while 27% were disclosed by the attacker and 40% were disclosed by neutral third parties such as law enforcement. Breaches identified by the organizations themselves incurred nearly $1 million less in breach costs than those disclosed by the attackers. This is where conducting regular assessments comes into play. The report emphasizes that early detection and rapid response are crucial in reducing the impact of a breach, and organizations are encouraged to invest in threat detection and response approaches to bolster their cybersecurity defenses.



While this month’s update is on the longer side, I hope it has shown just how important conducting regular security checks is for your business and your entire supply chain. Findings automates assessment and audit processes to help you stay compliant while ensuring that your supply chain is secure.
