Thursday, April 21, 2022

The Russians Are Coming! The Russians Are Coming? Or Maybe the FTC

As we watch the televised Russian invasion of Ukraine, with horrific destruction and casualties caused by missiles, tanks, and other conventional warfare, the hostilities may seem far away. As Russia continues to suffer setbacks in its conventional military approach, we are likely to see cyberattacks that could spread beyond the Russian-Ukrainian conflict.

In a meeting with business leaders on March 21, Joe Biden gave the following warning:

“This is a critical moment to accelerate our work to improve domestic cybersecurity and bolster our national resilience. I have previously warned about the potential that Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners. It’s part of Russia’s playbook. Today, my administration is reiterating those warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks…….

If you have not already done so, I urge our private sector partners to harden your cyber defenses, immediately implementing the best practices we have developed together over the last year. You have the power, the capacity, and the responsibility to strengthen the cybersecurity and resilience of the critical services and technologies on which Americans rely. We need everyone to do their part to meet one of the defining threats of our time — your vigilance and urgency today can prevent or mitigate attacks tomorrow.”

The FBI has warned businesses, banks and local governments about the increased risk of cyberattacks, and the Cybersecurity & Infrastructure Security Agency (CISA) within the U.S. Department of Homeland Security has issued a “Shields Up” warning to counter possible Russian attacks.

Businesspeople may want to check their cyber insurance policies for any “act of war” exclusions. It is not time to panic, but it is a great time for a business to review its data security program and practices to make sure they are ready for any cyberattack, no matter where it comes from.

Just to make sure I actually sound like a lawyer, if fear of a Russian cyberattack is not reason enough to update your data security practices, consider the possibility of an enforcement action from a regulator such as the Federal Trade Commission (“FTC”).

On October 27, 2021, the FTC announced the final amendments to the Safeguards Rule of the Gramm-Leach-Bliley Act. These amendments expand the definition of financial institutions covered by the law and impose new, burdensome requirements related to data security. While the requirements do not become effective until later this year (October 27, 2022), covered businesses should already be taking steps to prepare to comply.

Motor vehicle dealers and colleges are just two examples of non-banking financial institutions that fit the expanded definition of so-called “finders.” These parties are required to implement and maintain a comprehensive data security system that protects customer information.

In general, the amendments impose a wide array of more specific requirements on the covered business or organization, including encryption, employee training, secure development practices, multi-factor authentication, information disposal procedures, vendor management, reporting to boards of directors, and assigning a person to implement and manage the data security program. By adopting these FTC-mandated data security safeguards, a business will not only comply with the new Safeguards law but will also be better positioned to defend against cyberattacks, including any initiated by Russia.

In addition to taking steps to comply with the new Safeguards Rule, the following are best practices for all businesses to mitigate risk and be prepared for cyberattacks:
  1. Assess your risk
  2. Upgrade and test backups
  3. Practice your incident response plan
  4. Block unwanted traffic
  5. Implement multi-factor authentication (MFA)
  6. Patch vulnerabilities

By taking action now and not waiting for a cyberattack, a business can avoid significant business loss and disruption. To those businesses who feel comforted by the fact that they have never experienced ransomware, cyberattacks, data breaches, or other forms of unauthorized access to data, I say: It is not a matter of if you will experience such unauthorized access but when such an attack or data breach will occur.
