The year 2021 continues to reveal an alarming rise in ransomware attacks. Two of the most notable of such attacks include the ransomware attack on CNA Financial Corp., with resulting payment of $40 million in ransom, and the attack on Colonial Pipeline Co., with a ransom payment of $4.4 million.
With these two recent ransomware attacks—and subsequent payments—receiving massive publicity, congressional law makers have begun to question whether ransom payments should be permitted or remain legal, or if federal law makers should step in to prohibit such ransom payments as a means to curtail these forms of attacks. Although no bill taking that approach has been introduced yet, recent discussions of such a law have given rise to debate on the issue.
Continue reading “Federal Legislation Considers Banning Ransom Payments to Hackers”
The National Institute of Standards and Technology, commonly referred to as NIST, recently published a new computer framework for users to consider as a cyber-framework security model — the Zero Trust Architecture Model (ZTA). This new model was officially published in NIST SP 800-207 in late 2020.
Continue reading ““Zero Trust Architecture” Is Officially Here: NIST Publishes New Cybersecurity Framework”
The Homeland and Cyber Threat Act (HACT) was introduced in the U.S. House on March 12, 2021. This bill would allow U.S. citizens to sue foreign governments, agents and officials and to collect monetary damages for personal injury, damage or loss of property resulting from a cyberattack with foreign origins.
This bipartisan bill was introduced because cybersecurity activity and cyber incidents continue to rise, leading to increasing concerns of data security. Rep. Bergman, R-MI, a key sponsor of both this bill and a similar bill introduced in 2019, describes HACT as a tool of accountability for foreign states. The other bill sponsors (Reps. Allred, D-TX; Fitzpatrick, R-PA; Herrera Beutler, R-WA; Neguse, D-CO; and Kim, D-NJ) echo this theme of accountability and point to HACT as a way for Americans to “fight back against foreign cyberattacks.”
Continue reading “New Bill Proposes that Americans Should Be Able to Sue Foreign Hackers”
On April 15, 2021, the New York Department of Financial Services (NYDFS) issued a report on the recent SolarWinds cyberattack. A copy of the report is available here. NYDFS called the attack a “wake-up call” to regulated financial institutions and insurers that should cause them to immediately assess and, if necessary, improve their own cybersecurity posture in order to avoid victimization in future attacks.
NYDFS characterized the SolarWinds attack as a “widespread, sophisticated espionage campaign” by Russian foreign intelligence actors that resulted in “the most visible, widespread, and intrusive information technology supply chain attack” successfully completed to date. According to the report, the attack opened back doors into thousands of organizations around the United States and involved the theft of sensitive data from over 100 private sector companies, as well as at least nine federal agencies. NYDFS noted ominously that the attack highlighted the obvious “vulnerability to supply chain attacks” within the financial services industry.
Continue reading “New York Department of Financial Services Issues Report on SolarWinds Cyberattack”
Earlier this month, the New York State Department of Financial Services (NYDFS) announced a settlement and consent order with National Securities Corporation (National Securities) for $3 million in connection with National Securities’ violations of NYDFS’s Cybersecurity Regulation, 23 NYCRR Part 500 (Part 500).
National Securities sells life insurance, accident and health insurance, and variable life/variable annuities insurance. As part of its day-to-day operations, National Securities collects personal data from its customers.
Continue reading “New York Department of Financial Services and National Securities Corporation Agree to $3 Million Settlement in Cybersecurity Enforcement Action”
Due diligence is at the heart of negotiating and finalizing any major deal, and parties’ cybersecurity practices have become a focal point in the M&A due diligence process. In the latest episode of the Faegre Drinker on Law and Technology Podcast, host Jason G. Weiss and guests Paul Luehr and Dori Cain discuss the importance of cybersecurity due diligence in the mergers and acquisitions field, what criteria professionals evaluate in this process, and how “cybersecurity hygiene” can impact the deal-making process. The podcast covers a number of questions, including:
- What does the cybersecurity due diligence aspect of a merger or acquisition look like? Why is “cyber diligence” so important in the deal-making process?
- What insights or hard facts are cybersecurity professionals looking for when evaluating cybersecurity at the outset of the mergers and acquisition process? What “cyber hygiene” criteria should be assessed at every step of deal negotiations? Are there any common deal-breakers in this process?