U.S. and Foreign Cybersecurity and Intelligence Agencies Recommend Measures to Counteract Threat of Russian Cyberattacks

On January 11, 2022, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) recently released a joint Cybersecurity Advisory warning critical infrastructure operators about the threat of Russian state-sponsored cyberattacks and recommended best practices to minimize disruption from such an attack (the “Advisory”).

The advisory was promptly endorsed by the National Cyber Security Centre, a division of Government Communications Headquarters (“GCHQ”), a UK intelligence agency. Within a few days, data security experts at Microsoft, Palo Alto Networks (“PANW”), and Mandiant confirmed reports of increasing Russian cyberactivity and offered their own recommendations for hardening measures (many of which overlap with the Advisory). (more…)

5 Global Data Protection Trends To Watch In 2022

*This article was first published by Law360 on January 3, 2022.

A recent discussion with Elizabeth Denham and Claudia Berg of the U.K. Information Commissioner’s Office provided ample food for thought on the direction in which data protection regulation both in the U.K. and internationally is headed, including key trends to watch for in data protection.

View article.

A Software Primer For Attorneys After Cyber Executive Order

When President Joe Biden issued his major cybersecurity executive order on May 12, a White House press briefing said the order would invoke:

“the power of federal procurement to say, “If you’re doing business with us, we need you to practice really good — really good cybersecurity. And, most importantly, we really need you to focus on secure software development.” (more…)

U.S. Federal Bank Regulators Require Notifications For Material Cybersecurity Incidents

On November 18, 2021, a group of federal bank regulators announced a final rule requiring banks to notify their primary federal regulator of any “significant computer-security incidents.” Regulators must be notified no later than 36 hours after the bank has determined that the incident triggers the rule’s notification requirement. Further, bank service providers are now required to promptly notify all affected banks whenever a cybersecurity disruption lasts for four or more hours. (more…)

DOJ Deploys the FCA on Cybersecurity Fraud

This article originally appeared in Law360 on November 3, 2021.

Sidley lawyers Brenna Jenny and Sujit Raman recently published an article in Law360 entitled How To Minimize FCA Cyber Fraud Enforcement Risk, which analyzes the implications of DOJ’s recent formation of a Civil Cyber-Fraud Initiative to use the FCA to pursue cybersecurity-related fraud.  Although the Initiative focuses generally on government contractors and grant recipients—and does not, by its terms, impose any new cybersecurity requirements—the project promises in particular to attract whistleblowers in the defense industry, as recent years have witnessed high-profile FCA cases implicating alleged cybersecurity non-compliance in that sector.  The healthcare industry may also see a marked increase in cybersecurity-related qui tams, especially in light of a recent Department of Health and Human Services Office of Inspector General report taking the Centers for Medicare & Medicaid Services to task for failing to hold hospitals accountable for the cybersecurity of their networked devices.  Healthcare providers and medical device manufacturers, in addition to other government contractors and grantees, would do well to heed DOJ’s warning that “cybersecurity failures…are prime candidates for potential False Claims Act enforcement.”

(more…)

How to Mitigate Corporate Risk and Respond to Crises

Recent events have given the term “corporate crisis” a whole new meaning. From cyberattacks and pandemic disruptions to political divisions and tweets that go viral, companies are being challenged in ways they never have before. How should they respond in a fast-moving crisis? (more…)

The U.S. Federal Government Continues Its Focus on Ransomware Attacks: CISA, FBI, and NSA Publish Technical Advisory on the Conti Group

On September 22, 2021, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) published a cybersecurity advisory (the “Advisory”) outlining the Conti ransomware group’s tactics, techniques, and procedures (“TTPs”) to help companies protect against their attacks. This Advisory is especially notable because it is an example of the type of information sharing promised by the Biden administration, which includes technical details about the Conti group’s TTPs. It also heralds the launch of new website called: StopRansomware.gov. (more…)

Data Breaches are More Expensive than Last Year, New IBM Security Report Finds

Death, taxes and data breaches. Cybersecurity incidents have grown in frequency, scale and seriousness. As articulated in President Biden’s May 2021 Executive Order, Improving the Nation’s Cybersecurity, “[t]he United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.” These threats lead to direct costs on victims, and these costs have also grown exponentially in recent years, as readers of the famed annual Ponemon data breach report well know.  This year’s report is out, and confirms the continuation of a troubling trend. (more…)

Five Key Considerations Regarding New U.S. Sanctions to Address Ransomware Threats

On September 21, 2021, the U.S. Department of the Treasury (Treasury) Office of Foreign Asset Control (OFAC) imposed sanctions on a virtual currency exchange called Suex OTC, S.R.O. (Suex), and published an updated advisory on potential risks for those who facilitate ransomware payments. These coordinated actions represent significant moves by OFAC to target key aspects of the global ransomware ecosystem and to advance the U.S. government’s broader counter-ransomware strategy. By recommending strengthened cybersecurity measures and emphasizing reporting to law enforcement, OFAC’s updated advisory also reflects increasingly tighter collaboration among federal government agencies in their fight against the ransomware threat.

(more…)

Regulatory Update: NAIC Summer 2021 National Meeting

The National Association of Insurance Commissioners (NAIC) held its Summer 2021 National Meeting (Summer Meeting) August 14-17, 2021. As a result of the continuing COVID-19 pandemic, the NAIC met in a hybrid format with attendees participating both in person and virtually. This post summarizes the highlights from this meeting in addition to interim meetings that were held during July in lieu of taking place during the Summer Meeting. Highlights include, among others, adoption of revised risk-based capital bond factors for life insurers, amendments to SSAP No. 71, and an amendment to the purposes and procedures manual to add instructions for review of funds.

(more…)