On January 11, 2022, the U.S. Department of Homeland Security’s Cyber Security and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) issued a joint advisory, warning of an increasing cybersecurity threat posed by Russian state-backed threat actors to U.S. critical infrastructure.
Author: Peter Baldwin
Peter Baldwin draws on his experience as a former federal prosecutor to counsel clients facing government investigations and cybersecurity issues. View Peter's full bio on the Faegre Drinker website.
Discerning Data Cyber Vulnerability Alert: Log4j
According to numerous government and media sources, malicious cyber actors are targeting a new “zero day” vulnerability on a massive scale. This vulnerability, referred to as “Log4j” or “Log4Shell,” has resulted in widespread exploitation of a critical remote code execution (RCE) vulnerability (CVE-2021-44228) in Apache’s Log4j software library.
Read the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA)’s guidance on the Log4j vulnerability here.
Continue reading “Discerning Data Cyber Vulnerability Alert: Log4j”
New York Department of Financial Services Issues New Guidance on Multi-Factor Authentication and Cybersecurity Frameworks
With cyberattacks continuing to plague the financial services industry, the New York Department of Financial Services (NYDFS) recently released new guidance for regulated entities related to the use of Multi-Factor Authentication (MFA) and cybersecurity frameworks.
On December 7, 2021, NYDFS issued a formal Industry Letter entitled Guidance on Multi-Factor Authentication. According to the Industry Letter, MFA “is an essential part of cybersecurity hygiene . . . which is why it was one of the few technical controls explicitly required by” the NYDFS Cybersecurity Regulation, 23 NYCRR Part 500 (the Cybersecurity Regulation). However, the Industry Letter goes on to note that “MFA weaknesses are the most common cybersecurity gap exploited at financial services companies,” most often due to MFA “being absent, not fully implemented, or configured improperly.” Specifically, NYDFS noted that, from January 2020 to July 2021, more than 18.3 million consumers were impacted by cybersecurity incidents reported to NYDFS that were linked to an MFA failure.
OFAC Issues Sanctions Compliance Guidance for Virtual Currencies
In October, the United States Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) published new guidance for the virtual currency industry focusing on compliance with the financial industry’s obligations related to U.S. economic sanctions.
OFAC administers and enforces economic sanctions against targeted and/or sanctioned foreign countries, geographic regions, entities, and individuals to further U.S. foreign policy and national security goals.
As noted in the new guidance, virtual currencies now playing an increasingly prominent role in the global economy. The growing relevance of virtual currency, both as an investment and as a payment method, brings greater exposure to sanctions risks. Specifically, there is an increased risk that a sanctioned entity or an entity in a jurisdiction subject to sanctions might use virtual currency as an alternative to fiat currency in an effort to avoid U.S. sanctions. As such, the OFAC guidance specifically targets technology companies, virtual currency exchanges, virtual currency administrators, virtual miners, digital currency wallet providers, and users.
Continue reading “OFAC Issues Sanctions Compliance Guidance for Virtual Currencies”
Faegre Drinker on Law and Technology Podcast: The Growth and Evolution of Disruptionware
Cyberattacks are an increasingly common presence in the news, and disruptionware has emerged as a popular — and particularly nefarious — type of attack. Disruptionware poses an especially troubling threat, because it attacks both an organization’s information technology and operational technology networks — often with highly destructive goals. In this episode of the Faegre Drinker on Law and Technology Podcast, host Jason G. Weiss sits down with Peter Baldwin to break down disruptionware attacks, the industries that are most susceptible to them, and what we can learn from high-profile incidents.
Fall Cybersecurity Enforcement Update: State and Federal Regulators Increase Scrutiny on Victims of Cyberattacks
We have written here previously about the dramatic increase in cyberattacks on companies of all types since the start of the COVID-19 pandemic. Indeed, by some estimates, ransomware attacks have increased over 90% during the first half of 2021 compared to the same period last year. As these and other types of cyberattacks have increased, various federal and state regulators have correspondingly stepped up efforts to investigate and bring enforcement actions – which often include large fines – against companies that are perceived to have been negligent in their cybersecurity efforts. Two of the most active agencies in cybersecurity enforcement have been the New York Department of Financial Services (NYDFS) and the United States Securities & Exchange Commission (SEC), both of which have made important announcements regarding cybersecurity compliance in the past few months.