Important Changes in Cybersecurity and Data Governance
In recent months, we have seen a dramatic increase in the interest of regulators, government agencies, and legislators in matters of cybersecurity and data governance. Below is a discussion of recent agency guidance, proposed legislation, and policy statements pertaining to cybersecurity and how they may affect your organization. Small and mid-sized businesses should take note, as these actions, pronouncements, and proposals apply not only to tech companies or large companies.
From a practical perspective, the greatest overall risk (combining size and probability) faced by most companies today is financial loss from a cyber incident. It therefore makes sense for company boards and senior management to take notice of these developments and adjust their risk management focus accordingly. If a post-incident review documents that a company’s board or management failed to provide oversight of a cyber governance framework, one that includes board-level policies for implementing data privacy and protection measures and appropriate monitoring of those programs, litigation or fines will likely follow, on top of the losses actually incurred. Board members may also find themselves facing shareholder litigation or regulatory fines for failing to meet their fiduciary duty to protect company assets.
For all of these reasons, we encourage you to either begin or continue active discussions in your organization about your cyber governance policies and procedures.
Department of Labor
On April 14, 2021, the Department of Labor announced new cybersecurity guidance directed at plan sponsors[1] and fiduciaries[2] regulated by the Employee Retirement Income Security Act, and plan participants and beneficiaries. This guidance was provided in three forms:
Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor its activities, as ERISA requires. This includes the questions that sponsors and fiduciaries should ask about a provider’s services and the criteria to consider in making the determination.
Cybersecurity Program Best Practices: Assists plan fiduciaries and record-keepers in their responsibilities to manage cybersecurity risks.
Plans’ service providers should:
Have a formal, well documented cybersecurity program.
Conduct prudent annual risk assessments.
Have a reliable annual third-party audit of security controls.
Clearly define and assign information security roles and responsibilities.
Have strong access control procedures.
Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
Conduct periodic cybersecurity awareness training.
Implement and manage a secure system development life cycle (“SDLC”) program.
Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
Encrypt sensitive data, stored and in transit.
Implement strong technical controls in accordance with best security practices.
Appropriately respond to any past cybersecurity incidents.
Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss.
Register, set up and routinely monitor your online account
Use strong and unique passwords
Use multi-factor authentication
Keep personal contact information current
Close or delete unused accounts
Be wary of free wi-fi
Beware of phishing attacks
Use antivirus software and keep apps and software current
Know how to report identity theft and cybersecurity incidents
Federal Legislation
On September 28, 2021, Senator Gary Peters introduced the Cyber Incident Reporting Act of 2021, which, if enacted, would:
Require critical infrastructure companies to comply with a 72-hour reporting requirement similar to that already imposed on defense contractors;
Require reporting on ransomware events by requiring organizations, including businesses with more than 50 employees, nonprofits, and state and local governments, to notify the Cybersecurity and Infrastructure Security Agency (“CISA”) if they make a ransom payment;
Require evaluation of alternative options before making a ransom payment, as the U.S. government currently advises organizations not to pay ransomware gangs to unlock their data due to concerns it will further incentivize those groups;
Provide CISA with the authority to subpoena entities that fail to report cybersecurity incidents or ransomware payments; and
Require CISA to launch a program that will warn organizations of vulnerabilities that ransomware actors exploit, and direct the National Cyber Director to establish a joint ransomware task force to coordinate federal efforts, in consultation with industry, to prevent and disrupt ransomware attacks.
Department of Justice
On October 6, Deputy Attorney General Lisa O. Monaco announced the Department of Justice’s (“DOJ”) new “Civil Cyber-Fraud Initiative,” which will “utilize the False Claims Act to pursue cybersecurity related fraud by government contractors and grant recipients.” The initiative will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches. Among the other benefits cited by the DOJ, the False Claims Act includes a whistleblower provision that allows private parties to assist in pursuing fraudulent conduct while remaining protected from retaliation.
U.S. Treasury Department
On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) released additional ransomware response guidance under which sanctions may be imposed on those who use a cryptocurrency exchange to make or facilitate ransomware payments, even if the company did not know that the entity receiving the payment was a threat actor on, or with a substantial nexus to an entity on, the sanctions list.
OFAC’s new guidance also provides companies with “meaningful steps” that can be taken to reduce the risk of extortion through improved cybersecurity practices, thereby reducing the likelihood of enforcement actions. These steps include:
Developing incident response plans;
Maintaining offline backups of data; and
Employing authentication protocols.
OFAC noted—and companies should do the same—that taking those steps could be a “significant mitigating factor” in enforcement responses.
If you have any questions or concerns about these regulatory actions or require assistance in implementing any of these objectives, please contact Kennedy Sutherland.
[1] 29 U.S. Code § 1002 (16) (B): The term “plan sponsor” means (i) the employer in the case of an employee benefit plan established or maintained by a single employer, (ii) the employee organization in the case of a plan established or maintained by an employee organization, (iii) in the case of a plan established or maintained by two or more employers or jointly by one or more employers and one or more employee organizations, the association, committee, joint board of trustees, or other similar group of representatives of the parties who establish or maintain the plan, or (iv) in the case of a pooled employer plan, the pooled plan provider.
[2] Under ERISA section 3(21), a fiduciary is a person who, with respect to employee pension plans, has discretionary authority or control over the plan or its assets.