The United States Congress recently passed legislation that includes new cybersecurity provisions requiring critical infrastructure providers to report cyber security incidents, including the payment of ransom, to the federal government. The bill, also known as the “Strengthening American Cybersecurity Act of 2022,” passed the Senate by unanimous vote on March 1. It then passed the House of Representatives and was signed into law by President Biden on March 15, 2022.
Recognizing that cyberattacks have already commenced and could spread beyond the Russian-Ukrainian battlefield, organizations can take several steps to protect themselves. They can recognize the risk. Then organizations can assess likely cyber threats and vulnerabilities, build resilience and take preventive actions, to avoid becoming another casualty in a conflict that already has too many.
With cyberattacks continuing to plague the financial services industry, the New York Department of Financial Services (NYDFS) recently released new guidance for regulated entities related to the use of Multi-Factor Authentication (MFA) and cybersecurity frameworks.
On December 7, 2021, NYDFS issued a formal Industry Letter entitled Guidance on Multi-Factor Authentication. According to the Industry Letter, MFA “is an essential part of cybersecurity hygiene . . . which is why it was one of the few technical controls explicitly required by” the NYDFS Cybersecurity Regulation, 23 NYCRR Part 500 (the Cybersecurity Regulation). However, the Industry Letter goes on to note that “MFA weaknesses are the most common cybersecurity gap exploited at financial services companies,” most often due to MFA “being absent, not fully implemented, or configured improperly.” Specifically, NYDFS noted that, from January 2020 to July 2021, more than 18.3 million consumers were impacted by cybersecurity incidents reported to NYDFS that were linked to an MFA failure.
On December 6, 2021, in the Memorandum for the Heads of Executive Departments and Agencies, the Office of Management and Budget took a more aggressive position on strengthening the nation’s cybersecurity posture. Under this memorandum, federal agencies are now mandated to report “major” cyberattacks within one hour of discovery to the Cybersecurity and Infrastructure Security Agency (CISA) and to the Office of Management and Budget (OMB). It also directed that affected agencies update reports within one hour of determining that an already-reported incident is determined to be “major.”
Ransomware incidents continue to be on the rise, wreaking havoc for organizations globally. Ransomware attacks target an organization’s data or infrastructure, and, in exchange for releasing the captured data or infrastructure, the attacker demands a ransom. This creates a dilemma for organizations — the decision to pay the ransom, relying on the attacker to release the data as they say, or to reject the ransom demand and try to restore the data or operations on their own.
A bipartisan group of 14 United States senators recently introduced proposed legislation that would require federal contractors and operators of critical infrastructure to disclose any cyber intrusion within 24 hours. A copy of the proposed legislation can be found here.
Currently, there is no federally mandated reporting requirement for cyberattacks on American infrastructure targets. The newly proposed legislation is designed to prevent these attacks from going unreported and uninvestigated.