The regulation of cybersecurity remains a new and rapidly evolving space — and regulatory activity and priorities can be somewhat opaque to outside observers. In this special episode of the Faegre Drinker on Law and Technology Podcast, host Jason G. Weiss shares a discussion led by Faegre Drinker’s Peter Baldwin, who sat down with Brent Wilner, senior advisor to the Securities and Exchange Commission’s (SEC) Cyber Unit, and Justin Herring, leader of the New York Department of Financial Services’ (NYDFS) Cybersecurity Division. The two guests share their insights on each agency’s priorities in cybersecurity, data protection and enforcement.
Author: Peter Baldwin
Peter Baldwin draws on his experience as a former federal prosecutor to counsel clients facing government investigations and cybersecurity issues. View Peter's full bio on the Faegre Drinker website.
Kaseya: The Latest High-Profile Ransomware Attack
On July 2, 2021, Kaseya Ltd., a Florida-based firm that provides software tools to thousands of primarily small and mid-sized businesses, became the latest victim of a high-profile ransomware attack. The attack is believed to have affected as many as 1,500 of Kaseya’s customers throughout the world, including at least 200 businesses in the United States. The attackers, who have claimed association with the Russia-linked REvil ransomware gang, have demanded an astronomical $70 million ransom to restore services for affected businesses.
The Kaseya attack was particularly devastating and effective because it was a supply chain attack, meaning it targeted a type of software that many other companies use to manage and distribute software updates. Thus, the attack not only affected Kaseya, but also potentially all of its customers.
Continue reading “Kaseya: The Latest High-Profile Ransomware Attack”
Cybersecurity Enforcement Trends: A Fraught New Reality for ‘Victims’ of Cyberattacks
New York partners Pete Baldwin and Bob Mancuso authored an article for the New York Law Journal titled, “Cybersecurity Enforcement Trends: A Fraught New Reality for ‘Victims’ of Cyberattacks,” that discusses how regulators have shifted their focus from data breach notifications to overall cybersecurity preparedness.
Department of Homeland Security Announces New Cybersecurity Requirements for Pipelines
The Department of Homeland Security (DHS) recently announced a new Security Directive requiring companies in the pipeline sector “to better identify, protect against, and respond to” cyber threats. Among other things, the Security Directive requires pipeline operators to report cyberattacks against their pipelines to DHS. This new requirement replaces the voluntary reporting guidelines that had been in place since 2010.
The new Security Directive is a response to the May 2021 ransomware attack on Colonial Pipeline that shut down much of the oil and gas distribution to the East Coast of the United States for approximately six days. According to various media reports, Colonial Pipeline ultimately elected to pay a Russian ransomware gang that claimed responsibility for the attack over four million dollars to re-open the crippled pipeline.
New York Department of Financial Services Issues Report on SolarWinds Cyberattack
On April 15, 2021, the New York Department of Financial Services (NYDFS) issued a report on the recent SolarWinds cyberattack. A copy of the report is available here. NYDFS called the attack a “wake-up call” to regulated financial institutions and insurers that should cause them to immediately assess and, if necessary, improve their own cybersecurity posture in order to avoid victimization in future attacks.
NYDFS characterized the SolarWinds attack as a “widespread, sophisticated espionage campaign” by Russian foreign intelligence actors that resulted in “the most visible, widespread, and intrusive information technology supply chain attack” successfully completed to date. According to the report, the attack opened back doors into thousands of organizations around the United States and involved the theft of sensitive data from over 100 private sector companies, as well as at least nine federal agencies. NYDFS noted ominously that the attack highlighted the obvious “vulnerability to supply chain attacks” within the financial services industry.
Continue reading “New York Department of Financial Services Issues Report on SolarWinds Cyberattack”
New York Department of Financial Services and National Securities Corporation Agree to $3 Million Settlement in Cybersecurity Enforcement Action
Earlier this month, the New York State Department of Financial Services (NYDFS) announced a settlement and consent order with National Securities Corporation (National Securities) for $3 million in connection with National Securities’ violations of NYDFS’s Cybersecurity Regulation, 23 NYCRR Part 500 (Part 500).
National Securities sells life insurance, accident and health insurance, and variable life/variable annuities insurance. As part of its day-to-day operations, National Securities collects personal data from its customers.