What happened in the first quarter of 2023?
As anticipated in our end of year update in 2022, several federal agencies have begun to flex their enforcement muscles as cybersecurity watchdogs, in addition to their traditional powers to regulate their respective industries. While by no means exhaustive, this article will highlight three recent examples impacting finance, telecommunications and transportation industry verticals.
Finance – The SEC
In January, the SEC filed an enforcement action in Washington, D.C. federal court to enforce its investigative powers following a cyber breach at the international law firm of Covington & Burling LLP.
According to the SEC, “In or around November 2020, threat actors associated with the Microsoft Hafnium cyberattack maliciously and unlawfully obtained access to Covington's computer network and certain individual devices, including access to non-public files of nearly 300 Covington clients that are regulated by the SEC.” The SEC served the law firm with a subpoena for its client lists, seeking the names of any clients whose data was “viewed, copied, modified or exfiltrated by the threat actors.”
In response, the law firm refused to turn over its client records, citing the sacrosanct attorney-client privilege. Notably, the law firm itself is not a publicly traded company and thus not under direct regulation by the SEC.
The SEC argues that the court should compel the law firm to produce the records to assist the SEC, “in identifying any suspicious trading by the threat actors or others in those clients' securities, and whether such trading was illegal based on material non-public information that the threat actors viewed or exfiltrated as part of the cyberattack.” In addition, the SEC seeks to determine, “whether the impacted clients made all required disclosures to the investing public about any material cybersecurity events in connection with the cyberattack.”
Legal commentators are uncertain of the ultimate disposition, and while the SEC maintains that the information it seeks is simple identity and not protected attorney-client communications, other law firms have joined in support of Covington in its litigation in opposing the SEC’s enforcement action. We will monitor this litigation as it develops.
Telecommunications – The FCC
The FCC has also recently submitted proposed cybersecurity regulations that it hopes will modernize its ability to regulate and enforce cybersecurity requirements within the telecommunications industry. This includes, “expansion of the definition of a breach, changes to customer notification, and changes to reporting to the Commission and law enforcement.” Whereas the current definition of a breach includes only intentional acts, the proposed regulations will include, “inadvertent access, use, or disclosures of customer information.”
The FCC is also considering comments on whether actual harm should be required to trigger notifications and whether there should be “good faith” carveouts for notification due to accidental disclosures by employees. But while such carveouts and harm triggers would be helpful, other proposed language will impose additional responsibilities on telecommunication companies. These include separate notification directly to the Commission (in addition to the FBI and Secret Service), as well as imposing a “without unreasonable delay” notification standard for customers, removing the current mandatory waiting period.
We will continue to watch and update once these rules are fully adopted.
Transportation – The TSA
While we most commonly associate the TSA with the airline industry, the agency’s reach is much broader, extending to railroads and pipelines as well. As set forth in the Biden Administration’s recently issued National Cybersecurity Strategy, infrastructure security is a key pillar in overall national security. As a result, the TSA anticipates issuing specific regulations intended to secure railroads and pipelines.
The Colonial Pipeline attack in 2021 demonstrated the unique disruptive impact that an attack on pipelines can have on the national economy. As a result, the TSA is focused on requiring a layered, defense-in-depth approach to security that fends off not just Information Technology (IT) threats but Operational Technology (OT) threats as well, such as those against supervisory control and data acquisition (SCADA) systems.
According to Homeland Security Today, “Cyber actors have demonstrated their willingness to engage in cyber intrusions and conduct cyberattacks against critical infrastructure by exploiting the vulnerability of OT IT systems.
Pipeline and rail systems, and associated facilities, are vulnerable to cyberattacks due to legacy equipment that lacks updated security controls and the dispersed nature of pipeline and rail networks spanning urban and outlying areas. Keeping these systems insulated from attacks is therefore critical, and part of a layered cybersecurity strategy.
Insurance implications
- For organizations regulated by any of these agencies, or by similar federal or state agencies, ensure regulatory coverage is part of your cyber insurance program. Typically, coverage for regulatory actions is included within the security and privacy insuring agreements. Such coverage will generally provide for the defense of regulatory actions, which often includes full-blown enforcement actions and investigative subpoenas, such as in the SEC example above.
- Be sure to have a detailed cybersecurity response plan as required by these agencies and others like them, which may include:
  - Designation of a responsible individual for cybersecurity
  - Appropriate privileged access controls
  - Employee training, drills and exercises
  - Technical and physical security controls
  - Incident response plan and operational resilience
  - Record keeping and documentation
- Industries such as transportation, logistics, utilities or manufacturing must ensure that the policy's definition of computer system or network is sufficiently broad to include operational networks, such as SCADA systems, so that the applicable coverage is triggered when there is a cyberattack. Although many cyber policies explicitly include SCADA in these definitions, some policies may still limit computer networks to informational networks alone, which could pose a problem if a breach occurs on an operational network.
Conclusion
Managing cyber-related vulnerabilities should be part of the operational resilience strategy of every organization. Preparing in advance is one of the best ways to reduce the cost of dealing with a major cyber incident. All cyber insurers now require that businesses meet specific cybersecurity standards to be eligible to purchase cyber insurance.
Disclaimer
Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).