The global “ransomware” cyberattack in early May 2017 resulted in tens of thousands of computer systems being taken hostage by hackers and, in the instances involving hospitals, put lives at risk.[1] Companies that suffered breaches are exposed to liability, and many of the breaches reportedly could have been prevented by an act as simple as installing the latest updates to Windows operating systems.[2]
By now, everyone knows—even as they hope to be spared—that cyberattacks are a big problem. One recent estimate projected that cybercrimes cost the global economy $445 billion in 2016 alone.[3] Other projections anticipate that the cost of cybercrimes will be close to two trillion dollars globally by 2019.[4] Beyond the integrity of an employee’s office computer, industry leaders recently spoke about the serious cybersecurity risks created by the “Internet of Things”—that is, the dissemination of Internet-connected “smart devices,” now present in everything from cars to thermostats and healthcare equipment.[5] And, as the May 2017 ransomware attacks demonstrated, no individual or entity is immune to a cyberattack.
The New York Department of Financial Services (“DFS”) already has implemented a regulatory scheme for the imposition of penalties on businesses that do not comply with cybersecurity guidelines. As of March 1, 2017, New York financial institutions subject to DFS oversight have been required to comply with new cybersecurity rules, or face stiff penalties. And the Securities and Exchange Commission (“SEC”) has recently cautioned that companies with deficient cybersecurity disclosures may soon face SEC enforcement actions. What is clear is that cybersecurity is an issue that no business can afford to ignore—regardless of industry.
The New Cybersecurity Regulations Implemented by DFS Introduce Measures That Exceed Existing Guidance
The new DFS cybersecurity regulations require New York financial institutions to, among other things, adopt a cybersecurity program, implement and maintain a cybersecurity policy, and designate a qualified chief information security officer. These new measures are a “sea change in how government approaches cybersecurity.”[6] Indeed, in a press release announcing the implementation of the new rules, Governor Andrew Cuomo characterized the measures as “the first-in-the-nation cybersecurity regulation.”[7] According to some reports, the new measures well exceed current general practices among financial institutions.[8] For instance, the new regulations will require data encryption measures, enhanced multi-factor authentication, annual certification, and incident reporting. Deadlines for compliance are coming as soon as August 28, 2017. All of this means that businesses should start taking steps to comply with these measures now.
Although the SEC Has Not Yet Brought a Cybersecurity-Related Enforcement Action, It Soon May
It is not only financial institutions doing business in New York that need to be aware of regulators’ focus on cybersecurity. In response to questions, the SEC’s Acting Enforcement Director, Stephanie Avakian, recently stated that, under the right circumstances, the SEC “absolutely” would bring an enforcement action against a company with inadequate cybersecurity disclosures.[9] Although the SEC has not yet brought an enforcement action based on insufficient cybersecurity disclosures, it appears ready to do so. And, arguably, with an increasing number of front page stories on devastating cyberattacks, the pressure is mounting for the SEC to act. This means that public companies and securities firms, in addition to banks and other financial institutions subject to the oversight of New York’s DFS, must ensure that their cybersecurity measures, and disclosures about those measures, are robust.
The Government Is Taking More Aggressive Steps to Prevent Cyberattacks, Both Offensive and Defensive
The U.S. Senate Committee on Homeland Security and Governmental Affairs recently heard testimony that the government is not doing enough to stop cyberattacks, both by private hacker groups and by other nation-states.[10] One view is that the government’s strategy of shining a spotlight on companies that suffer cyberattacks, without also seeking to prosecute the offenders who committed the cyberattacks, is akin to blaming the victim. Another view is that the government should focus its energy on doing the things that corporate America cannot do—such as filing criminal charges or retaliating against foreign powers that sponsor hackers.
Also, President Trump recently signed an executive order designed to fortify the cybersecurity of the federal government by mandating that the government’s information technology follow the “Framework for Improving Critical Infrastructure Cybersecurity,” which was developed by the National Institute of Standards and Technology.[11] While the order applies only to the federal executive branch, some consider it to be a positive first step toward more robust cybersecurity technology.[12] But the new measures in the executive order are already being criticized as insufficient.[13] The takeaway is that, although the federal government is improving its own cybersecurity, even those measures may not be enough, and the measures do not extend to the private sector. It remains to be seen whether the government changes its strategy as to investigating and prosecuting cybercriminals in its effort to protect businesses.
Companies Need to Take Action Now
While the federal government is making overtures toward protecting companies, financial institutions, and individuals from cyberattacks, any new measures will take time to implement and prove effective. Thus, the onus remains on companies and employees to work with their internal information security team, outside counsel, and security consultants to ensure that they are not only in compliance with governing regulations, but that they have also put themselves in the best position to defend against a cyberattack and respond if they find themselves the victim of one.
Regardless of industry, it is critical that companies assess and address data security risks and ensure compliance with applicable regulations, particularly in light of increased focus by regulators. Implementing robust cybersecurity protocols should be at the forefront in 2017.
- Allison Grande, “Global Cyberattack Exposes Big Liabilities for Simple Fixes,” Law360 (May 14, 2017, 4:55 PM), http://www.law360.com/privacy/articles/923818/global-cyberattack-exposes-big-liabilities-for-simple-fixes.
- Harriet Taylor, “An Inside Look at What’s Driving the Hacking Economy,” CNBC (Feb. 5, 2016, 10:02 AM), http://www.cnbc.com/2016/02/05/an-inside-look-at-whats-driving-the-hacking-economy.html.
- Steve Morgan, “Cyber Crime Costs Projected to Reach $2 Trillion by 2019,” Forbes (Jan. 17, 2016, 11:01 AM), http://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#23a224e3bb0c.
- Jimmy Hoover, “AT&T, Cisco Leaders Warn of Privacy, Safety Threats,” Law360 (Apr. 27, 2017, 1:49 PM), http://www.law360.com/technology/articles/918076/at-t-cisco-leaders-warn-of-privacy-safety-threats.
- James E. Lee, “Will New Cybersecurity Legislation Offer Better Protection for Consumers?”, Infosecurity Magazine (May 9, 2017), http://www.infosecurity-magazine.com/opinions/will-new-cybersecurity-legislation/.
- Press Release, Governor Cuomo Announces First-in-the-Nation Cybersecurity Regulation Protecting Consumers and Financial Institutions From Cyber-Attacks to Take Effect March 1, Department of Financial Services (Feb. 16, 2017), http://www.dfs.ny.gov/about/press/pr1702161.htm.
- See, e.g., Clarke Cummings, et al., “Cyber: New York Regulator Moves the Goalposts,” Financial Crimes Observer (Sept. 2016), http://www.pwc.com/us/en/financial-services/financial-crimes/publications/assets/NY-DFS-proposes-cybersecurity-regulations.pdf.
- Jimmy Hoover, “SEC Suits over Cyber Reporting Could Be on Horizon,” Law360 (Apr. 20, 2017, 1:25 PM), http://www.law360.com/privacy/articles/915377/sec-suits-over-cyber-reporting-could-be-on-horizon.
- Allison Grande, “Feds Need to Dial up Cyberattack Responses, Senate Told,” Law360 (May 10, 2017, 10:22 PM), http://www.law360.com/privacy/articles/922140/feds-need-to-dial-up-cyberattack-responses-senate-told.
- Alfred Ng, “Trump’s Cybersecurity Order: Out with ‘Antiquated Systems’,” CNet (May 11, 2017, 1:11 PM), http://www.cnet.com/news/president-trump-signs-cybersecurity-executive-order/.
- Bob Ackerman, “Trump’s Cybersecurity Executive Order is a Good First Step,” TechCrunch (May 13, 2017), http://techcrunch.com/2017/05/13/trumps-cybersecurity-executive-order-is-a-good-first-step/.