United States:

Biden Administration Beseeches Business Leaders – Better Cybersecurity Now

Last week, after weeks and months of advisories and admonitions relating to recent ransomware attacks, the White House issued an extraordinary letter to “Corporate Executives and Business Leaders” urging them:

To understand your risk, immediately convene their leadership teams to discuss the ransomware threat and review the corporate security posture and business continuity plans to ensure you have the ability to continue or quickly restore operations.

(Emphasis added).

The letter also stated that the private sector has a critical responsibility to protect against threats and to “ensure [the] corporate cyber defenses match the threat.” Referring back to the recent Executive Order on Improving the Nation’s Cybersecurity, the letter strongly urged business leaders to implement these “high impact” best practices:

  • Multifactor authentication – because
    passwords alone are routinely compromised.

  • Endpoint Detection and Response – to
    support proactive detection of cybersecurity incidents.

  • Encryption – for data at rest and in
    transit, so if data is stolen it is unusable.

  • A skilled, empowered security team to share and analyze threat
    information.

  • A security team to administer an effective patch management
    program.

That the letter was specifically directed at business leaders is not unusual. Federal agencies have repeatedly urged business leaders that adherence to cybersecurity ‘industry standards’ is a legal obligation.

In July 2019, the Federal Trade Commission (FTC) announced a $700 million settlement with Equifax for deficient cybersecurity practices. As part of the settlement, the FTC mandated that Equifax’s directors and officers:

  • be informed about any material evaluations or updates to its
    information security program every 12 months;

  • evaluate, assess and identify gaps and weaknesses in
    Equifax’s information security program; and

  • certify every year for 20 years that Equifax is in compliance
    with the FTC’s settlement.

In January 2020, the FTC announced that it would be implementing
a “new and improved” approach to cybersecurity
enforcement actions that requires “Board[s] or similar
governing bodies” and “senior managers” to
“gather detailed information about the company’s
information security program, so they can personally corroborate
compliance” with the organization’s written information
security program (WISP).

Based on research suggesting that the FTC’s efforts to improve corporate governance on cybersecurity issues were timely and well founded, the FTC stated that it would create further incentives for high-level oversight of, and appropriate attention to, cybersecurity.

In April 2021, the FTC issued detailed guidance on the role business leaders must play in cybersecurity. In a post titled Corporate boards: Don’t underestimate your role in data security oversight, the FTC stated that “[c]ontrary to popular belief, data security begins with the Board of Directors, not the IT Department.”

The FTC then listed strategies that business leaders should
consider implementing which included:

  • Build a team of stakeholders from across your organization – the team “should incorporate
    stakeholders from business, legal, and technology departments
    across the company – both high-level executives and
    operational experts.”

  • Establish board-level oversight – this
    helps to “ensure that cybersecurity threats, defenses, and
    responses have the attention of those at upper echelons and get the
    resources needed to do the job right.”

  • Hold regular security briefings –
    cybersecurity is dynamic, therefore, “[r]egular briefings
    prepare boards to carry out their oversight responsibility,
    navigate the security landscape, and prioritize threats to the
    company.”

In addition to the letter, the White House issued a memorandum
that requires federal prosecutors involved with ransomware or
digital extortion investigations to:

  • utilize enhanced notification requirements to relevant federal
    taskforces of findings and developments; and

  • coordinate with federal agencies and taskforces, including with
    the Department of Justice’s Criminal Division’s Computer
    Crime and Intellectual Property Section (CCIPS).

Despite the United States Supreme Court’s ruling last week limiting certain aspects of the federal government’s authority to prosecute cybersecurity incidents, the letter, recent FTC guidance, and the memorandum demonstrate the central role of the federal government and business leaders in preventing and investigating cybersecurity attacks.

Originally Published 11 June 2021

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
