The recent spate of publicly disclosed ransomware attacks has caused a groundswell of debate among policy makers in Washington, D.C., regarding the most effective way to deal with the threat. The perceived need for federal action on a number of fronts is growing so strong that it is worth pondering several ideas that may continue to gain traction.
Corporations would do well now to begin preparing for certain key themes in future federal cybersecurity regulation. In so doing, they will not need to achieve clairvoyance on the exact details of such legislation, but can adapt to its nuances more easily by working now to establish some key foundations of corporate readiness.
Bound to be the most controversial of ideas floating around D.C. is the possibility of outright prohibitions on ransomware payments. Though the administration has been sympathetic to the quandary faced by companies seeking to ensure business continuity, the headwinds appear to be blowing in the direction of increasing the prohibitions on payments to ransomware actors.
While policymakers recognize the difficulty of seeming to punish corporate victims, the weight of the argument seems to be shifting, and starving such actors of funds appears to be increasingly perceived as an urgent requirement that outweighs other factors.
Enforcing Information Sharing
In the wake of the Colonial Pipeline hearings, Sen. Gary Peters (D-Mich.) alluded to draft legislation that will mandate information sharing in the event a company experiences an incident. Like payment prohibitions, this issue seems to be building sufficient support, and some form of more robust sharing requirement seems likely.
Such requirements may look to the voluntary mechanisms created through the Cybersecurity Information Sharing Act of 2015 (CISA 2015) on the road to structuring mandatory requirements. Interested parties can also look to the categories of information required in the Transportation Security Administration’s recent pipeline “Security Directive” for a taste of what may have to be offered.
Of course, a critical component of any such regulation will be the protections it places around the information provided to the federal government, which remains the primary open question.
Regulating Security Measures
Prescriptive statutory requirements relating to specific security measures have long been the subject of failed congressional initiatives (recall the draft Cybersecurity Act of 2012 and its progeny that eventually bore the more diminished fruit of CISA 2015), but current events may also tip the political stars into alignment on setting them up.
Though the list of potential remedies is too long and target-specific to exhaustively legislate, some key widely applicable themes are already lurking in the administration’s recent executive order on improving the nation’s cybersecurity. Likely requirements include: multi-factor authentication; software patching; robust segregation of information and operational technology environments for critical infrastructure; mandatory air-gapped system backups; and more stringent identity management around administrative accounts.
Though currently a less debated topic, any requirements to prohibit payments will almost inevitably need to be accompanied by backstop support for small- to medium-sized enterprises that would be more likely to experience insurmountable disruptions without decryption keys or funds to bridge the gap.
Enter something akin to the Terrorism Risk Insurance Program, authorized by the Terrorism Risk Insurance Act. Notably, as a mirror prohibition on ransom payments would suggest, it would likely avoid moral hazard problems by excluding support for transfers to threat actors, but such a program might provide continuity funds for organizations falling within a specified zone.
Spotlight on Cryptocurrency
Finally, though arguments abound as to whether tighter regulation on cryptocurrency transactions would change the landscape, the sector is certain to begin encountering much more restrictive reporting requirements.
Standard know-your-customer and anti-money laundering reporting requirements will be imposed on exchanges, many of which currently are not required by law to implement such controls.
How Companies Can Prepare
While a number of these requirements are likely to be unwelcome news to corporate America, the exact contours of those requirements matter less now, for companies confronting the impact of future federal regulation, than a general posture of security hardening and investment. Such a posture would seem prudent in the current climate, whatever regulatory future might exist.
In that regard, there are a number of steps that can be taken to prepare that are rule-agnostic, and that make good security sense regardless of future federal mandates.
Companies should ensure their information technology staff are building out robust backup systems and continuity plans. Companies should also invest now in streamlined compliance functions that can specifically bridge the space between IT and legal, that interstitial zone where technical details have to be translated into comprehensible and actionable measures that corporate leaders, let alone the federal government, will increasingly be seeking.
As evidenced by a recent Securities and Exchange Commission announcement and enforcement action, public companies should prepare for more robust disclosures regarding their cybersecurity risk governance frameworks. Any entities facilitating cryptocurrency transactions should establish, or bring such transactions into alignment with, fully functioning anti-money laundering and know-your-customer frameworks.
Taking some of these basic measures now will help build adaptability and resilience, ultimately preparing for a future that will be shaped as much by federal requirements as any other force.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Brock Dahl is counsel in the Washington, D.C., and Silicon Valley offices of Freshfields Bruckhaus Deringer, where he focuses on guiding clients through complex cybersecurity, advanced technology development, data privacy and strategy, and regulatory issues. He previously spent several years with the National Security Agency.
Boris Feldman is a partner in the Silicon Valley office of Freshfields Bruckhaus Deringer and head of its U.S. Technology Practice, specializing in securities litigation, mergers and acquisitions, and fiduciary duty and disclosure counseling. He has represented dozens of the key entrepreneurs and leading companies in the tech industry.