// #compliance
5 articles
CISA KEV June 2026 Tracker: Vulnerability Additions, BOD 22-01 Deadlines, and Remediation Priorities
The CISA Known Exploited Vulnerabilities catalogue added three entries in the first week of June 2026, including the Oracle WebLogic deserialization vulnerability (CVE-2024-21182) and the Mirasvit Magento RCE (CVE-2026-45247). This tracker consolidates the June additions with their remediation deadlines and documents the patch availability status for each.
FTC Bans Kochava Subsidiary from Selling Sensitive Location Data in Landmark Enforcement Settlement
The US Federal Trade Commission has reached a settlement banning Kochava and its Collective Data Solutions subsidiary from selling sensitive location data derived from consumer mobile devices — marking the FTC's most significant enforcement action against the location data broker industry. The settlement establishes a precedent with direct implications for any organisation that monetises or purchases precise consumer location data, including advertising technology companies, retail analytics firms, and financial services using location data for fraud detection.
CISA Adds Four Exploited Flaws to KEV — SimpleHelp RMT and Samsung MagicINFO Head New Additions
CISA's Known Exploited Vulnerabilities catalogue has grown by four entries including critical flaws in SimpleHelp remote management tooling and Samsung's MagicINFO digital signage platform. Federal agencies face a May 2026 remediation deadline. Enterprise operators of RMM tools and display infrastructure should treat these as urgent.
NIS2 Moves From Grace Period to Enforcement — Germany's BSI Registration Deadline Is Now
Eighteen months after the NIS2 transposition deadline, EU member states are moving from legislative implementation to active supervisory enforcement. Germany's BSI has set April 2026 as the registration deadline for essential and important entities under the national NIS2 implementation (NIS2UmsuCG). Organisations still treating NIS2 as a future requirement face immediate regulatory exposure as national competent authorities begin audit and penalty activity.
March 2026 Patch Cycle: The Governance and Risk Metrics That CISOs Should Be Reporting
March 2026 has been an unusually demanding patch cycle — 83 Microsoft CVEs, three new CISA KEV additions across F5, Citrix, and Active Directory, and concurrent exploitable vulnerabilities across Linux, PAN-OS, and Dell hardware. CISOs face board-level questions about patching velocity and exposure windows. This analysis provides the governance framework and risk metrics to answer those questions accurately.
Commentary tagged #compliance
BitLocker Gives You Compliance, Not Security Against Determined Attackers
The YellowKey BitLocker bypass demonstrates what practitioners have known for years: BitLocker deployed in its default TPM-only configuration satisfies regulatory checkboxes but does not protect against an adversary with physical access or WinRE trigger capability. The compliance requirement and the security requirement are not the same thing, and conflating them leaves organisations with an expensive false assurance.
CipherWatch Editorial
Security Intelligence Platform
Patch Tuesday Is Not a Patching Programme
Every second Tuesday, the industry runs a collective sprint to triage, test, and deploy hundreds of Microsoft patches before the next cycle begins. We call this a patching programme. It isn't. It's a treadmill — and the real security question is whether we're measuring the right thing.
CipherWatch Editorial
Security Intelligence Platform