Three recent notable regulatory and legislative developments are significantly heightening expectations on cybersecurity disclosures and attestations.
Over the last month, notable threat activity and U.S. Government regulatory pronouncements have highlighted the evolving technology supply chain security risk surface and the need for focused mitigation measures.
Companies that were forced to adapt to the reality of COVID are now grappling with operating in and evacuating from war zones (e.g., Ukraine), in contested or hostile environments (e.g., Russia), or on the edges of a conflict zone which could spread regionally, without warning. In addition to being one of the worst humanitarian crises Europe has faced in decades, the war in Ukraine—including its second and third order effects—highlights how quickly the operational landscape can shift.
On February 24, 2022, President Putin announced a “special military operation” in Ukraine to “protect” the people in the “republics of Donbas”, adding the actions were aimed at demilitarizing and “de-nazifying” Ukraine. Almost immediately following, Russian forces began a multi-pronged air, land, and sea invasion from the north, south, and east, launching missile strikes against multiple cities including the capital of Kyiv.
On Monday February 21, 2022, in the aftermath of a series of unproductive diplomatic meetings between Russia, the U.S., and NATO, and DDOS cyberattacks, President Putin announced that Russia would recognize the separatists in Donetsk and Luhansk in Eastern Ukraine as “independent republics” and that Russian troops were being deployed to the region as “peacekeepers.” This approach mirrors the actions that Russia took in Crimea in 2014 and in Georgia 2008. The White House has announced limited sanctions prohibiting Americans from doing business in or with the regions of Donetsk and Luhansk, as well as sanctions on Nordstream AG. German Chancellor Olaf Scholtz announced that Germany would not complete certification of the NordStream II pipeline as a response to the Russian actions.
Threats of government shutdowns and stopgap funding measures seem to have become standard operating procedure for the U.S. federal budget process.
Far from a functioning appropriations process, Congress relies on continuing resolutions (CR) that maintain spending at prior year levels and massive “must sign” omnibus appropriations bills to keep the government open.
The U.S. Securities & Exchange Commission (SEC) 2018 interpretive guidance on cybersecurity disclosure requirements makes it clear that public companies should have comprehensive cybersecurity policies and procedures in place with a focus on timely disclosure of material cyber risks and incidents.
On Friday January 14, 2022, in the aftermath of unproductive diplomatic meetings between Russia and the U.S. and NATO, malicious cyber attackers launched a massive attack against Ukrainian government websites. Approximately seventy websites were targeted, and several sites are impacted, including the Ministry of Foreign Affairs and Ministry of Education.
As advisors to some of the world’s largest organizations, we know firsthand how critical the implementation of a company-wide cybersecurity strategy is to defending against today’s rapidly evolving threats. The continuous strengthening of security posture – from prevention measures to plans for detection, response, and recovery – serves to prepare organizations for the inevitable with effective damage controls in place.
It’s important to remember, though, that cybersecurity is not just about tools and technology. There is a human element, too, that companies can leverage in their favor in their cyber defense strategies year-round – and particularly during the busy holiday season.
On Friday December 10, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert based on the Apache Software Foundation security advisory regarding a critical (CVSS score of 10 out of 10) remote code execution vulnerability affecting Log4j.
