The Securities and Exchange Commission (SEC) finalized a rule in July 2023, effective September 5, 2023, requiring publicly traded companies to promptly disclose cyber incidents. The rule standardizes breach disclosures and affects public healthcare entities and vendors serving the healthcare sector. It requires companies to report material cybersecurity incidents within four days, except when national security is at risk. Critics argue the tight timeline may lead to unclear or inaccurate disclosures. The rule also requires periodic disclosures on cyber risk management, which aid vendor assessment. Non-compliance may result in penalties, underscoring the need for improved cybersecurity practices.

Ivanti VPN customers targeted via unrecognized RCE vulnerability (CVE-2025-22457)
A suspected Chinese advanced persistent threat (APT) group exploited CVE-2025-22457, a previously unexploitable buffer overflow bug, to compromise devices running Ivanti Connect Secure (ICS) and