A recent increase in Distributed Denial-of-Service (“DDoS”) attacks on the financial services industry has damaged customer confidence in businesses impacted by these events. DDoS attacks are frequently used by threat actors as decoys and open the door for these actors to inflict more damage. DDoS attacks flood the targeted organization’s network with extraneous internet traffic, causing systems to crash and halting e-commerce.
While these events do not generally result in data compromises, they do affect how the industry’s customers view the affected organizations and result in reputational harm. Unfortunately, these attacks are affecting all areas of the industry, including, but not limited to, investment banking, personal finance, private wealth management, and the insurance sector.
This uptick in DDoS attacks has been attributed to the current state of geopolitics – as nation-states and other hacker groups are looking to target financial institutions and undermine public confidence in the global financial system. In response to these attacks, the Financial Services Information Sharing and Analysis Center has stressed the importance of cyber resilience and business continuity. Organizations are encouraged to have an incident response plan and cyber insurance coverage in place to limit the impact of any potential attacks. Organizations that utilize outside vendors are also encouraged to integrate third-party risk management into their incident response plans.
On March 27, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a Notice of Proposed Rulemaking under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), a federal law enacted in 2022. These rules are in draft form and do not require covered entities to report any incidents until 60 days after a Final Rule is published, which is not likely to occur until 2026. The proposed rule would impose new requirements for data and record preservation on the part of entities that comprise the nation’s critical infrastructure, reflecting a shift in the role of CISA from relying primarily upon voluntary cooperation with the private sector to mandating information sharing.
The proposed regulations would apply to cyber incidents which potentially jeopardize the confidentiality, integrity, or availability of information on an information system, or which actually jeopardize the information system itself. Some examples of covered cyber incidents include a compromise to the entity’s network or operational systems, a business interruption, unauthorized access to non-public information, or a supply chain compromise.
The rule contemplates that covered entities experiencing such a cyber incident would be required to submit a report within 72 hours after the covered entity reasonably believes a covered cyber incident has occurred. A covered entity must also report having made a ransom payment within 24 hours of doing so, even if the payment is made by another party on the entity’s behalf. If the entity has an agreement with another federal agency to report such incidents, compliance with that agreement would be deemed to satisfy the entity’s obligations under CIRCIA as well. The Director of CISA is also permitted to issue a request for information to a covered entity if it has reason to believe the entity has failed to make a required report under CIRCIA. These subpoenas could lead to a civil action being brought by the U.S. Attorney General, and even result in sanctions for contempt.
Additionally, the proposed rule would require covered entities to preserve data related to the incident for at least two years following the incident report. The data subject to preservation would include correspondence with the threat actor, indicators of compromise, and records related to any ransom payment made, among other items.
CISA claims the proposed rules are an attempt to balance national security interests with the agency’s history of voluntary cooperation with covered entities.
In a recent decision, a Delaware court dismissed lawsuits brought against a software service provider (the “Software Provider”) who suffered a ransomware attack. This attack compromised the customer data of many of the Software Provider’s corporate clients. Following the attack, the Software Provider notified its clients of the potential data breach and various cyber insurance carriers (the “Carriers”) paid out on the policyholders’ claims.
Following their reimbursement of the policyholders’ losses, the Carriers filed suit against the Software Provider seeking reimbursement for the funds they had paid out resulting from the Software Provider’s security failure. This process is known as subrogation. To prove that the Software Provider was at fault for the ransomware attack which had caused a loss to policyholders, the Carriers had to show either breach of contract or negligence on the part of the Software Provider.
However, the court held that the Carriers failed to properly plead either claim, as they solely relied on conclusory allegations. The fact that a data breach occurred, resulting in financial losses to the Software Provider’s clients, was not enough to show that the Software Provider had breached any of its contractual duties or its duty of care to its clients.
The court’s ruling highlights the importance of understanding service agreements that may be in place between service providers and their clients. These providers often ask their clients to agree to waive subrogation on behalf of their insurance carriers – effectively precluding insurers from taking legal action against the insured’s vendors. However, this waiver can only be enforced if it is allowed by the client’s insurance policy. As such, it is critical that the provisions of these service agreements are aligned with the insured’s rights and responsibilities under their terms of coverage.