US cyber security reflections on 2021 and predictions for 2022
January 2022 | EXPERT BRIEFING | RISK MANAGEMENT
financierworldwide.com
2021 was a notable year for cyber security, and as such it is important to reflect on recent cyber security events to be better prepared for 2022.
Vendor risk management
Increasing risk to supply chains was one of the top cyber security concerns in 2021. Attention to supply chain risk was ignited in December 2020 by news of the SolarWinds attack, in which IT resource management software used by many organisations, including the US government, was compromised. The fact that rogue code inserted into the software updates of a popular network monitoring tool could lead to thousands of organisations being compromised opened a lot of eyes to the potential risks posed by third-party suppliers.
Other cyber attackers are following suit. For example, Microsoft disclosed on 2 March 2021 that a hacking group operating out of China known as ‘Hafnium’ exploited a vulnerability in Microsoft Exchange, a popular email software programme, for the purpose of extracting data from a number of industry sectors. According to reports, at least 30,000 organisations in the US were impacted by the attack, including private companies, government agencies and universities.
On 7 May 2021, Colonial Pipeline, an American oil pipeline system that carries oil & gas mainly to the Southeastern US, suffered a ransomware cyber attack that impacted computerised equipment managing the pipeline. These are just some examples of cyber attacks which rocked 2021 and which serve as constant reminders to decision makers around the world that cyber attacks are becoming increasingly sophisticated and can have drastic consequences.
Regulators have also taken notice of these threats. For example, the US Securities and Exchange Commission (SEC) has indicated in its 2021 cyber security priorities that it will review whether firms have taken appropriate measures to oversee vendors and service providers. Likewise, the US Financial Industry Regulatory Authority (FINRA) has indicated that it will review whether organisations are “implementing and documenting formal policies and procedures to review prospective and existing vendors’ cybersecurity controls and managing the lifecycle of firms’ engagement with all vendors (i.e., from onboarding, to ongoing monitoring, through off-boarding, including defining how vendors will dispose of non-public client information)”. We expect vendor risk management to be an important area of focus in 2022, with greater regulatory scrutiny and higher disclosure expectations. Accordingly, organisations should consider ranking vendors by risk level to better ensure that security controls are appropriately tailored to the services provided and the sensitivity of the data which may be accessed or handled by such vendors.
Impact from President Biden’s executive order on cyber security
On 12 May 2021, President Biden signed an executive order, EO 14028, entitled ‘Improving the Nation’s Cybersecurity’, which is intended to bolster cyber threat intelligence and the federal government’s cyber security practices, as well as help government agencies make better decisions about responding to cyber threats and incidents. According to the White House, EO 14028 was issued in response to the SolarWinds, Microsoft Exchange and Colonial Pipeline cyber security incidents, which were, according to the statement, “a sobering reminder that US public and private sector entities increasingly face sophisticated malicious cyber-activity from both nation-state actors and cyber-criminals”.
President Biden’s executive order covers various topics, including the removal of barriers to the sharing of threat intelligence between the government and the private sector, the move of the federal government to secured cloud services and a zero-trust architecture (ZTA), the generalisation of multifactor authentication and encryption, the establishment of baseline security standards for the development of software sold to the government, and so on.
Although the new measures announced by EO 14028 are primarily applicable to federal governmental agencies, EO 14028 still has a significant impact for organisations that do business with the federal government and for the private sector in general. For example, EO 14028 directs the federal government to prepare a standard set of operational procedures (playbook) to be used in planning and conducting a cyber security vulnerability and incident response activity. Even if organisations have no obligation to implement the playbook, it is likely to have a trickle effect on the private sector. The fact sheet from the White House appears to acknowledge this possibility, stating that “the playbook will also provide the private sector with a template for its response efforts”.
Perhaps one of the most far-reaching requirements of EO 14028 is that it requires developers of software sold to the US government to provide greater visibility into their software and publish a software bill of materials (SBOM). An SBOM is defined in EO 14028 as “a formal record containing the details and supply chain relationships of various components used in building software” – in other words, an inventory of the third-party components used to build software and of the supply-chain relationships between them, like a list of ingredients on food packaging – and the SBOM should either accompany each product individually or be published on a public website. The goal of the SBOM is to help organisations manage risk by letting them quickly determine whether a vulnerable software component is present in a product. A second important component is a ‘labelling programme’ similar to Singapore’s Cybersecurity Labelling Scheme (CLS), which grades each IoT device according to its level of cyber security provisions, enabling consumers to identify products with better cyber security provisions and make informed decisions.
Although EO 14028 requires an SBOM only for software sold to the US government, it is likely that organisations in the private sector will start to ask for the same type of information in order to work with governmental agencies and with the software vendors that serve them.
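To make the SBOM’s purpose concrete, the following is an added example (not code from the article, from EO 14028 or from any SBOM tooling): it reads a minimal SBOM in the CycloneDX JSON layout and matches each component against an advisory list, which is exactly the “is a vulnerable component present in this product?” question the SBOM is meant to answer quickly. The SBOM contents, the package names and the advisory identifiers (EXAMPLE-ADV-…) are all constructed placeholders, and the version parsing is a simplified numeric comparison rather than a full package-URL or semantic-version implementation.

```python
"""Added example: match the components listed in a minimal CycloneDX-style
SBOM against a constructed advisory list.

The SBOM follows the CycloneDX JSON field names (bomFormat, specVersion,
components with name/version/purl), but every value below is constructed
for illustration; the advisory identifiers are placeholders, not real CVEs.
"""
import json

# Constructed SBOM for a hypothetical product; the component names are illustrative.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log-utils", "version": "2.14.1",
     "purl": "pkg:maven/org.example/log-utils@2.14.1"},
    {"type": "library", "name": "http-client", "version": "4.5.13",
     "purl": "pkg:maven/org.example/http-client@4.5.13"},
    {"type": "library", "name": "yaml-parser", "version": "1.26",
     "purl": "pkg:maven/org.example/yaml-parser@1.26"}
  ]
}
"""

# Constructed advisories keyed by package (the purl without its version).
# Each entry records the first affected version and the first fixed version.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "pkg:maven/org.example/log-utils",
     "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "EXAMPLE-ADV-0002", "package": "pkg:maven/org.example/yaml-parser",
     "introduced": "1.0", "fixed": "1.27"},
]


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically.
    Non-numeric pieces count as 0; this is a simplification, not full semver."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def split_purl(purl):
    """Separate 'pkg:type/namespace/name@version' into (package, version).
    Purl qualifiers and subpaths are not handled in this simplified example."""
    package, _, version = purl.partition("@")
    return package, version


def find_vulnerable_components(sbom_json, advisories):
    """Return (component name, version, advisory id) for every SBOM component
    whose version falls inside an advisory's [introduced, fixed) range."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # without a purl there is no reliable identity to match on
        package, version = split_purl(purl)
        current = parse_version(version)
        for adv in advisories:
            if adv["package"] != package:
                continue
            if parse_version(adv["introduced"]) <= current < parse_version(adv["fixed"]):
                findings.append((comp["name"], version, adv["id"]))
    return findings


if __name__ == "__main__":
    for name, version, adv_id in find_vulnerable_components(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES):
        print(f"{name} {version}: affected by {adv_id}")
```

Run as a script it reports the two constructed components whose versions fall below the advisories’ fixed versions; the http-client component has no matching advisory and is not reported. In practice the advisory list would come from a vulnerability feed rather than being embedded, and the component identity check would rely on the full package URL rather than a name alone, but the shape of the check is the same.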
Greater focus on cyber security disclosures
On 16 August 2021, the SEC announced that Pearson plc, a London-based public company that provides educational publishing and other services to schools and universities, agreed to pay $1m to settle charges that it misled investors about a 2018 cyber incident involving the theft of student data and administrator credentials.
According to the SEC, the company referred in its semi-annual report filed in July 2019 to a data privacy incident as a hypothetical risk, when the cyber incident had in fact already occurred. The SEC further alleged that the company subsequently indicated in a media statement that the breach may have included dates of birth and email addresses when such records were in fact known to have been stolen, and that the company did not patch a critical vulnerability for six months after being notified of it. The SEC also held that the company’s disclosure controls and procedures were not designed to ensure that those responsible for making disclosure determinations were informed of certain information about the circumstances surrounding the incident.
Notably, this was not an isolated incident. In June 2021, the SEC held that another company, First American Financial Corporation, made inaccurate disclosures regarding a cyber security incident reflecting inadequate disclosure controls and procedures. If anything, these cases show the increased focus on cyber security issues and the importance of disclosure controls and procedures to escalate cyber incidents and support any cyber security response plans in a timely manner. Likewise, in August 2021, the SEC announced it had sanctioned eight firms in three actions for failures in their cyber security policies and procedures that resulted in cloud-based email account takeovers exposing customers’ personal information, and for issuing breach notifications with misleading language suggesting that the notifications were issued much sooner than they were after discovery of the incidents.
It appears that this will be an area that the SEC will focus on going forward. In October 2021, the SEC indicated during its annual SEC Speaks seminar that it remains vigilant in pursuing public companies that do not reasonably disclose material cyber security incidents, including charging public companies for misleading disclosures about cyber security events or for inadequate controls related to such disclosures. On this basis, companies should exercise caution and care in their cyber security disclosures, ensuring that they are accurate and timely, do not contain any language that could potentially be misleading, and do not overstate their cyber security programme and procedures.
So, what can we expect for 2022 and beyond?
Looking forward, software supply chain risk management will likely emerge as a leading area of focus for organisations as they realise the extent to which they lack visibility into the software components they use or rely upon, and which have access to critical information.
We also expect to see an increased amount of discussion and sharing of cyber-threat information, as evidenced by EO 14028 removing barriers to threat information sharing between the US government and the private sector, or the recent signing of a Memorandum of Understanding (MOU) between the US and Singapore to expand cooperation on cyber security.
Ransomware attacks are likely to increase in frequency and severity. At the same time, cryptocurrency volatility and adoption are likely to continue their growth, which in turn makes cryptocurrency even more attractive for attackers as a means of payment for ransoms.
Cyber insurance providers will likely reevaluate how much coverage they can offer and how much it will cost clients. Underwriters will be demanding to see more detailed proof of clients’ cyber security measures and procedures than they had previously. For example, not using multifactor authentication, which requires a user to verify themselves using more than one method, could result in a rejection of the application, given that it is one of the security measures listed in EO 14028.
Regulatory scrutiny will likely further increase, and penalties imposed may extend beyond incident disclosure to cover other areas of inadequate transparency, such as software vulnerabilities.
Finally, states and federal agencies will continue to be more proactive in creating, revising and enforcing privacy and cyber security requirements, which would ultimately result in an increase in litigation against organisations that do not maintain and follow appropriate policies for vulnerability and patch management, as well as cyber incident response.
Paul Lanois is a director at Fieldfisher. He can be contacted on +1 (650) 313 2361 or by email: paul.lanois@fieldfisher.com.
© Financier Worldwide
By Paul Lanois, Fieldfisher