After a series of high-profile supply chain and ransomware attacks, the federal government is ramping up its effort to improve the nation’s cybersecurity. In the past several months, multiple federal departments and agencies announced new policy initiatives and regulatory directives to drive their cybersecurity agenda forward, and state regulators are following the trend. It is unmistakably clear that companies in regulated sectors are entering a new era of cybersecurity regulatory compliance. And although much of this early action targets specific sectors (e.g., government contractors, pipeline operators, and public companies), these requirements will indirectly touch companies in other sectors and are a preview of broader regulation to come. Here, we discuss recent notable actions on cybersecurity by federal and state government agencies.
Policy Initiatives from the Top (and Elsewhere)
On May 12, 2021, President Joe Biden signed the Executive Order on Improving the Nation’s Cybersecurity. The order focuses on improving the executive branch’s cybersecurity posture in response to recent supply chain and ransomware attacks. The order calls for:
- Contractually obligating IT and OT service providers to share threat information with and disclose cyber incidents to their federal counterparts
- Accelerating the migration of federal IT systems to secure cloud services, promoting a zero-trust security model within federal networks, and mandating multi-factor authentication (MFA) and data encryption
- Calling for a national cyber incident review board (modeled on the National Transportation Safety Board, which investigates significant transportation incidents)
- Establishing baseline security standards for the development of software sold to the government by requiring developers to maintain greater visibility into their software and making security data publicly available
- Deploying endpoint detection and response (EDR) systems across federal networks
- Implementing enhanced logging at federal departments and agencies
The standards on software development are likely to have the greatest security impact (and impose the greatest burden) as they will impose new security and disclosure requirements on software developers that the National Institute for Standards and Technology (NIST) is now developing. Although these requirements will apply only to suppliers to the federal government, any improved security should benefit other organizations that use the same software (and suppliers should expect state governments and private organizations to copy procurement requirements).
The White House also published an open letter to U.S. business leaders and executives, urging them to implement protective measures against ransomware attacks. The letter confirms that disrupting ransomware actors is one of the Biden administration’s top priorities and recommends that private companies adopt the following security measures against ransomware attacks:
- Implementing technical safeguards such as MFA, encryption, and EDR.
- Ensuring the availability and integrity of backups by testing them regularly and keeping them offline
- Updating and patching systems regularly and promptly
- Regularly testing the company’s incident response plan and testing defenses through independent third parties
- Applying network segmentation where possible
The White House also emphasized cybersecurity and the need to impose consequences on criminal actors during meetings with foreign leaders. At the G7 summit, world leaders, including Biden, identified ransomware as one of the biggest threats to people and businesses around the globe and urged Russia to “identify, disrupt, and hold to account” cybercriminals operating from the country. Notably, the emphasis on cybersecurity at the G7 summit came soon after an in-person meeting between U.S. Secretary of State Antony Blinken and Russian Foreign Minister Sergei Lavrov, during which the pair reportedly discussed cybersecurity-related issues.
Biden continued this emphasis on July 9, 2021, several days after another massive ransomware attack by the REvil ransomware gang (believed to operate in Russia) affected more than 1,000 businesses over the July 4 weekend. Biden warned Putin that the U.S. will take “any necessary action” to defend U.S. infrastructure from cyberattacks. Importantly, Biden “made it very clear to [Putin] that the United States expects when a ransomware operation is coming from his soil, even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is.” Following this remark, on July 13, all infrastructure tied to the REvil ransomware group, including its data leak and payment sites, went offline.
On July 14, the White House announced a new ransomware task force to coordinate both defensive and offensive actions against ransomware operators, which may include launching cyberattacks against foreign ransomware operators. This follows earlier remarks by Department of Homeland Security (DHS) Secretary Alejandro Mayorkas, who recently declared ransomware a national security threat and announced the department’s plan to create recommendations to slow the ransomware epidemic, including mandatory reporting of ransom payments. Some lawmakers and policymakers, such as Sen. Mark Warner, D-Va., and Energy Secretary Jennifer Granholm, are taking it a step further by suggesting that ransom payments should be made illegal for U.S. companies to remove financial incentives for cyber criminals.
Continued pressure and strong government action to create consequences for criminal actors will be critical to curb the current wave of ransomware attacks. The government must continue sending a clear message that no safe havens exist from which individuals can run global cybercrime operations without consequences.
Regulatory Pressure Mounting
On the regulatory side, the Transportation Security Administration (TSA) issued a new directive mandating critical pipeline owners and operators to report cybersecurity incidents—which the directive defines broadly—to the Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours of identifying such an incident (both TSA and CISA fall within DHS). The directive also requires pipeline companies to designate a cybersecurity coordinator and conduct a one-time vulnerability assessment and report the findings to the TSA and CISA. This is a swift change from the voluntary reporting regime TSA introduced in March 2018 and was in direct reaction to the recent Colonial Pipeline attack. DHS has signaled that additional regulations governing cybersecurity for pipeline operators will be coming.
The Securities and Exchange Commission (SEC) is also signaling a more aggressive posture on cybersecurity. In June, the SEC announced its intention to propose rule amendments that would enhance issuer disclosure requirements regarding cybersecurity risk factors. In addition, the SEC recently settled charges against real estate settlement services company First American for an inadequate Form 8-K disclosure related to First American’s 2019 cyber incident, imposing an approximately $500,000 civil penalty. The SEC’s charges focused on an alleged failure in First American’s disclosure controls—that is, that its 8-K disclosure was deficient because it failed to accurately describe the current state of First American’s cybersecurity posture, as known at the time to the company’s information security team. This action highlights the need for strong disclosure controls to ensure that information security teams elevate material information to those making disclosures, which can be especially challenging during the early days of a cyber incident. The SEC also reportedly launched a large-scale probe into companies that were potentially affected by the SolarWinds supply chain attack, requesting information related to the SolarWinds incident and other cyber incidents the companies may have experienced. In all, the SEC’s recent moves signal that cybersecurity will remain high on the agency’s regulatory and enforcement agenda.
Not to be outdone, on June 30 the New York Department of Financial Services (DFS) issued an Industry Letter on ransomware to its regulated entities with ransomware prevention steps and guidance on when entities “should” report ransomware attacks to DFS. The letter cautions entities to “assume that any successful deployment of ransomware on their internal network should be reported to DFS” and that “any intrusion where hackers gain access to privileged accounts should be reported.”
Reading the SEC and DFS guidance together, we may see agencies seeking to lower the bar on when companies in various regulated industries must report or disclose network intrusions and other cyber incidents, which may be based on an expanded interpretation of materiality in the cyber context.
Meanwhile, the Department of Defense (DoD) continues moving in fits and starts toward its Cybersecurity Maturity Model Certification (CMMC) program. The CMMC program, as currently envisioned, will require all defense contractors and subcontractors to obtain a CMMC certification, based on DoD-approved third-party security assessments, when handling certain government information in connection with their contracts. The CMMC program establishes five certification levels tied to increasingly mature controls sets as companies move toward Level 5. Many companies will require certification at Level 3, which is an enhanced version of current requirements under NIST special publication 800-171, while certain companies that handle more sensitive information must obtain a higher level of certification designed to thwart more sophisticated attacks. Although the CMMC has experienced numerous delays and is currently undergoing an internal review at DoD, CMMC limited assessments may yet start later this year, with full implementation rolled out over five years under a November 2020 interim rule. Meanwhile, the interim rule now requires certain contractors to report their 800-171 self-assessment scores to DoD, and under new authority granted in the rule, the DoD has begun conducting targeted government-run assessments against the 800-171 framework.
Lastly, the Department of Labor (DOL) issued its first-ever cybersecurity guidance for companies managing employee retirement plans. The guidance provides (1) tips for hiring a service provider, including cybersecurity due diligence and leveraging contracts to ensure an adequate cybersecurity posture from service providers; (2) cybersecurity best practices; and (3) online security tips for plan participants and beneficiaries. According to the DOL, this guidance complements the existing regulations requiring that reasonable controls and safety measures be in place to protect electronic record-keeping systems of companies managing retirement plans.
DOJ Making Ransomware Top Priority
On the criminal side, the DOJ reportedly issued internal guidance elevating ransomware to the top of its enforcement priority list, assigning ransomware a priority similar to that of terrorism. The DOJ also created a procedure to centrally coordinate all ransomware investigations. Reflecting ransomware’s elevation on the priority list, the DOJ, in a surprise move, seized approximately $2.3 million in Bitcoin that was paid as a ransom in the Colonial Pipeline case. The DOJ looks poised to ramp up its investigative efforts to combat ransomware.
- Cybersecurity is a primary operational risk and must be a core part of every organization’s enterprise risk management. Events over the past six months highlight that no organization is immune from cyberattacks. Business executives and directors should ensure they are overseeing cybersecurity as a primary organizational risk. Boards that lack cybersecurity expertise should consider seeking independent advice to help them vet information and actions reported by the company’s management.
- Cybersecurity is becoming a top priority for every regulator. Given American companies’ growing reliance on data and network connectivity, as well as the ever-increasing number of cyberattacks they face, cybersecurity will continue to garner regulators’ attention. Business leaders should ensure they clearly understand the regulatory frameworks (U.S. and international) they are subject to, how their regulators are reacting to recent cyber incidents, and what the company is doing to address and anticipate regulatory requirements. For businesses that provide services to other businesses, it’s also critical they understand customers’ regulatory pressures, as meeting those requirements may be necessary to win new business and retain existing customers. Otherwise, they may find themselves scrambling when an industry regulator adopts new cybersecurity rules or, even worse, when the regulator comes knocking on the door asking about their cybersecurity posture after a cyberattack.
- Review cyber disclosures. With the SEC’s recent focus on cyber disclosures, public companies regulated by the SEC should:
- Review their existing cyber-risk factors to ensure they accurately reflect the company’s risk, considering the wave of direct and supply-chain attacks against companies over the past year
- Ensure their cyber-risk disclosures do not use hypothetical language (e.g., “we could experience a cyberattack”) in cases where the company has experienced an actual attack
- Review the company’s disclosure controls to ensure that events that may require disclosure are properly elevated to the company’s management, and that any disclosures made are accurate
- Security measures once considered advanced are now becoming the norm. Terms like “zero-trust architecture” and “endpoint detection and response” used to be obscure security terms only a few in the security industry understood. This is not the case anymore, when the entire federal government will soon be implementing those security concepts and safeguards and the White House, in an open letter, is urging companies to implement the same. As these advanced security concepts and measures are incorporated into the “state of the art,” companies that fail to implement them face more questions when the time comes to answer regulatory inquiries about their cybersecurity posture. At the same time, business leaders should understand that these measures require time to implement and will not be overnight changes. Instead, the immediate goal is to evaluate how a company should incorporate these measures into its cybersecurity program and develop a long-term plan to implement them.
- Understand new disclosure obligations. Along with the Biden administration’s diplomatic push to create consequences for ransomware attackers, we can also expect lawmakers and regulators (state, federal, and international) to continue the push for companies to disclose more details on cyberattacks, ransom demands, and ransom payments. This may be through new mandatory regulatory disclosures, mandatory reporting to law enforcement, and increased scrutiny by agencies such as Treasury’s Office of Foreign Assets Control. Many of these are likely to require notice on a short deadline. Companies should follow these developments closely to understand their reporting obligations and reporting channels, and build those into their incident response plans.
The authors are attorneys at BakerHostetler.