The Brave New World of Cybersecurity Compliance
Key Takeaways from Recent Government Action on Cybersecurity
By Andreas T. Kaltsounis and Seungjae Lee

After a series of high-profile supply chain and ransomware attacks, the federal government is ramping up its effort to improve the nation’s cybersecurity. In the past several months, multiple federal departments and agencies announced new policy initiatives and regulatory directives to drive their cybersecurity agenda forward, and state regulators are following the trend. It is unmistakably clear that companies in regulated sectors are entering a new era of cybersecurity regulatory compliance. And although much of this early action targets specific sectors (e.g., government contractors, pipeline operators, and public companies), these requirements will indirectly touch companies in other sectors and are a preview of broader regulation to come. Here, we discuss recent notable actions on cybersecurity by federal and state government agencies.

Policy Initiatives from the Top (and Elsewhere)

On May 12, 2021, President Joe Biden signed the Executive Order on Improving the Nation’s Cybersecurity. The order focuses on improving the executive branch’s cybersecurity posture in response to recent supply chain and ransomware attacks. The order calls for:

• Contractually obligating IT and OT service providers to share threat information with and disclose cyber incidents to their federal counterparts
• Accelerating the migration of federal IT systems to secure cloud services, promoting a zero-trust security model within federal networks, and mandating multi-factor authentication (MFA) and data encryption
• Calling for a national cyber incident review board (modeled on the National Transportation Safety Board, which investigates significant transportation incidents)
• Establishing baseline security standards for the development of software sold to the government by requiring developers to maintain greater visibility into their software and making security data publicly available
• Deploying endpoint detection and response (EDR) systems across federal networks
• Implementing enhanced logging at federal departments and agencies
The software development standards, which the National Institute of Standards and Technology (NIST) is now developing, are likely to have the greatest security impact (and impose the greatest burden), as they will impose new security and disclosure requirements on software developers. Although these requirements will apply only to suppliers to the federal government, any improved security should benefit other organizations that use the same software (and suppliers should expect state governments and private organizations to copy procurement requirements).

The White House also published an open letter to U.S. business leaders and executives, urging them to implement protective measures against ransomware attacks. The letter confirms that disrupting ransomware actors is one of the Biden administration’s top priorities and recommends that private companies adopt the following security measures against ransomware attacks:

• Implementing technical safeguards such as MFA, encryption, and EDR
• Ensuring the availability and integrity of backups by testing them regularly and keeping them offline
• Updating and patching systems regularly and promptly
• Regularly testing the company’s incident response plan and testing defenses through independent third parties
• Applying network segmentation where possible

The White House also emphasized cybersecurity and the need to impose consequences on criminal actors during meetings with foreign leaders. At the G7 summit, world leaders, including Biden, identified ransomware as one of the biggest threats to people and businesses around the globe and urged Russia to “identify, disrupt, and hold to account” cybercriminals operating from the country. Notably, the emphasis on cybersecurity at the G7 summit came soon after an in-person meeting between U.S. Secretary of State Antony Blinken and Russian Foreign Minister Sergei Lavrov, during which the pair reportedly discussed cybersecurity-related issues.

Biden continued this emphasis on July 9, 2021, several days after another massive ransomware attack by the REvil ransomware gang (believed to operate in Russia) affected more than 1,000 businesses over the July 4 weekend. Biden warned Putin that the U.S. will take “any necessary action” to defend U.S. infrastructure from cyberattacks. Importantly, Biden “made it very clear to [Putin] that the United States expects when a ransomware operation is coming from his soil, even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is.” Following this remark, on July 13, all infrastructure tied to the REvil ransomware group, including its data leak and payment sites, went offline.

On July 14, the White House announced a new ransomware task force to coordinate both defensive and offensive actions against ransomware operators, which may include launching cyberattacks against foreign ransomware operators. This follows earlier remarks by Department of Homeland Security (DHS) Secretary Alejandro Mayorkas, who recently declared ransomware a national security threat and announced the department’s plan to create recommendations to slow the ransomware epidemic, including mandatory reporting of ransom payments. Some lawmakers and policymakers, such as Sen. Mark Warner, D-Va., and Energy Secretary Jennifer Granholm, are taking it a step further by suggesting that ransom payments should be made illegal for U.S. companies to remove financial incentives for cybercriminals.

Continued pressure and strong government action to create consequences for criminal actors will be critical to curb the current wave of ransomware attacks. The government must continue sending a clear message that no safe havens exist from which individuals can run global cybercrime operations without consequences.

Regulatory Pressure Mounting

On the regulatory side, the Transportation Security Administration (TSA) issued a new directive mandating critical pipeline owners and operators to report cybersecurity incidents—which the directive defines broadly—to the Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours of identifying such an incident (both TSA and CISA fall within DHS). The directive also requires pipeline companies to designate a cybersecurity coordinator, conduct a one-time vulnerability assessment, and report the findings to TSA and CISA. This is a swift change from the voluntary reporting regime TSA introduced in March 2018 and was in direct reaction to the recent Colonial Pipeline attack. DHS has signaled that additional regulations governing cybersecurity for pipeline operators will be coming.
The Securities and Exchange Commission (SEC) is also signaling a more aggressive posture on cybersecurity. In June, the SEC announced its intention to propose rule amendments that would enhance issuer disclosure requirements regarding cybersecurity risk factors. In addition, the SEC recently settled charges against real estate settlement services company First American for an inadequate Form 8-K disclosure related to First American’s 2019 cyber incident, imposing an approximately $500,000 civil penalty. The SEC’s charges focused on an alleged failure in First American’s disclosure controls—that is, that its 8-K disclosure was deficient because it failed to accurately describe the current state of First American’s cybersecurity posture, as known at the time to the company’s information security team. This action highlights the need for strong disclosure controls to ensure that information security teams elevate material information to those making disclosures, which can be especially challenging during the early days of a cyber incident. The SEC also reportedly launched a large-scale probe into companies that were potentially affected by the SolarWinds supply chain attack, requesting information related to the SolarWinds incident and other cyber incidents the companies may have experienced. In all, the SEC’s recent moves signal that cybersecurity will remain high on the agency’s regulatory and enforcement agenda.

Not to be outdone, on June 30 the New York Department of Financial Services (DFS) issued an Industry Letter on ransomware to its regulated entities with ransomware prevention steps and guidance on when entities “should” report ransomware attacks to DFS. The letter cautions entities to “assume that any successful deployment of ransomware on their internal network should be reported to DFS” and that “any intrusion where hackers gain access to privileged accounts should be reported.”

Reading the SEC and DFS guidance together, we may see agencies seeking to lower the bar on when companies in various regulated industries must report or disclose network intrusions and other cyber incidents, which may be based on an expanded interpretation of materiality in the cyber context.

Meanwhile, the Department of Defense (DoD) continues moving in fits and starts toward its Cybersecurity Maturity Model Certification (CMMC) program. The CMMC program, as currently envisioned, will require all defense contractors and subcontractors to obtain a CMMC certification, based on DoD-approved third-party security assessments, when handling certain government information in connection with their contracts. The CMMC program establishes five certification levels tied to increasingly mature control sets as companies move toward Level 5. Many companies will require certification at Level 3, which is an enhanced version of current requirements under NIST Special Publication (SP) 800-171, while certain companies that handle more sensitive information must obtain a higher level of certification designed to thwart more sophisticated attacks. Although the CMMC has experienced numerous delays and is currently undergoing an internal review at DoD, CMMC limited assessments may yet start later this year, with full implementation rolled out over five years under a November 2020 interim rule. Meanwhile, the interim rule now requires certain contractors to report their SP 800-171 self-assessment scores to DoD, and under new authority granted in the rule, the DoD has begun conducting targeted government-run assessments against the SP 800-171 framework.

Lastly, the Department of Labor (DOL) issued its first-ever cybersecurity guidance for companies managing employee retirement plans. The guidance provides (1) tips for hiring a service provider, including cybersecurity due diligence and leveraging contracts to ensure an adequate cybersecurity posture from service providers; (2) cybersecurity best practices; and (3) online security tips for plan participants and beneficiaries. According to the DOL, this guidance complements the existing regulations requiring that reasonable controls and safety measures be in place to protect electronic record-keeping systems of companies managing retirement plans.

DOJ Making Ransomware Top Priority

On the criminal side, the Department of Justice (DOJ) reportedly issued internal guidance elevating ransomware to the top of its enforcement priority list, assigning ransomware a priority similar to that of terrorism. The DOJ also created a procedure to centrally coordinate all ransomware investigations. Reflecting ransomware’s elevation on the priority list, the DOJ, in a surprise move, seized approximately $2.3 million in Bitcoin that was paid as a ransom in the Colonial Pipeline case. The DOJ looks poised to ramp up its investigative efforts to combat ransomware.
Takeaways

• Cybersecurity is a primary operational risk and must be a core part of every organization’s enterprise risk management. Events over the past six months highlight that no organization is immune from cyberattacks. Business executives and directors should ensure they are overseeing cybersecurity as a primary organizational risk. Boards that lack cybersecurity expertise should consider seeking independent advice to help them vet information and actions reported by the company’s management.

• Cybersecurity is becoming a top priority for every regulator. Given American companies’ growing reliance on data and network connectivity, as well as the ever-increasing number of cyberattacks they face, cybersecurity will continue to garner regulators’ attention. Business leaders should ensure they clearly understand the regulatory frameworks (U.S. and international) they are subject to, how their regulators are reacting to recent cyber incidents, and what the company is doing to address and anticipate regulatory requirements. For businesses that provide services to other businesses, it is also critical that they understand their customers’ regulatory pressures, as meeting those requirements may be necessary to win new business and retain existing customers. Otherwise, they may find themselves scrambling when an industry regulator adopts new cybersecurity rules or, even worse, when the regulator comes knocking on the door asking about their cybersecurity posture after a cyberattack.

• Review cyber disclosures. With the SEC’s recent focus on cyber disclosures, public companies regulated by the SEC should:
  » Review their existing cyber-risk factors to ensure they accurately reflect the company’s risk, considering the wave of direct and supply-chain attacks against companies over the past year
  » Ensure their cyber-risk disclosures do not use hypothetical language (e.g., “we could experience a cyberattack”) in cases where the company has experienced an actual attack
  » Review the company’s disclosure controls to ensure that events that may require disclosure are properly elevated to the company’s management, and that any disclosures made are accurate

• Security measures once considered advanced are now becoming the norm. Terms like “zero-trust architecture” and “endpoint detection and response” used to be obscure security terms only a few in the security industry understood. This is no longer the case, now that the entire federal government will soon be implementing those security concepts and safeguards and the White House, in an open letter, is urging companies to implement the same. As these advanced security concepts and measures are incorporated into the “state of the art,” companies that fail to implement them face more questions when the time comes to answer regulatory inquiries about their cybersecurity posture. At the same time, business leaders should understand that these measures require time to implement and will not be overnight changes. Instead, the immediate goal is to evaluate how a company should incorporate these measures into its cybersecurity program and develop a long-term plan to implement them.

• Understand new disclosure obligations. Along with the Biden administration’s diplomatic push to create consequences for ransomware attackers, we can also expect lawmakers and regulators (state, federal, and international) to continue the push for companies to disclose more details on cyberattacks, ransom demands, and ransom payments. This may be through new mandatory regulatory disclosures, mandatory reporting to law enforcement, and increased scrutiny by agencies such as Treasury’s Office of Foreign Assets Control. Many of these are likely to require notice on a short deadline. Companies should follow these developments closely to understand their reporting obligations and reporting channels, and build those into their incident response plans.

Recognized as one of the top firms for client service, BakerHostetler is a leading law firm that helps clients around the world address their most complex and critical business and regulatory issues. With six core practice groups – Business, Digital Assets and Data Management, Intellectual Property, Labor and Employment, Litigation, and Tax – the firm has nearly 1,000 lawyers located coast to coast. For more information, visit bakerlaw.com.

Baker & Hostetler LLP publications inform our clients and friends of the firm about recent legal developments. This publication is for informational purposes only and does not constitute an opinion of Baker & Hostetler LLP. Do not rely on this publication without seeking legal counsel. © 2021