OTX Partners
OTX Roundtable GRC News
November 2023
Remember that supply chain attack against SolarWinds in late 2020? Ya, kinda hard to forget! SolarWinds became an attack vector to all of their clients and, in some cases, organizations further down the line.
It looks like there will be some actual accountability in the situation. The SEC has formally charged the SolarWinds corporation and the Chief Information Security Officer (CISO) individually for “fraud and control failures relating to allegedly known cybersecurity risks and vulnerabilities.”
As part of its IPO in 2018, SolarWinds included only generic and hypothetical cyber security disclosures while, behind the scenes, CISO Timothy Brown wrote in an internal presentation that SolarWinds’ “current state of security leaves us in a very vulnerable state for our critical assets.”
In the 68-page filing, the SEC reveals that SolarWinds claimed to follow the NIST 800-53 security framework in a security statement posted prior to the IPO. However, internal assessments between 2019 and 2021 revealed that SolarWinds had only implemented a small fraction of the standard (6%). By January 2021, the organization had only achieved 40% compliance with 60% of the controls left “completely unmet”.
When news of the breach first broke, SolarWinds’ stock price plummeted leaving many investors holding the bag. By making false claims about their security practices, the suit claims Brown and SolarWinds defrauded investors and deprived them of critical information while making investment decisions. Read the SEC summary notice here
This is in line with the new trend of federal regulatory agencies holding individual executives accountable for misrepresenting cyber security controls. In October of last year the Federal Trade Commission took action against James Cory Rellas, CEO of the alcohol delivery service Drizly, for failing to implement adequate cybersecurity controls despite having been alerted to problems with the company’s data security procedures following a previous incident.
These two incidents should be seen as a warning sign that regulatory agencies are taking cybersecurity very seriously. Executive team members actively involved in the governance of cybersecurity policies are being held to account personally. The penalties can be severe and likely career ending for those involved.
This week, President Biden issued an Executive Order aimed at developing guardrails for the fast-exploding Artificial Intelligence industry. The new EO is very broad and sweeping, addressing a wide swath of issues that have become areas of concern with the use of AI. This includes the danger that the technology will be used to commit fraud, produce dangerous biological materials, exacerbate racial biases and discrimination, and spread misinformation and disinformation. In an industry notorious for keeping its intellectual property tightly under wraps, the Executive Order requires that “companies developing any foundation model that poses a serious risk to national security, national economic security, or national public health and safety must notify the federal government when training the model, and must share the results of all red-team safety tests.” NIST will be tasked with developing the rigorous standards for extensive red-team testing.
The Executive Order also addresses positive impacts and the ethical side of the use of AI. The order speaks to the use of AI tools to find and fix vulnerabilities in critical software. As part of their ongoing AI Cyber Challenge, the administration has been critical of the software industry’s lack of focus on security in the development of software. The order also directs the National Security Council and the White House Chief of Staff to develop a National Security Memorandum that directs the US Military and Intelligence community to “use AI safely, ethically, and effectively in their missions.”
Data privacy has been a big issue for many years and AI makes it that much easier to extract, identify and exploit personal data. The Executive Order calls on Congress to pass legislation to protect the personal data of all Americans. This includes commercially available personally identifiable information procured through data brokers. This may lay the groundwork for an American version of GDPR.
Large Language Models must be trained with vast amounts of data. It has been identified that historical data used to train a model carries the danger of propagating the discriminatory practices of the past into the future. The Executive Order directs agencies to combat algorithmic discrimination. Among other groups, landlords, federal benefits programs, and the criminal justice system are directed to establish best practices to keep AI algorithms from being used to exacerbate discrimination.
The Executive Order also attempts to address the fear that we will all be replaced by robots someday. The recent Screen Writers Guild and Screen Actors Guild strikes highlighted the threat AI presents to the creative community. The order directs industry to develop principles and best practices to mitigate the harms and maximize the benefits of AI for workers. The order will produce a report on AI’s potential labor-market impacts and study and identify options for strengthening federal support for workers facing labor disruptions.
Finally, the order addresses the need to ensure an open, competitive marketplace that maintains the United States’ leadership in the AI space both at home and globally. View the FACT SHEET here
The new FTC Safeguards Rule just went into effect earlier this year; however, one additional requirement has now been added to the rule.
The new rule, which went into effect June 9th of this year, is an evolution of the Gramm-Leach-Bliley Act of 1999. It broadens the definition of a financial institution to include, among others, mortgage brokers, collection agencies, CPAs, car dealerships that lease vehicles to consumers, and mortgage settlement companies. It also provides guidance on specific controls that need to be implemented in order to properly safeguard personal financial information.
The amendment requires non-banking financial institutions to report data breach incidents within 30 days. It applies to incidents that impact 500 or more customers. However, if the data stolen is encrypted the requirement does not apply.
The reporting requirements include the name and contact of the reporting financial institution, a description of the type of information involved, the date and duration of the incident, and the number of consumers affected. It also asks for confirmation of whether law enforcement has advised that public disclosure of the breach could obstruct an investigation or threaten national security.
The amendment is scheduled to take effect in April 2024. For more background on the FTC Safeguards Rule see this month's featured blog.
In September of 2022, the Cybersecurity and Infrastructure Security Agency (CISA) released the initial version of its #StopRansomware Guide. This provides ransomware and data extortion prevention best practices and a response checklist. The guide identifies numerous countermeasures to help prevent threat actors from infiltrating organizations and spreading ransomware. It describes many specific examples of tools and techniques that can be implemented based on the common attack vectors used by bad actors.
The 31-page updated version incorporates new information gleaned from research on the latest attack techniques collected by CISA and other security experts over the past three years.
Additional resources are cited throughout the report for more in-depth information on certain topics. Schematic diagrams articulate proper network segmentation techniques to limit the propagation of any ransomware or malware.
Organizations can use the Ransomware and Data Extortion Response Checklist as part of their Incident Response Plan.
The #StopRansomware Guide is a great resource for MSPs for managing their own internal networks, but it is also an opportunity to discuss the topic with clients and ensure they are protecting themselves at an equal level.
Join us for this free virtual event to learn about the latest use cases, adoption trends, and recommendations for prioritizing your Zero Trust projects and initiatives for 2023. Whether you are new to Zero Trust or an experienced practitioner, this forum is a must-attend event to understand the policies, procedures and technologies required to enable a zero-trust strategy.
The New Rule
The new FTC Safeguards Rule greatly expands the covered entities of GLBA and provides much more detail regarding the specific safeguards covered entities must implement.
The rule defines a financial institution as "any institution the business of which is engaging in an activity that is financial in nature…" and "An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities…"
Within the new rule itself, the following examples are cited specifically as covered entities. Those entities include, but are not limited to:
mortgage lenders
“pay day” lenders
finance companies
mortgage brokers
account servicers
check cashers
wire transferors
travel agencies operated in connection with financial services
collection agencies
credit counselors and other financial advisors
tax preparation firms
non-federally insured credit unions
investment advisors that are not required to register with the Securities and Exchange Commission
entities acting as finders
A retailer that extends credit by issuing its own credit card directly to consumers
The rule further lists additional examples of covered entities:
An automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days
A personal property or real estate appraiser
A career counselor that specializes in providing career counseling services to individuals currently employed by or recently displaced from a financial organization, individuals who are seeking employment with a financial organization, or individuals who are currently employed by or seeking placement with the finance, accounting or audit departments of any company is a financial institution
A business that prints and sells checks for consumers, either as its sole business or as one of its product lines, is a financial institution
Next OTX Roundtable Meeting
Thursday December 7, 2023
1:00 PM ET
(Virtual)
OTX Partners LLC
OTX Roundtable GRC is a peer group helping MSPs build and maintain a security and compliance-focused culture. Find out more here
© 2023 OTX Roundtable, Inc. all rights reserved. Designated trademarks, brands, logos, and service marks are the property of their respective owners.