CYBER CORNER

PROPOSED FLORIDA LEGISLATION WOULD OFFER “SAFE HARBOR” TO CYBER-COMPLIANT BUSINESSES

Government efforts to regulate cybersecurity have been criticized for often having the effect of punishing the victim. A bill pending in the Florida legislature takes a radically different approach.  


HB473 would offer a safe harbor against data breach litigation to businesses operating in Florida that maintain a robust level of cybersecurity in compliance with government and industry standards. The bill is known as the “Cybersecurity Incident Liability Act,” and it aims to incentivize businesses to stay current with their network security and data protection by providing an affirmative defense against tort claims arising out of data breaches.


Plaintiffs can file class action lawsuits against businesses that fall victim to a breach, even after the company provides notification and offers credit monitoring and identity theft protection to its customers. This legislation doesn’t prevent plaintiffs from doing that, but if a company can show that its practices are in substantial alignment with generally accepted cybersecurity standards, it will be shielded from potential liability arising out of the breach.


Importantly, the legislation does not mandate specific cybersecurity measures. Instead, the bill gives businesses the option to select from one of several recognized frameworks, including those of the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization (“ISO”) and the Center for Internet Security’s (“CIS”) Critical Security Controls. The safe harbor is also available to businesses that demonstrate compliance with federal legislation such as HIPAA, Gramm-Leach-Bliley, or the Federal Information Security Modernization Act. This flexible approach considers the size of the business, the nature of its activities, the sensitivity of the data being held, and the resources available to implement improvements to security.

The Takeaway

This bill has a long way to go before it could be signed into law, but there is no time like the present to adopt better security controls. Some action items include conducting a thorough risk assessment to pinpoint and remediate vulnerabilities, developing or refreshing your incident response plan, and updating your information security policies. Taking these steps can help make your network and data assets more secure, improve your risk profile in the eyes of the underwriters, and position you to benefit from safe harbor provisions as they become law.  

UNDERWRITERS REPORT RANSOMWARE ATTACKS INCREASED BY NEARLY 70 PERCENT IN 2023

Despite a slight drop in the final quarter of the year, ransomware attacks increased by 68% in 2023 to reach an all-time high, according to a report from Corvus, a leading underwriter of cyber insurance.


Drawing upon data from “leak sites” on the so-called “dark web” where cybercriminals ply their trade, the report counts 4,496 victims of ransomware this past year, up from 2,670 in 2022. Corvus Chief Information Security Officer Jason Rebholz hailed the recent success of law enforcement in apprehending threat actors, describing their efforts as having an “incredible impact.” Even so, Rebholz noted in an interview with the insurance news source Zywave that new forms of malware continue to proliferate, and businesses must remain vigilant.


Corvus attributes an unexpected drop in ransomware events late in the year to disruptions of a notorious ransomware syndicate by law enforcement, along with efforts to neutralize a particularly virulent form of malware. Corvus also cautioned that not all victims of ransomware end up being publicized on the dark web, so the report carries a risk of underestimating the actual number of attacks that have taken place by as much as 41%. Threat actors continue to exploit vulnerabilities in corporate networks, and even companies like VMware, Cisco, and Citrix – household names in the technology sector – have found themselves on the receiving end of ransomware attacks.


The Takeaway

Corvus is urging companies to focus on cyber resilience in 2024, and to take steps to secure their networks and data assets. Some steps that Alliant recommends businesses take include encrypting sensitive information, backing up data (and regularly testing the firm’s ability to restore from backups), and developing a detailed incident response plan. Bear in mind that the payment of ransom should always be considered a last resort. A proactive approach to managing cyber risk can help reduce the likelihood that a payment to threat actors will need to be made.