US 2021 Cyber Agenda May Affect Liability, Disclosure, and Enforcement

By Christopher Hetner and Robert Peak



Structural and technological changes have been set in motion by COVID-19, creating new cyber-risk and security challenges that will likely endure even after the pandemic ends. There is no shortage of cyber-threat actors attempting to take advantage of this situation, and the majority of cyberattacks continue to be financially motivated.

While cybersecurity has seen strong progress over the last decade in terms of threat information sharing and cyber-resilience measures, it is still easier to attack than defend in cyberspace. Every year, cybercrime becomes cheaper, easier, and faster, making a variety of companies more vulnerable to attacks than ever before. After all, all companies are tech companies nowadays.

Last year, of course, was no exception. As boards seek to oversee companies’ risk assessments, investments, and cyber-defense tactics to ensure their businesses adapt to meet post-pandemic cyber challenges, they must take stock of the complex and varying types of cyberattacks businesses faced in 2020.

Over the past twelve months, massive amounts of downtime due to business disruption caused by cyberattacks and large troves of highly sensitive data made the private sector particularly vulnerable to ransomware, supply-chain compromise, distributed-denial-of-service (DDoS) attacks, and data breach attacks. As cybercriminals devised new ways to profit, such attacks grew in volume, sophistication, and impact.

DDoS extortions, where attackers extort companies by threatening DDoS attacks, made a resurgence in 2020, with the New Zealand stock exchange among financial institutions targeted. Even Amazon Web Services suffered a record-setting attack last February.

While DDoS attacks have caused significant problems, ransomware dominated the headlines last year. In fact, 2020 saw seven times more ransomware attacks than 2019. However, it is far from just a volume issue, as ransomware operators, driven by profit, think of new and innovative attack strategies. Attackers now almost always steal sensitive data in addition to encrypting the target company’s network or devices—called “double-extortion” ransomware—and extort victims by threatening to either publish data online or to auction off victims’ data on the dark web. Among companies that experienced double-extortion ransomware attacks last year were Banco de Costa Rica and a trio of financial technology providers including Cognizant Technology Solutions Corp., Finastra, and Pitney Bowes. There has also been staggering growth in the ransomware-as-a-service (RaaS) market, with Intel 471 tracking 18 new RaaS groups in 2021.

The US Securities and Exchange Commission (SEC) has issued multiple alerts warning of increasingly advanced ransomware attacks on registrants as well as their third-party service providers. As the massive SolarWinds breach starkly highlighted, even entities with relatively robust cyber defenses are vulnerable to attacks through third-party suppliers. Sophisticated attackers recognize this and are increasingly devoting attention and resources to targeting third-party service providers and other organizations down the supply chain that allow them to compromise many networks at once. Companies everywhere should pay more attention to supply-chain vulnerabilities as potential attack vectors for data breaches, ransomware, and other cyberattacks. 

Indeed, there is no end in sight, with damages from cybercrime projected to reach $6 trillion globally in 2021. Despite ever-growing investments in cyber defense, an increasingly anxious public feels that the oversight of federal agencies, boards, and CEOs fails to meet their expectations. The lack of a generally accepted framework for the evaluation of cyber risk, agreed-upon best practices, or unifying standards adds to the uncertainty and complexity that senior executives and directors face in understanding the true nature and extent of an organization’s cyber-risk exposure. Given this emerging reality, the legislative and regulatory agenda must evolve to address these economic, national security, and stakeholder impacts.

The Expected Cyber Agenda Under the New Presidential Administration

President Joseph R. Biden Jr. has said his administration will make cybersecurity a top priority at every level of the government. Moreover, in stark contrast to the previous administration’s agenda, the focus on data privacy issues will intensify as will collaboration with Europe and the global community. Vice President Kamala Harris has a track record of such focus; as attorney general in California, she spearheaded privacy efforts that ultimately led to the state’s adoption in November of the California Privacy Rights Act (CPRA), which established a new regulatory agency to police data privacy.

Changes in US Senate leadership and anticipated greater collaboration with the US House of Representatives will likely spur bills to address the governance of cybersecurity, incident reporting, and consumer privacy. Senators Sherrod Brown and Pat Toomey have agreed to furthering technology concerns in the Senate Banking Committee. It is widely expected that Senator Jack Reed will reintroduce a bipartisan bill to require disclosure to investors of information on whether a company’s board has a member with cybersecurity expertise. Moreover, the Cyberspace Solarium Commission, mandated by the National Defense Authorization Act of 2019, recommended various legislative initiatives that may advance, including amending the Sarbanes-Oxley Act of 2002 to mandate corporate accountability and certain cybersecurity disclosures by publicly traded companies.

Leadership changes expected at financial services regulators and at the Consumer Financial Protection Bureau will likely coincide with a host of new regulations as well as a revitalization of consumer protection efforts. Further, market participants should anticipate an increase in examinations and enforcement actions from all independent regulators and other oversight agencies, such as the Financial Industry Regulatory Authority.

State legislatures and regulators are expected to continue to prioritize cybersecurity and data privacy. Some may align with the CPRA and others with the New York Department of Financial Services cybersecurity requirements, which cover all financial institutions operating in New York. The lack of a comprehensive federal cyber regime has contributed and will continue to contribute to the diversity of state initiatives, which may be reminiscent of state blue sky laws from the early 1900s.

Without question, the legislative and regulatory landscape in 2021 will include a variety of measures that seek to improve the accountability for and governance of cyber-related concerns.

How Boards Can Act Now

While there is no one-size-fits-all solution, there are specific defensive investments that companies can implement to mitigate risk from costly cyberattacks—and to preempt new regulations and legislation.

The first step in improving cyber defenses is to know what needs protection by quantifying cyber-risk exposure and deriving a risk appetite. Companies should conduct a 360-degree review across the enterprise that covers external exposures, such as those created by third-party service providers. A discussion around risk appetite, addressed in the NACD Director’s Handbook on Cyber-Risk Oversight, should cover the following principles:

  1. Corporate Values: What risk will we not accept?

  2. Strategy: What are the risks we need to take?

  3. Stakeholders: What risks are stakeholders willing to bear, and to what level?

  4. Capacity: What resources are required to manage those risks?

  5. Financial: Are we able to adequately quantify the effectiveness of our risk management and harmonize our spending on risk controls?

  6. Measurement: Can we measure and produce reports to ensure proper monitoring, trending, and communication?

Managing supply-chain risk from third-party service providers has become an essential part of corporate risk management. As supply-chain attacks leverage the existing trust between vendors and customers, they can be incredibly difficult to prevent and detect. Today, unfortunately, many companies remain underinvested in this area.

Companies should ideally try to evaluate the cyber-risk exposure of prospective service providers before engaging them as trusted third-party partners, and one way to achieve this is through security ratings. These ratings, from companies such as SecurityScorecard, provide a standardized snapshot and ongoing monitoring of a company’s cybersecurity capabilities to help it make strategic risk decisions.

Advanced companies can also use security ratings alongside strategic risk metrics to do the following:

  1. Align cyber-risk scenarios with material business exposure.

  2. Roll the reporting of cyber risks together with financial exposure to inform risk-management decisions.

  3. Measure the improvement of cyber-risk reduction over time.

Companies must also ensure sound technology hygiene. A large part of this involves implementing proactive vulnerability and patch management programs and applying secure coding standards across internal and external applications, but it also includes managing supply-chain exposure, integrating enterprise-wide security, and performing regular risk-assessment evaluations and incident-response exercises.

With cybersecurity and data privacy on the legislative and regulatory horizon, boards should act now to ensure their security programs will meet potential requirements and stay up to date as Congress and regulatory bodies proceed with their related plans.

The views expressed in this presentation are the views of the author and do not necessarily reflect the views of the author’s employer or any other entities with which the author may be associated.

Chris Hetner
Chris Hetner served as the senior cybersecurity advisor to SEC chairs White and Clayton and currently is a senior advisor at The Chertoff Group, a special advisor for cyber risk at NACD, and a member of the NASDAQ Center for Board Excellence Insights Council.

Robert Peak
Robert Peak has served in senior capital markets policy roles including at the SEC, where he worked on the Commission’s issuance of its 2018 cybersecurity guidance. He has advised commissioners, members of Congress, and board members, and is a thought leader in securities trading, regulation, and enforcement.