WBA Membership Update: Cybersecurity in 2021 - Solarwinds Hack, The SAFETY Act, and Key Lessons Learned for Bank Directors and CEOs - Solarwinds ...
WBA Membership Update: Cybersecurity in 2021
Solarwinds Hack, The SAFETY Act, and Key Lessons Learned for Bank Directors and CEOs
Brian E. Finch | Partner
Cassie Lentchner | Senior Counsel
Deborah S. Thoren-Peden | Partner
Speakers
Brian E. Finch | Partner, Public Policy, Washington, DC, +1.202.663.8062, brian.finch@pillsburylaw.com
Deborah S. Thoren-Peden | Partner, Corporate, Los Angeles, +1.213.488.7320, deborah.thorenpeden@pillsburylaw.com
Cassie Lentchner | Senior Counsel, Financial Industry Group, New York, +1.212.858.1211, cassie.lentchner@pillsburylaw.com
2 | WBA Membership Update: Cybersecurity in 2021
Cyber threat environment is as dangerous as ever
• Foreign hackers have been extremely busy during the pandemic.
• Government attention (foreign and domestic) focused on 2020 election interference.
• That may have led to one of the more successful attacks in recent memory.
What did the Russians do?
• US Government alleges Russian CIA (SVR) launched a yearlong espionage campaign against America.
• Initially detected by FireEye, SVR used a compromised software update (SolarWinds) to penetrate computer systems.
• BUT – it was not the only tactic they used: password stuffing, incorrect cloud configurations, more.
“This adversary has been creative [and] it is absolutely correct that this campaign should not be thought of as the SolarWinds campaign.” - Dept. of Homeland Security
How companies are responding
• Increased scrutiny of third party service providers:
o Revisiting agreements to review security controls and obligations.
o Developing new obligations and expectations related to security measures.
o Revisit (meaning explore expanded) use of internal cybersecurity measures, meaning tools to monitor lateral movement, behavioral analysis, and more.
• Expectations management needs to be a part of this as well – the C-suite needs to be prepared for a successful penetration sometime in the future.
Don’t forget the rise of government audits
• The Defense Department is implementing the “Cybersecurity Maturity Model Certification Framework (CMMC)”.
• Contractual obligation to maintain a certain level of cybersecurity as determined by the DoD in its contracts.
• Companies will be audited, and failure to meet specified cybersecurity goals could result in termination.
• Applies to contractors AND their subcontractors, so expect to see this becoming the bar for U.S. companies in the future.
Regulatory Expectations
• Senior Level Engagement
• Communication internal and external
• Implementation of required incident response and resiliency plans
• Training and Awareness
• Testing and Monitoring requirements in regulations continue – need to confirm that new systems conform with regulatory requirements in the environment
o Access Rights and Controls including MFA
o Data Loss Prevention Programs
o Mobile Security, Privacy and Encryption Requirements
o Vendor Management Requirements
o Document Retention Requirements
Balancing Regulatory Requirements
• Cybersecurity laws including the NY SHIELD Act, SEC Regulation SP, Gramm-Leach-Bliley Act, Privacy Rule, Safeguards Rule, NYS DFS Part 500 Cybersecurity Regulation
• Data privacy regulations – reporting requirement for breaches to regulators and impacted consumers, GDPR – includes requirements to maintain data security
• Supervisory Responsibilities and Expectations
• Reporting Requirements
NYS DFS - Guidance Cybersecurity Awareness During COVID-19
• Reminder to report Cybersecurity Events to DFS within 72 hours at the latest.
• Remote Working
o Secure Connections. Require Multi-Factor Authentication and secure VPN connections that will encrypt all data in transit. 23 NYCRR §§ 500.12 & 500.15.
o Company-Issued Devices. New devices must be properly secured.
o Bring Your Own Device (BYOD) Expansion. Entities that have expanded their BYOD policies must consider the security risks and consider mitigating steps.
o Remote Working Communications. Video and audio-conferencing applications should be limited and employees must be given guidance on how to use them securely.
o Data Loss Prevention. Regulated entities should remind employees not to send Nonpublic Information to personal email accounts and devices.
NYS DFS - Guidance Cybersecurity Awareness During COVID-19
• Reminders and training regarding Increased Phishing and Fraud
• Third-Party Risk. Regulated entities should coordinate with critical vendors to determine how they are adequately addressing the new risks. 23 NYCRR § 500.11.
The SHIELD Act: Cybersecurity Requirements
• Designation and training of employees to coordinate cybersecurity compliance,
• Use of third-party service providers capable of maintaining appropriate cybersecurity practices, with safeguards required by contract,
• Risk assessment of the company’s cybersecurity program, including both the network and software design and the information processing, transmission and storage,
• Processes and physical safeguards to detect, prevent and respond to attacks or system failures,
The SHIELD Act: Cybersecurity Requirements
• Monitoring and testing of the effectiveness of the cybersecurity program,
• Processes to safely, securely and permanently dispose of data within a reasonable amount of time after it is no longer needed for business purposes, and
• Updates to the program periodically to address changes in the business or circumstances that would require the program to be changed.
Understanding the SAFETY Act
The SAFETY Act
• Supporting Anti-Terrorism by Fostering Effective Technologies Act
• Enacted as part of the Homeland Security Act of 2002, the program is administered by DHS.
• Congress passed the SAFETY Act to encourage the development and use of security products and services designed in part or in whole to protect against terrorism.
• The law is explicitly intended to limit or eliminate third-party tort litigation following an “act of terrorism.”
Making the SAFETY Act Work for You
• What kinds of cybersecurity technologies can obtain SAFETY Act protections?
o ANYTHING that deters, defeats, responds to, or mitigates cyberattacks.
• That will include:
o Security policies
o Incident response policies
o Disaster recovery programs
o Employee training and testing programs
• The SAFETY Act applies to internal security programs and regulatory compliance programs.
SAFETY Act Benefits
Direct Benefits
• Elimination (Certification) or minimization (Designation) of tort liability stemming from an “Act of Terrorism.”
• Removal of suit to Federal Court; cap on damages; bar on punitive damages and prejudgment interest; immediate dismissal of suits against customers.
• “Flow down” protections for customers.
Ancillary Benefits
• Strong evidence of the use of “reasonable” security measures.
• DHS “seal of approval” is a powerful talking point in public relations discussions following an incident.
• Consistent evidence that the application process strengthens security programs.
• Strong evidence supporting “reasonable” actions by Board members.
Triggering SAFETY Act Protections
Under the SAFETY Act:
• An “act of terrorism” is an incident that:
o (i) is unlawful;
o (ii) causes harm, including financial harm, to a person, property, or entity, in the United States; and
o (iii) uses or attempts to use instrumentalities, weapons or other methods designed or intended to cause mass destruction, injury or other loss to citizens or institutions of the United States.
• “Terrorist” acts that occur overseas but impact U.S. persons, property, or economic interests are eligible for SAFETY Act protections.
Important: “Act of Terrorism” = Cyber Attack
• Any cyber security product, service, and/or policy is eligible for SAFETY Act protections
• Cyber attacks are encompassed under this definition
• There is NO requirement that the attacker’s identity or motivation be identified/proven:
o Only mention of “intent” potentially relates to intent to cause injury or loss, NOT traditional “terrorist” intent
• This means that ANY cyber attack could potentially trigger SAFETY Act liability protections
The Links Between the SAFETY Act and Insurance
SAFETY Act
• Jurisdictional defenses (Exclusive Federal jurisdiction, no punitive damages, no prejudgment interest)
• Cap on 3d party damages
• Possible immunity re: security plans and technologies
• Government “review” of security plans and technologies
• Tying SAFETY Act to insurance may result in reduced premiums
Insurance
• Reimbursement for damages, but no cap
• No jurisdictional defenses
• No government “determination”
• Less certainty as to coverage
SAFETY Act: Key Questions and How To Use
Any costs for filing a SAFETY Act application?
• No.
What kind of cybersecurity products and services are eligible for SAFETY Act protections?
• All products, services, and/or policies, including internal policies.
What is the practical effect of obtaining SAFETY Act protections?
• A cap on damages or immunity from damages arising out of or related to cyber attacks or “acts of terrorism”.
Can I realize SAFETY Act benefits just by purchasing and using SAFETY Act approved cyber security solutions?
• Yes.
Does a technology have to completely eliminate/defeat a threat to merit SAFETY Act protections?
• No! If it did, there would be no need for the SAFETY Act.
How Can the SAFETY Act Be Used To Establish “Reasonable” Behavior?
FTC Investigation Into ASUS Routers
• FTC brought a complaint against ASUS, maker of internet routers.
• FTC said that ASUS routers were marketed as protecting “computers from any unauthorized access, hacking, and virus attacks” and protecting “local network against attacks from hackers.”
• However, FTC alleged that ASUS did not take “reasonable steps” to secure its routers, including:
o pervasive security bugs in the router’s control panel that allowed any of the router’s security settings to be changed without the consumer’s knowledge,
o numerous design flaws that exacerbated these vulnerabilities,
o the company set – and allowed consumers to retain – the same default login credentials on every router: username “admin” and password “admin”.
• ASUS, like others, was forced to sign a consent agreement.
The SAFETY Act vs Alleged Design Flaws
• “Pervasive security bugs in the router’s control panel”
o The SAFETY Act expects flaws – an application will be successful so long as there is a working process in place to identify and minimize those “bugs.”
• “Numerous design flaws that exacerbated these vulnerabilities”
o Again, the SAFETY Act does not expect perfection. So long as there is a process in place to identify and mitigate those “flaws”, the technology can still be deemed “effective” and useful.
• The company set – and allowed consumers to retain – the same default login credentials on every router: username “admin” and password “admin”.
o This is a great example of where policy and economic trade-offs (here functionality balanced with security) can be justified via the SAFETY Act.