CYBER CORNER

WHITE HOUSE UNVEILS NATIONAL CYBERSECURITY STRATEGY: WHAT IT MEANS FOR BUSINESSES

The Biden administration has announced a new national cybersecurity strategy that calls for greater regulatory scrutiny of the private sector’s handling of cyber threats. The plan also proposes a shift in liability for flaws in technology products which leaves their end users vulnerable to an attack.


The plan would hold software developers responsible for putting out products without adequate security built into their design, while cloud service providers would be held accountable for failing to safeguard personal data. White House officials indicated that they would collaborate with Congress around legislation that would offer a “safe harbor” provision for companies that take steps to “securely develop and maintain” the products they bring to market. Critics within the tech industry fear that the shift in liability will stifle innovation. Critics also argue that it is impossible to design products in a way that anticipates new vectors of attack in advance. 


Another proposal would require companies that operate “critical infrastructure” to report “substantial” incidents to the federal government within 72 hours of discovery. Currently, cooperation of this sort is voluntary on the part of businesses, and compliance is not universal. While Homeland Security Secretary Alejandro Mayorkas believes mandatory reporting of incidents could benefit the fight against cybercrime, privacy advocates have voiced concerns over the possible erosion of civil liberties. Separately, the tension between these competing interests has boiled over in an ongoing dispute between the SEC and a prominent law firm around the SEC’s demand that attorneys disclose a list of clients whose information may have been compromised in a cyberattack on the firm.   


The plan also calls for the exploration of a federal backstop for cyber insurance, something which is already being explored by the Department of the Treasury. Cyber insurers have raised premiums and sought to narrow the scope of coverage over the past few years in an effort to recoup losses resulting from ransomware and other incidents. Proponents of a backstop argue that it would help the industry withstand a systemic or catastrophic event, although it is not clear whether the federal government would seek to prescribe underwriting criteria and coverage terms if taxpayer dollars were at stake. 

 

The Takeaway

Cybersecurity is a national security issue, and we can expect greater cooperation between the private and public sectors in the coming years to protect our economy and way of life.

SENATE BILL CALLS FOR CLARITY AROUND CYBER INSURANCE COVERAGE

A bipartisan bill introduced in the U.S. Senate seeks to provide small businesses with the information they need to make better use of their cyber insurance policies. The “Insure Cybersecurity Act of 2023” is being co-sponsored by Senators John Hickenlooper of Colorado and Shelly Moore of West Virginia. The bill would create an interagency working group for the purpose of studying cyber risk and facilitating better communication between insurers and insureds. Some of the objectives laid out in the legislation include:

 

  • Analyzing and explaining in a manner that is understandable to customers, the technical and legal terminology that is often used in policies;
  • Developing recommendations regarding provisions that relate to ransomware and payments being made in response to ransomware attacks;
  • Determining how to address incidents that are caused by cyberterrorism or acts of war; and
  • Developing recommendations for prospective customers around the types and levels of coverage offered under a policy. Providing guidance for agents and brokers regarding how to communicate policy provisions in a way that is clear and easy for customers to understand.

Additionally, the working group would examine the constraints faced by insurers in areas of cyber risk not adequately covered at present, such as reputational damage and intellectual property. The working group would gather input from insurers about what measures might be needed to address these exposures.

 

The working group would be comprised of representatives from the Cybersecurity & Infrastructure Security Agency (CISA), the National Institute of Standards & Technology (NIST), the Department of the Treasury, and the Department of Justice, as well as other agencies at the working group’s discretion. The working group would be empowered to solicit input from external stakeholders and would be expected to generate a report on its findings no more than one year after its launch.

The Takeaway

There is no question that the lack of standardization in carrier forms can be challenging for brokers and insureds. However, there are entities within the insurance industry that can help to homogenize the terms and conditions of cyber policies. It remains unclear whether Washington needs to be involved in creating a solution. However, the industry should work towards building a consensus around the scope of the product and strive for the use of common terminology.

OFFBOARDING CYBER EXPOSURES 

One of the most popular social media platforms (the “Company”) found its confidential source code posted on an online collaboration platform for software developers. While the country’s concerns about the security of social media users’ data have been on the rise, this leak is also a major exposure of intellectual property for the Company. The Company reached out to the software platform, pointing to copyright infringement issues, and asked them to take down its code. The software platform complied; however, how long the leaked code was online remains unclear. 

 

In the months leading up to this event, the Company faced drastic leadership changes, followed by mass layoffs that affected 75% of employees. The stories of such layoffs received a lot of attention from the public. The Company suspects that one of its former employees was to blame for the leak and asked a Federal Court to order the software platform to reveal the identity of the person who shared the code, as well as any other individuals who downloaded it. 

 

This incident also serves as a reminder for employers about the sensitivity of employee departures. This incident demonstrates that employees could take advantage of the sensitive data of a business, especially when they are leaving a given company on less than great terms. Although such coordination is easier said than done, the IT, HR, and Legal departments need to work closely during times of such turmoil, to ensure the security of the offboarding process. That is especially true when the departing party is as sophisticated as one of the company’s technical engineers. The HR and Legal departments should be ready to remind all departing employees of any non-disclosure agreements. Companies should also consider notifying key clients of employee departures to alert the necessary parties that such employees no longer have the authority to act on the company’s behalf. Finally, even during a period of layoffs, it is important to part with employees as humanely as possible to avoid aggrieving the parties who once had knowledge of the company’s vulnerabilities.