Understanding your organization’s cybersecurity posture is more important than ever
Cybersecurity used to be more of a hypothetical problem for many US regulators. Data breaches, both large and small, took years to discover, and malicious hackers’ most common strategy in a network was to avoid detection, and ideally never alert the corporate victim to the fact that their networks were breached. Times have changed thanks to the popularization of ransomware as a method for monetizing a malicious hacker’s unauthorized access into a network. This method of monetization, holding a company’s data hostage through encryption, is one that requires the victim company, and oftentimes the public, to be made aware of the threat actor’s breach into the network.
With the various regulatory notice regimes in place, both in the US and abroad, this means that regulators are seeing (through reporting or regulatory examination) more and more reports of successful or nearly successful ransomware attacks, and have very good data as to what controls would have prevented such attacks, and what the implications are of a successful attack. And regulators will continue to gain more visibility; just last month, US federal regulators finalized a new reporting requirement for banks, with a compliance date of May 1, 2022, requiring regulatory notice of certain significant computer security incidents within 36 hours. Federal Register notice: Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (federalreserve.gov)
The very public nature of ransomware attacks and the disruption they cause has, thankfully, grabbed the attention of law enforcement, legislatures, and regulators, who appear to understand the need to tackle the problem holistically. For instance, the DOJ announced its Ransomware and Digital Extortion Task Force (Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside: Signed Memorandum Ransomware and Digital Extortion) in connection with a seizure of ransomware payments destined for a Darkside affiliate this summer, as well as a November announcement of multiple indictments related to REvil associates, including an arrest in Poland. Attorney General Merrick B. Garland, Deputy Attorney General Lisa O. Monaco and FBI Director Christopher Wray Deliver Remarks on Sodinokibi/REvil Ransomware Arrest | OPA | Department of Justice
However, as noted in the recent press release regarding the REvil arrest, as well as in virtually every public statement by US Government officials discussing this problem, the US understands that the ransomware problem “requires a whole-of-government approach.” Attorney General Merrick B. Garland, Deputy Attorney General Lisa O. Monaco and FBI Director Christopher Wray Deliver Remarks on Sodinokibi/REvil Ransomware Arrest | OPA | Department of Justice
What does that mean? Well, in part, it means that the US Government understands that it is not just about catching bad actors. The “whole of government” in this context means using whatever incentives or disincentives the Government can to ensure that US organizations, or organizations subject to their jurisdiction, have a reasonable cybersecurity program. And there is little doubt that the US Government is developing a sophisticated understanding of what “reasonable cybersecurity” means. Below are some recent actions and statements by US law enforcement and regulators, which we believe signal a larger strategy; one focused on ensuring the development and maturation of cybersecurity practices and controls.
- Senior management and the Board are expected to fully understand cybersecurity risk
- First American SEC action – This summer, the SEC announced a settlement with First American Financial Corporation for failing to maintain adequate disclosure controls in connection with its filing of a Form 8-K disclosure related to a 2019 data breach. The breach was associated with an application called EaglePro, and led to the exposure of over 800 million title and escrow document images dating back to 2003. According to the SEC, “First American’s senior executives responsible for the press statement and Form 8-K were not apprised ... that the company’s information security personnel had identified a [relevant] vulnerability several months earlier in a January 2019 manual penetration test of the EaglePro application …, or that the company had failed to remediate the vulnerability in accordance with its policies.” First American Financial Corporation (sec.gov)
- SEC Enforcement Priorities – This October, Gurbir Grewal, recently named Director of the SEC’s Enforcement Division, indicated that the SEC’s enforcement priorities include “public company disclosures of and controls for cybersecurity incidents.” SEC.gov | Remarks at SEC Speaks 2021
- MUFG Union Bank OCC Cease and Desist Order – This September, the OCC announced a cease and desist order relating to MUFG Union Bank for deficiencies in its information security program. The order outlines a series of compliance steps that the bank would be required to undertake. We view this order as a good indication of what the US government identifies as necessary components to a reasonable cybersecurity compliance program. Consistent with our guidance here, and accepted principles of good cybersecurity, the order requires, among other things, direct Board involvement, management, and oversight over information security, as well as a cybersecurity risk assessment (referred to as a “Technology Risk Assessment” in the order). Cease and Desist Order -- C&D (occ.gov)
- DOJ Whistleblower Initiative – This October, the DOJ announced its new Civil Cyber-Fraud Initiative, designed to incentivize employees of government contractors to inform the government of failures to disclose breaches or other failures to follow “cybersecurity standards.” Deputy Attorney General Lisa O. Monaco noted: “For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it …. Well that changes today. We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk.” Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative | OPA | Department of Justice
- Good cybersecurity can get you out of a sanction
- OFAC’s Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (“Updated Ransomware Sanctions Advisory”) – In connection with the first of two recent sanctions by OFAC against crypto exchange providers, OFAC announced in September its Updated Ransomware Sanctions Advisory. The fact that OFAC took action against a number of crypto exchange providers for providing material support for criminal ransomware actors might have suggested to some that the US Government is focused on the payment side of the ransomware economy, and that certainly appears to be at least partially true. But even when announcing the first of these two actions, OFAC made an interesting update to its guidance regarding ransomware sanctions risk. In its 2020 advisory, OFAC indicated that, while sanctions liability is strict (i.e., good faith mistakes are not a defense), OFAC would consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome. ofac_ransomware_advisory_10012020_1.pdf (treasury.gov) The Updated Ransomware Sanctions Advisory retains this mitigating factor, but goes on to explicitly “strongly discourage[] the payment of cyber ransom or extortion demands.” ofac_ransomware_advisory.pdf (treasury.gov) Most important to our point, however, is that, in addition to treating the self-initiated, timely, and full report to law enforcement of a ransomware attack as a mitigating factor, the Updated Ransomware Sanctions Advisory notes that OFAC will now consider “[m]eaningful steps taken to reduce the risk of extortion by a sanctioned actor through adopting or improving cybersecurity practices.”
- The US government has a sophisticated understanding of what good cybersecurity is, and expects your organization to have one as well
- The White House Executive Order on Improving the Nation’s Cybersecurity (the “Order”) – We have previously written about this May 2021 Order, and noted both that it represented a modern understanding of cybersecurity principles, and that, although the Order applies to federal contractors, it would soon form at least part of the basis for what is considered “reasonable cybersecurity.” Why everyone should care about the Executive Order on Improving the Nation’s Cybersecurity | DigiLinks | Blogs | Insights | Linklaters Within a week of our post, the White House’s Deputy National Security Advisor sent a memo to industry leaders regarding the threat of ransomware, urging them to implement the practices and principles outlined in the Order. Memo-What-We-Urge-You-To-Do-To-Protect-Against-The-Threat-of-Ransomware.pdf (whitehouse.gov)
In light of this legal and regulatory landscape, it is more important than ever for those on the frontlines of regulatory and legal risk exposure to have a good understanding of what is under the hood of their information security program. Do you?
What you can do to actually understand your organization’s cybersecurity posture
Due to the ever-changing nature of technology, security controls, and the cyber threat landscape, a good cybersecurity program takes a risk-based approach to addressing threats and requires continuous assessment and change. This practice is commonly referred to as an “information security risk assessment” or “cybersecurity risk assessment,” and is too often either not conducted at all by organizations, or involves the retention of an independent consultant, but without the involvement of counsel.
A good information security risk assessment starts by understanding the inherent risks to the enterprise. These are different for each company. For some, the primary risk may be for-profit hackers; for others, it may be espionage (theft of trade secrets) or attacks by nation-states. Of course, other risks exist, and companies should catalog those risks. After identifying the risks that are relevant to the enterprise, an assessment is undertaken to determine whether current security and data privacy controls, as well as the governance around them, address such risks, and to identify actionable objectives for closing any gaps. This practice is valuable to an organization in and of itself, because it ensures that security controls are adequate and resourced to provide an optimal return for the organization.
However, when counsel are involved, the risk assessment can do much more:
- First off, outside counsel are able to provide an overlay of the regulatory and legal risk associated with a technical review of an organization’s cybersecurity posture.
- Second, counsel can independently review and assess the governance framework and compliance policies complementing technical controls, oftentimes from the lens of regulators who may be interested in the organization’s cybersecurity posture after learning of a cybersecurity incident.
- Third, counsel’s advice regarding these assessments can provide the candor necessary for senior management to hear the unvarnished truth within the confines of the attorney-client privilege.
- Finally, and most importantly, a risk assessment run by qualified cybersecurity counsel can provide actual visibility, in plain English, into the cybersecurity posture of your organization by cutting through the technical jargon and identifying key issues that present real regulatory or legal risk. As seen in the recent First American SEC enforcement action, disconnects between the information security function and senior management are not acceptable, as cybersecurity is truly seen by the US government and cybersecurity experts worldwide as a top-tier risk for senior management to contend with.
How to get organizational buy-in
Chances are that if you have had a ransomware tabletop exercise that actually involves members of senior management, including the CEO (unless there is someone else who would be making the tough call of whether or not to pay a ransom), you have obtained some support for cybersecurity. In fact, this is one of the most valuable aspects of a tabletop exercise.
The unfortunate reality is that most organizations that conduct cybersecurity tabletop exercises test the people and functions that handle incidents on a regular basis. That is a good practice, no doubt. But why test those who deal with these issues regularly while failing to test those who have to be involved in crisis-level incidents? When an incident hits the fan, those technical functions, normally entrusted with the issue from front to end, now need to get senior executives, whose day-to-day jobs can be as far removed from issues of cybersecurity as you can imagine, to make key decisions and, more importantly, to understand the full impact of those decisions and when and why they need to be made.
At the same time, technical personnel may not be in a position to truly push back against poor decisions made in good faith, or may themselves act in a self-interested manner when deciding which facts are relevant for their bosses to know.
Those with key decision-making authority for the most severe incidents are the ones that benefit from tabletop exercises the most, as they often dispel very commonly held misconceptions regarding cyber threats, best practices, and how their organization manages cyber risk. To the extent that your organization does not do enough to minimize cyber risk, these exercises can help senior management understand that and commit resources to help address such concerns.
However, once buy-in is obtained, it is important to ensure that money is not simply thrown at a problem without senior management truly understanding what threats their information security functions are dealing with, how they are dealing with them, and whether or not a regulator would find that defensible.