On September 30, 2022, the White House kicked off Cybersecurity Awareness Month by reminding citizens of the impacts cyberattacks can have on critical infrastructure such as “electric grids and fuel pipelines … and many other critical services,” and the importance of partnering with private industry and exchanging information about cyber threats.1
A few days after the above proclamation, a jury convicted the former Chief Security Officer of Uber of concealing from the FTC a 2016 data breach that exposed the personal information of about 57 million users and was linked to other data breaches.2 The former CSO awaits sentencing, which could be up to five years in federal prison.
During his trial, the former CSO claimed he was being scapegoated, and that Uber’s legal team and others knew about the 2016 data breach and failed to report it in a timely manner. Ironically, about a month ago Uber was hacked again after an employee was tricked into providing access to its network. This time Uber reported the incident to law enforcement.
So what are the takeaways from last week’s conviction of Uber’s former CSO, at a time when raised awareness is not keeping pace with threat levels, and unscrupulous adversaries are only becoming more effective, as evidenced by incidents involving the Los Angeles Unified School District, Australian telecommunication companies, American Airlines, DoorDash, and U-Haul?
The Basics
To demonstrate good faith efforts to keep pace with an ever-evolving threat landscape and expanding cybersecurity legal obligations, organizations should develop, implement and maintain the following:
Refine your Cybersecurity Incident Response Plans (IRP)
- Update response processes to make sure they articulate communication, documentation and evaluation activities:
  - For example, compare the NIST Computer Security Incident Handling Guide, which has 20 recommendations for an incident response plan;
  - If you are a critical infrastructure organization,3 stay tuned for new IRP recommendations as NIST revises its Framework for Critical Infrastructure Cybersecurity;4
- Empower your IRP Team by defining clear roles, responsibilities and levels of decision-making authority;
- Ensure your IRP’s external and internal communications and information sharing policies and procedures are up to date;
- Address documentation and reporting for cybersecurity events and related incident response activities based on new requirements;5 and
- Make sure any training for revisions to the IRP after an incident is provided to the IRP team and leadership teams as soon as practical.
Revisit your Cybersecurity Risk Assessment (RA)
- Conduct an assessment to analyze your alignment with industry standards and ensure vulnerabilities targeted by ransomware have been addressed.
- According to the New York Department of Financial Services, an RA should:
  - Articulate any reasonably necessary changes, and then the plans to address any issues raised in the RA;
  - Address any and all plans for revisions of controls to respond to technological developments and evolving threats, which should all consider the particular risks of the business’s operations related to cybersecurity, personal or sensitive information collected or stored, the information systems utilized and the availability and effectiveness of controls to protect personal and sensitive information and information systems;
  - Describe any and all plans for updating or creating written policies and procedures to include criteria for:
    - Evaluation and categorization of identified cybersecurity risks or threats facing an organization;
    - Assessment of the confidentiality, integrity, security and availability of an organization’s information systems and personal and sensitive information, including the adequacy of existing controls in the context of identified risks; and
    - Describing how identified risks will be mitigated or accepted based on the RA and how the cybersecurity program will address the risk.
Realign your Written Information Security Program (WISP)
- Ensure your organization’s WISP includes updated administrative, technical and physical safeguards by incorporating industry standards;
- Leverage laws and regulations that promote specific industry standards, for example:
  - Utah’s Cybersecurity Affirmative Defense Act states that a WISP that reasonably conforms to an industry-recognized cybersecurity framework provides a safe harbor from lawsuits;
  - Ohio’s Data Protection Act lists certain industry organizations (e.g., the Payment Card Industry Data Security Standard (PCI)) and regulatory schemes (e.g., the Health Insurance Portability and Accountability Act (HIPAA)) as examples; and
  - New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) includes specific agencies such as the New York State Education Department and its Department of Motor Vehicles.
- Analyze regulatory decisions for guidance on when to update a WISP; for example, the FTC requires parties it has entered into settlement agreements with to:
  - Evaluate and adjust a WISP in light of any changes to operations or business arrangements, including new or more efficient technological or operational methods to control for risks, or any other circumstances that an organization knows or has reason to know may have an impact on the effectiveness of the WISP.
FOOTNOTES
3 https://www.cisa.gov/critical-infrastructure-sectors
4 https://www.nist.gov/cyberframework/framework
Romaine C. Marshall also contributed to this article.