On January 11, 2022, the U.S. Department of Homeland Security’s Cyber Security and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) issued a joint advisory, warning of an increasing cybersecurity threat posed by Russian state-backed threat actors to U.S. critical infrastructure.
On December 11, 2021, the Cybersecurity and Infrastructure Security Agency, in partnership with the FBI and NSA, announced a critical remote code execution vulnerability had been identified in the Apache Log4j software library. This vulnerability allowed a successful threat actor to take control of a network system and cause a variety of damage, including the ability to launch ransomware, steal and destroy victim information, deploy malware, and disrupt internal and infrastructure operational control. Insurance regulators from four states have recently issued guidance in response to the threat, and it is likely more insurance commissioners will follow suit.
Cyber criminals are becoming increasingly sophisticated, and the costs to mitigate damage inflicted by a cyber breach are rising. With these threats in mind, cyber insurance has emerged as an attractive way for companies to mitigate risk. In this episode of the Faegre Drinker on Law and Technology Podcast, host Jason G. Weiss sits down with Faegre Drinker’s David Porteous, an authority on the securities regulations related to cybersecurity, and Conrad Deneault, a cyber insurance executive and provider of consultative risk management, to discuss cyber insurance, what it protects and how best to obtain it.
According to numerous government and media sources, malicious cyber actors are targeting a new “zero day” vulnerability on a massive scale. This vulnerability, referred to as “Log4j” or “Log4Shell,” has resulted in widespread exploitation of a critical remote code execution (RCE) vulnerability (CVE-2021-44228) in Apache’s Log4j software library.
Read the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA)’s guidance on the Log4j vulnerability here.
On December 6, 2021, in the Memorandum for the Heads of Executive Departments and Agencies, the Office of Management and Budget took a more aggressive position on strengthening the nation’s cybersecurity posture. Under this memorandum, federal agencies are now mandated to report “major” cyberattacks within one hour of discovery to the Cybersecurity and Infrastructure Security Agency (CISA) and to the Office of Management and Budget (OMB). It also directed that affected agencies update reports within one hour of determining that an already-reported incident is determined to be “major.”
In October, the United States Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) published new guidance for the virtual currency industry focusing on compliance with the financial industry’s obligations related to U.S. economic sanctions.
OFAC administers and enforces economic sanctions against targeted and/or sanctioned foreign countries, geographic regions, entities, and individuals to further U.S. foreign policy and national security goals.
As noted in the new guidance, virtual currencies now playing an increasingly prominent role in the global economy. The growing relevance of virtual currency, both as an investment and as a payment method, brings greater exposure to sanctions risks. Specifically, there is an increased risk that a sanctioned entity or an entity in a jurisdiction subject to sanctions might use virtual currency as an alternative to fiat currency in an effort to avoid U.S. sanctions. As such, the OFAC guidance specifically targets technology companies, virtual currency exchanges, virtual currency administrators, virtual miners, digital currency wallet providers, and users.