United States: Biden administration pleads with business leaders – Better cybersecurity now
Last week, after months of warnings about recent ransomware attacks, the White House issued an extraordinary letter to “corporate executives and business leaders” urging them:
To understand your risk, immediately convene your management teams to discuss the ransomware threat and review the company’s security posture and business continuity plans, to ensure you have the ability to quickly continue or restore operations.
The letter also stated that the private sector has a critical responsibility to protect itself against threats and to “ensure [the] corporate cyber defenses match the threat.” Citing the Executive Order on improving the nation’s cybersecurity, the letter urged business leaders to implement these “high impact” best practices:
- Multifactor authentication – because passwords alone are systematically compromised.
- Endpoint Detection and Response – to support the proactive detection of cybersecurity incidents.
- Encryption – for data at rest and in transit, so if data is stolen, it is unusable.
- A competent and empowered security team to share and analyze threat information.
- A security team to administer an effective patch management program.
That the letter is addressed specifically to business leaders is not unusual. Federal agencies have repeatedly reminded business leaders that meeting “industry standards” for cybersecurity is a legal obligation.
In July 2019, the Federal Trade Commission (FTC) announced a $700 million settlement with Equifax for flawed cybersecurity practices. As part of the settlement, the FTC required that the directors and officers of Equifax:
- be informed of any evaluation or important update of its information security program every 12 months;
- assess and identify gaps and weaknesses in Equifax’s information security program; and
- certify every year for 20 years that Equifax is in compliance with FTC regulations.
In January 2020, the FTC announced that it would implement a “new and improved” approach to cybersecurity enforcement measures that requires “Board[s] or similar governing bodies” and “senior management” to “gather detailed information about the company’s information security program, so that they can personally corroborate compliance” with the company’s written information security program (WISP).
Citing research suggesting that its efforts to improve corporate governance in cybersecurity were timely and well-founded, the FTC said that this approach would create additional incentives for high-level oversight of, and appropriate attention to, cybersecurity.
In April 2021, the FTC issued detailed guidance on the role that business leaders should play in cybersecurity. In an article titled Boards: don’t underestimate your role in data security oversight, the FTC said that “[c]ontrary to popular belief, data security starts with the board, not the IT department.”
The FTC then listed the strategies that business leaders should consider implementing, including:
- Build a team of stakeholders from across your organization – the team “should incorporate stakeholders from the company’s business, legal and technology departments – both high-level executives and operational experts”.
- Establish oversight at the board level – it helps to “ensure that cybersecurity threats, defenses and responses grab the attention of the upper echelons and have the resources to do the job properly.”
- Hold regular security briefings – because cybersecurity is dynamic, “[r]egular briefings prepare boards to take on their oversight responsibility, navigate the security landscape and prioritize threats to the business.”
In addition to the letter, the White House issued a memorandum directing federal prosecutors involved in ransomware or digital extortion investigations to:
- follow enhanced requirements for notifying the relevant federal task forces of findings and developments; and
- coordinate with federal agencies and task forces, including the Computer Crime and Intellectual Property Section (CCIPS) of the Criminal Division of the Department of Justice.
Despite the U.S. Supreme Court ruling last week that limited aspects of the federal government’s power to prosecute computer-related offenses, the letter, the recent FTC guidance, and the memorandum together demonstrate the central roles of the federal government and of business leaders in the prevention and investigation of cybersecurity attacks.
Originally published Jun 11, 2021
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.