The Atlanta Lawyer January/February 2022 Vol. 20, No. 4 | Page 23

IN THE PROFESSION
Triple Extortion & Sophistication
Part of the increase in concern is the array of methods of holding companies or governments hostage so they have less of a chance to mitigate damages or even to effectively negotiate with hackers. While previously the threat was an encryption of a company's systems until a ransom payment was made, companies now face the possibility that their networks will be locked down while at the same time the company's sensitive data will be exfiltrated. This is further exacerbated by the new market of "ransomware-as-a-service," through which any individual with an ability to access the dark web can hire professional attackers to perform a job for the right price. In fact, some hackers are using penetration tools to customize attacks on the fly. All of this leads to an exponential number of possible threat vectors instead of an attack likely only coming from a relatively small number of professional organizations. Further compromised are customers and business partners of companies subject to an attack, necessitating a fully holistic and shared approach to mitigating and handling attacks.
Supply Chain Attacks
Devastating cyberattacks on governmental, technology and supply chain sectors marked 2021. The SolarWinds, Codecov and Kaseya hacks spring immediately to mind. Attackers have exploited the uncertain environment and unique risks stemming from the COVID-19 pandemic, leading to a 29% increase in global cyberattacks. Many apps and other systems developed for the purposes of assisting people with COVID-19-related issues have been impersonated or simply hacked, leading to further damage. Over 50 percent of the malicious apps intended to exploit COVID-19 risks are related to TikTok.
Government Response
Last year also saw a significant increase in government regulations and initiatives set on curbing the damage caused by cyberattacks, culminating in President Biden issuing an executive order regarding the country's cybersecurity as a whole. In May, President Biden's executive order responded to a series of concerning incidents by mandating new guidance on cybersecurity requirements from several federal agencies, in addition to spurring government software and hardware providers to step things up to retain their government contracts. Other U.S. government agencies and states followed suit:
• OFAC: In September, the U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) issued an updated advisory on paying ransoms and the risk of potential sanctions that companies face in making such payments.
• SEC and FINRA: The U.S. Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) have each published reports outlining regulatory examination priorities for 2021 that include a notable emphasis on cybersecurity issues.
• NYDFS: The New York Department of Financial Services (NYDFS) issued industry guidance on ransom payments and how this fuels additional attacks. NYDFS further recommended against paying ransoms and instructed companies to adopt a defense-in-depth strategy layering multiple security controls within their environment.
Mitigation Strategies
It is an adage, but like most adages, it has a kernel of truth to it: it is not a matter of if, but when. What can you do now to mitigate your risk?
• Inventory and Map Your Data: You must know what data you touch, where it comes from, where it goes and how long you keep it. Particularly important here is the question of where any personal data subjects are resident, as this will drive jurisdiction-specific breach notification requirements if there is a data breach.
• Review Data Security Controls: If you are trying to put controls in place after the fact, it is too late! Review your current controls and processes now, identify any gaps and take steps to remediate them.
Cybersecurity is increasingly an indispensable and unavoidable aspect of any corporate counsel's or business attorney's portfolio.
• Implement and/or Evaluate an Incident Response Plan: An incident response plan is key, and no business is too small to have one. Again, the last thing you want to do when you are hit with a security incident is to be trying to come up with a plan on the fly. You need to have one now. There are many standard-setting organizations out there that can provide you with guidance and best practices, and consultants and outside counsel abound to advise on implementation.
• Cyber Insurance: If your business accesses or uses personal data, you need to talk to an insurance professional about buying coverage to protect against losses from a security event. Fair warning, though: coverage is increasingly expensive, and costs do not appear to be going down any time soon. Year-over-year premium increases of 2x, 3x or even higher are not uncommon given the current threat environment. Key issues of
(continued on page 25)
www.atlantabar.org THE ATLANTA LAWYER 23