CYBER CORNER

A recent increase in Distributed Denial-of-Service (“DDoS”) attacks on the financial services industry has damaged customer confidence in businesses impacted by these events. DDoS attacks are frequently used by threat actors as decoys and open the door for these actors to inflict more damage. DDoS attacks flood the targeted organization’s network with extraneous internet traffic, causing systems to crash and halting e-commerce. 

While these events do not generally result in data compromises, they do affect how the industry’s customers view the affected organizations and result in reputational harm. Unfortunately, these attacks are affecting all areas of the industry, including but not limited to, investment banking, personal finance, private wealth management, and the insurance sector.

This uptick in DDoS attacks has been attributed to the current state of geopolitics – as nation-states and other hacker groups are looking to target financial institutions and undermine public confidence in the global financial system. In response to these attacks, the Financial Services Information Sharing and Analysis Center has stressed the importance of cyber resilience and business continuity. Organizations are encouraged to have an incident response plan and cyber insurance coverage in place to limit the impact of any potential attacks. Organizations that utilize outside vendors are also encouraged to integrate third-party risk management into their incident response plans.

On March 27, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a Notice of Proposed Rulemaking under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), a federal law enacted in 2022. These rules are in draft form and do require covered entities to report any incidents until 60 days after a Final Rule is published, which is not likely to occur until 2026. The proposed rule would impose new requirements for data and record preservation on the part of entities that comprise the nation’s critical infrastructure, reflecting a shift in the role of CISA from relying primarily upon voluntary cooperation with the private sector to mandating information sharing.

The proposed regulations would apply to cyber incidents which potentially jeopardize the confidentiality, integrity, or availability of information on an information system, or which actually jeopardize the information system itself. Some examples of covered cyber incidents include a compromise to the entity’s network or operational systems, a business interruption, unauthorized access to non-public information, or a supply chain compromise.

The rule contemplates that covered entities experiencing such a cyber incident would be required to submit a report within 72 hours after the covered entity reasonably believes a covered cyber incident has occurred. A covered entity must also report having made a ransom payment within 24 hours of doing so, even if the payment is made by another party on the entity’s behalf. If the entity has an agreement with another federal agency to report such incidents, compliance with that agreement would be deemed to satisfy the entity’s obligations under CIRCIA as well. The Director of CISA is also permitted to issue a request for information to a covered entity if it has reason to believe the entity has failed to make a required report under CIRCIA. These subpoenas could lead to a civil action being brought by the U.S. Attorney General, and even result in sanctions for contempt. 

Additionally, the proposed rule would require covered entities to preserve data related to the incident for at least two years following the incident report. The data subject to preservation would include correspondence with the threat actor, indicators of compromise, and records related to any ransom payment made, among other items.

CISA claims the proposed rules is an attempt to balance national security interests with the agency’s history of voluntary cooperation with covered entities.