Cyber Attacks Are Rising, New Cyber Security Legislation
The latest statistics from the Federal Bureau of Investigation (FBI) show that no industry is exempt from cyber attacks, which are increasing in both frequency and impact. Per the FBI's Internet Crime Complaint Center (IC3), exposed losses from Business Email Compromise (BEC) attacks have surpassed $43 billion globally and are still rising.
These losses, which the FBI calls "exposed losses," include both actual and attempted losses reported between June 2016 and December 2021. The FBI noted a 65 percent increase in identified global exposed losses between July 2019 and December 2021, most likely spurred by the COVID-19 pandemic, which forced many people into remote work from home environments that are typically less secure than the corporate network.
Ransomware attacks continue to be a significant problem as well. Ransoms are increasing and data is no longer merely encrypted and held for ransom. Recent research has shown that roughly 40 percent of all newly discovered ransomware includes data exfiltration as part of the attack process.
The exfiltrated (stolen) data is “dumped” on “shame” sites where hackers post names of corporate ransomware victims along with samples of stolen information to increase the likelihood the victim will pay a ransom. This is known as “Double Extortion”. In some cases, the hackers will demand ransoms from individuals whose data was among those stolen, which is known as the “Triple Extortion” ransomware threat.
What Is the Strengthening American Cybersecurity Act?
The Strengthening American Cybersecurity Act of 2022 (S. 3600) passed the Senate in March 2022, and its incident reporting provisions, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), were enacted as part of the Consolidated Appropriations Act, 2022, which President Biden signed on March 15, 2022, to help combat these and other cybersecurity related issues.
Key points of the new law include:
- It only applies to particular companies that it calls covered entities. The rules for what is considered a covered entity are still being finalized, but, in general, it applies to companies that are part of the U.S. critical infrastructure (finance, transportation, energy and other sectors).
- Covered entities are required to report covered cyber incidents to the federal government within 72 hours of when the entity reasonably believes the incident occurred, and to report ransom payments within 24 hours of the payment being made.
- Covered entities must also preserve all data related to any cyber incident or ransom payment and provide the Cybersecurity and Infrastructure Security Agency (CISA) with updates on incidents until they are fully resolved.
- CISA, a division of the Department of Homeland Security (DHS), will be at the helm of the federal government’s response to major cyber incidents within four years.
- Specific guidelines for which companies are covered entities, which incidents must be reported, what data must be preserved and other details related to this law are still being defined through a CISA rulemaking process: the law gives CISA up to 24 months from enactment to publish a proposed rule and up to 18 months after that to publish the final rule, so the reporting obligations will not take effect immediately.
If your company is likely to be considered a covered entity, you should monitor the rulemaking process and take steps now to prepare for the new reporting obligations and for the potential overlap with existing obligations (for example, sector regulators, state breach notification laws, or contractual reporting requirements).
Whether or not your company is considered a covered entity, you should take the opportunity to revisit your cybersecurity posture, including your tools, policies, procedures and programs. Regulations will likely expand to other industries; when the cyber security landscape changes for one industry, it often bleeds into others sooner or later.
Additionally, cyber insurance providers are becoming much more stringent regarding whom they will insure and what security measures they demand. For those businesses that can get insurance, premiums are rising rapidly, and this is especially true if your cybersecurity posture is weak, which is yet another reason to act now.
You can find some great insight on the current state of the cyber insurance market in this recent article from The Wall Street Journal, “Buying Cyber Insurance Gets Trickier as Attacks Proliferate, Costs Rise.”
Two More Cybersecurity Bills Passed in June
In June 2022, two bipartisan cybersecurity bills were signed into law by President Biden: the Federal Rotational Cyber Workforce Program Act of 2021, and the State and Local Government Cybersecurity Act of 2021.
Together these bills intend to:
- Improve collaboration between DHS and state, local, tribal and territorial governments.
- Require the National Cybersecurity and Communications Integration Center (NCCIC) to coordinate with the Multi-State Information Sharing and Analysis Center (MS-ISAC) to aid state, local, tribal and territorial government entities with cybersecurity exercises, training, and education and awareness.
- Provide a rotating workforce for cyber security efforts across federal agencies.
What It Means for Your Business
While governments try to shore up cybersecurity regulation and provide support and guidance, protecting your business still falls squarely in your court. Our certified experts have been helping businesses understand and defend against the myriad cyber threats being thrown at them since 1992.
Here are some free resources to help you improve your cybersecurity posture:
- Cyber Security eBook
- Cyber Security Essentials Checklist
- Phishing Prevention Cheat Sheet
- Ransomware Response Checklist
- Vulnerability Assessment
You can also contact us or book a meeting to discuss your IT and security needs today. We’re here and ready to help.
Is Your Name or Birthday a Part of Your Password?
If so, you are among the 59 percent of people who don't follow proper password hygiene. More than 70 percent of passwords are reused across more than one system, meaning that if cybercriminals crack one, they can access many more accounts.
Our free Enterprise Password Management Guide will give you the best password hygiene practices to help you secure your computer and your business.