Cybersecurity

Subscribe to Cybersecurity

As a part of National Cybersecurity Month, last week the Federal Trade Commission (FTC) launched a campaign to help educate and assist small businesses with cybersecurity.  In conjunction with the Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST), and the Small Business Administration (SBA), the FTC has published a collection of materials for small businesses about cybersecurity. These materials include information about the following:

  • Cybersecurity Basics;
  • Understanding the NIST Cybersecurity Framework;
  • Physical Security;
  • Ransomware;
  • Phishing;
  • Business Email Imposters;
  • Tech Support Scams;
  • Vendor Security;
  • Cyber Insurance;
  • Email Authentication;
  • Hiring a Web Host; and
  • Secure Remote Access.

Additional information about the cybersecurity campaign and access to the materials can be found here.

2018 Best Legal Blog Contest - Click to Vote

On October 16, 2018, the Securities and Exchange Commission (SEC) issued a report on the results of investigations made by the SEC’s Division of Enforcement into nine public companies that were victims of cyber-related frauds.  In each case, the SEC investigation focused on whether the target companies had complied with the applicable requirements of the Securities Exchange Act of 1934, as amended (Act). The Act requires public companies to devise and maintain a system of internal control over financial reporting designed to provide reasonable assurance that, among other things, transactions are executed in accordance with company management’s authorization, that transactions are properly recorded and that access to assets is permitted only with management’s authorization.

Ultimately, the SEC did not pursue enforcement actions against any of these companies, but released the report to advise public companies that cyber-fraud incidents must be taken into account when designing and maintaining internal control procedures. Continue Reading SEC Report Reiterates Cybersecurity Implications for Internal Control Requirement

CTIA, a trade association representing the wireless communications industry, recently announced a new cybersecurity certification program for IoT cellular-connected devices. The announcement comes shortly after NIST hosted a workshop in July regarding Considerations for Managing IoT Cybersecurity and Privacy Risks.

CTIA states, “[t]he program will protect consumers and wireless infrastructure, while creating a more secure foundation for smart cities, connected cars, mHealth and other IoT applications.” Tom Sawanobori, SVP and Chief Technology Officer at CTIA states that, “[t]he IoT Cybersecurity Certification Program harnesses CTIA’s network of authorized labs and reflects our commitment to securing networks and devices in an increasingly connected wireless world.”

According to CTIA, the Cybersecurity Certification Program is built upon NTIA and NIST IoT security recommendations. The Program will begin accepting devices for certification testing in October 2018.

More information about the Cybersecurity Certification Program can be found here.

On August 14, 2018, President Trump signed into law S. 770, the “NIST Small Business Cybersecurity Act.”  This Act requires the National Institute of Standards and Technology (NIST) to develop and disseminate resources for small businesses to help reduce their cybersecurity risks. The Act states that the resources should be:

  • “Generally applicable and usable by a wide range of small business concerns;
  • Vary with the nature and size of the implementing small business concern, and the nature and sensitivity of the data collected or stored on the information systems or devices of the implementing small business concern;
  • Include elements, that promote awareness of simple, basic controls, a workplace cybersecurity culture, and third-party stakeholder relationships, to assist small business concerns in mitigating common cybersecurity risks;
  • Include case studies of practical application;
  • Technology-neutral and can be implemented using technologies that are commercial and off-the-shelf; and
  • Based on international standards to the extent possible, and are consistent with the Stevenson-Wydler Technology Innovation Act of 1980.”

The eighteen month transitional period under the New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies expires on September 4, 2018. These requirements apply to entities, “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”  In less than a month, these Covered Entities subject to Part 500 are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.

These requirements include:

  • Implement and maintain audit trail requirements (500.06);
  • Adopt written application security requirements (500.08);
  • Adopt written data retention requirements (500.13);
  • Implement monitoring/unauthorized access requirements (Section 500.14(a)); and
  • Implement encryption requirements (500.15).

The final compliance deadline is March 1, 2019.  In addition to those aforementioned Covered Entities, credit reporting agencies with significant operations in New York were recently required to comply with the cybersecurity regulations.  More information about the Cybersecurity Requirements can be found here.

The U.S. Treasury recently released a report identifying improvements that would support nonbank financial institutions but also embrace innovation and technology.  Among other things, the report recommends the creation of a national data breach notification standard and the development of effective national and international Fintech policies, including Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) efforts.

In addition to the aforementioned, the report outlines roughly 80 suggestions meant to:

• “Embrace the efficient and responsible use of consumer financial data and competitive technologies;
• Streamline the regulatory environment to foster innovation and avoid fragmentation;
• Modernize regulations for an array of financial products and activities; and
• Facilitate ‘regulatory sandboxes’ to promote innovation.”

A copy of the report can be found here.

This post originally appeared in our sister publication, Insurance Recovery Blog.

For the second time in ten days, a federal appeals court ruled a crime insurance policy provides coverage for losses arising from a business email compromise. In American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America, No. 17-2014, 2018 WL 3404708 (Sixth Circuit July 13, 2018), the Sixth Circuit held that Travelers was obligated to provide coverage for a loss the insured suffered when it wired $834,000 to a thief’s bank account, believing that it was transmitting a payment to one of its Chinese subcontractors.

Losses arising from business email compromise exceeded $12.5 billion between October 2013 and May 2018. Business email compromise is a form of social-engineering fraud that targets both businesses and individuals who make payments by wire transfer. Thieves accomplish business email compromise by accessing e-mail accounts of vendors or customers of the insured or by invading the computer system of the insured. The thief then provides fraudulent instructions to the insured to wire funds to the thief’s bank account, usually for the stated purpose of paying legitimate invoices.

Continue Reading Sixth Circuit Finds Coverage Under Crime Policy for Business Email Compromise

On August 1, 2018, NIST will withdraw eleven SP 800 publications that are considered out of date.  These publications will not be revised.  According to NIST the following publications will be withdrawn:

  • SP 800-13 (October 1995), Telecommunications Security Guidelines for Telecommunications Management Network
  • SP 800-17 (February 1998), Modes of Operation Validation System (MOVS): Requirements and Procedures
  • SP 800-19 (October 1999), Mobile Agent Security
  • SP 800-23 (August 2000), Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
  • SP 800-24 (April 2001), PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
  • SP 800-33 (December 2001), Underlying Technical Models for Information Technology Security
  • SP 800-36 (October 2003), Guide to Selecting Information Technology Security Products
  • SP 800-43 (November 2002), Systems Administration Guidance for Securing Windows 2000 Professional System
  • SP 800-65 (January 2005), Integrating IT Security into the Capital Planning and Investment Control Process
  • SP 800-68 Rev. 1 (October 2008), Guide to Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist
  • SP 800-69 (September 2006), Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist

More information about these publications and the reason for withdrawal can be found here.

It seems that most employees and plan participants “think” their retirement money and data are not at risk.  This is due, in part, because:

  • there are few published incidents of breaches or potential hacks;
  • there has been not a single legal decision involving a cybersecurity breach and a retirement plan; and
  • there is no comprehensive federal regulation that protects qualified retirement plans and service providers.

This blog discusses whether retirement plans are really at risk; and if so why. It concludes with some helpful hints and practical advice to reduce such risks, some of which are tips employers (or plan sponsors) can share with retirement plan participants.

Continue Reading Cybersecurity & Retirement Plans

South Carolina has become the first state to enact cybersecurity legislation for the insurance industry.

On May 3, Governor McMaster signed a bill requiring South Carolina insurers to “develop, implement, and maintain a comprehensive information security program” for their customers’ data. 2017 SC H.B. 4655 (NS). Based on the insurance industry model rules, the South Carolina Insurance Data Security Act has three primary aims: it requires “licensees” to prevent, detect and remediate insurance customer data breaches.

Continue Reading South Carolina Requires Cybersecurity Program for Insurance Licensees