Mar 242020

COVID-19: Key EU And U.S. Cybersecurity Issues and Risk-Remediation Steps

William RM Long, Clayton G. Northouse, Alan Charles Raul and Vishnu Shankar
, , , , ,

The COVID-19 crisis has created significant cybersecurity risks for organizations across the world, particularly arising from remote working, scams and phishing attacks, and weakened information governance controls. These risks warrant attention by legal counsel and information security officers in light of potentially significant adverse legal, financial and reputational consequences that could arise – all while the organization is dealing with effects of a global pandemic.

In addition to identifying the cybersecurity risks, we also consider key measures that organizations can consider adopting to reduce such risks, including measures recommended by the UK’s National Cybersecurity Centre (NCSC), EU’s Agency for Cybersecurity (ENISA) and the US Federal Bureau of Investigation.  The speed at which the COVID-19 crisis has evolved has meant that many organizations have not been able to deploy effective risk-reducing measures in a timely manner.

Potential sources of COVID-19-related cybersecurity risks include:

  • Vulnerabilities arising from remote access: Employees may work remotely using personal laptops or BYOD devices that are less “hardened” to protect against cyber attack. These devices may also be without up-to-date anti-malware software be vectors of malware that infect their employer’s systems. In addition, employees who access their employer’s systems from home WiFi networks are more at risk of being hacked (particularly, if passwords and endpoint security are weak, or if 2-factor authentication has not been implemented), eavesdropped and subject to “man-in-the-middle” attacks.
  • Phishing attacks and scams: A number of “phishing” attacks and scams are being mounted by “bad actors” taking advantage of COVID-19 anxieties. For example, the World Health Organization has warned of fake emails being sent in its name. Also, “bad actors” appear to be “phishing” individuals to sign-up to fake COVID-19 products and services (such as COVID cures or tax refunds) to perpetrate ransomware attacks. And also because employees may not be present in their offices, it may be easier to impersonate them to carry-out (for example) fraudulent bank or wire transfers or securities trades.
  • Removal of data and physical devices from offices: Employees may have removed – either with or without the organization’s permission – laptops, removable media (such as USB/thumb drives) or physical copies of confidential and personal information from their employer’s offices. In turn, such laptops (particularly, if unencrypted), devices and information are at risk of being stolen, lost or exposed in such circumstances.
  • Use of unofficial unsecure communication channels: While working remotely, employees are more at risk of using unofficial communication channels (such as personal instant messaging or e-mail platforms) to conduct official business. The organization may be unable to comply with its record keeping obligations (such as with respect to securities trades) because material information may be stored outside of the organization’s official systems. And such unofficial communication channels may also be less secure and at higher risk for cyber attack.
  • Dispersed incident response decision-makers and IT staff: In the event of a cyber-incident, some organizations may find it more challenging to timely and effectively respond: key incident response decision-makers and IT staff may be difficult to contact or may be unavailable (if they are in isolation or sick). As a result, any pre-agreed incident response plan may be difficult to implement.
  • Supply chain cybersecurity risks: Many suppliers to organizations (including IT suppliers) may be themselves subject to significant cybersecurity vulnerabilities because of the COVID-19 crisis (including the risks identified above). As a result, even if an organization does not directly suffer a cyber incident, it may be exposed to the consequences of an incident affecting its suppliers.

To counteract these increased risks, EU and US regulators and law enforcement agencies, and cybersecurity professionals are recommending that organizations adopt additional measures to ensure sufficient cybersecurity protections. Some of these measures include:

  • Consider conducting a cyber security vulnerability review to consider the organization’s exposure to specific COVID-related cyber risks, and drafting and implementing a plan to address those vulnerabilities, including the measures outlined below.
  • Where possible implement 2-factor authentication for any remote access to emails and remote log-in capabilities to employer resources.
  • Consider developing a series of “how to” guides and send out regular reminders regarding best practices for working remotely to ensure conformity with employer policies and procedures. Such guides should focus on, for example, how to log into and use online collaboration tools; discourage use of personal accounts for conducting business activities and discourage emailing documents to employee personal email accounts; and reminding employees to not disclose sensitive documents in public policies and not to use public WiFi networks without sufficient security controls such as VPN.
  • Carefully vet third-party applications and platforms to ensure conformity with employer security controls. When entering into new vendor agreements, organizations should ensure proper controls are in place to ensure protection of material or sensitive confidential information or personal information.
  • Implement – and take steps to enforce where feasible – written “remote working policies”, (including employees’ use of BYOD devices), and regularly reminding employees of their confidentiality obligations (including the removal of documents from the organization’s offices)
  • Regularly update patches regarding VPN technologies and other associated software utilized for remote access to company IT resources.
William RM Long

London

wlong@sidley.com

Clayton G. Northouse

cnorthouse@sidley.com

Alan Charles Raul

Washington, D.C., New York

araul@sidley.com

Vishnu Shankar

vshankar@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.

New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).