The 2023 Cyber Year in Review

Hinckley Allen

The Most Significant Developments in Cybersecurity and Cyber-Related Liability Risks

As we reflect upon 2023, it will unfortunately be remembered as a record-breaking year for ransomware and cybercrime. Data breaches have affected companies of all sizes and in every sector, costing the United States billions of dollars in damages. Hackers are increasingly using double and triple extortion tactics that combine encryption, data exfiltration, and distributed denial of service attacks. According to IBM’s 2023 Cost of a Data Breach Report, the average total cost of a data breach in the United States increased to $9.48 million. The most common causes of a data breach are phishing and the use of stolen or compromised credentials. Advances in generative artificial intelligence will likely cause these numbers to grow in 2024 as AI tools such as WormGPT and FraudGPT are used to craft more persuasive phishing emails, develop malicious code and malware, and identify security vulnerabilities or weaknesses in target organizations’ networks.

No organization is immune from becoming a victim of a cyberattack. Similarly, no industry has been spared from these highly disruptive and damaging hacks: law firms, hospitals, healthcare organizations, insurance and technology companies, financial institutions, manufacturers, retail, government agencies, municipalities, and schools were targeted this year.

While cyber threats vary, the most serious and persistent threat in 2023 was ransomware.[1] Ransomware attacks have become more sophisticated and aggressive, incorporating high-pressure extortion tactics – even threats of violence if victims do not pay. The number of ransomware victims in 2023 surpassed that of 2021 and 2022 and, according to a report issued by cyber policy underwriter Corvus Insurance,[2] global ransomware attacks increased 95% from 2022. According to the Sophos State of Ransomware 2023 report, the average ransom payment was $1.54 million. By 2031, ransomware attacks are predicted to cost victims $265 billion annually.[3] Schools at both the primary and higher education levels, in particular, have become a top target for ransomware in the United States and are more likely to pay a ransom than other organizations.

While cybercrime has increased exponentially, so has the number of federal and state cybersecurity regulations. Most notable are the SEC’s new cybersecurity disclosure rules, the strengthening of the Federal Communications Commission’s data breach notification requirements, and the significant expansion of the New York Department of Financial Services’ (“NYDFS”) cybersecurity regulations, which include a new 72-hour reporting requirement for ransomware attacks and cybersecurity incidents, a 24-hour reporting requirement for any cyber extortion payment (with a report due within 30 days explaining why the payment was necessary), and numerous other new compliance requirements. Two further rulemakings are pending: the Department of Defense has yet to publish the final Cybersecurity Maturity Model Certification (“CMMC”) rules, applicable to all defense contractors, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency is due to publish, by March 2024, its proposed rules implementing the 72-hour cyber incident reporting requirement for all organizations involved in critical infrastructure under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). Meanwhile, the Department of Health and Human Services (“HHS”) announced new measures that would increase cybersecurity requirements for hospitals and healthcare organizations in 2024 (“HHS Cybersecurity Initiative”), including new cybersecurity requirements for hospitals and updates to the Health Insurance Portability and Accountability Act (“HIPAA”) to add cybersecurity measures.

This announcement recognizes how vulnerable the healthcare industry is to cyberattacks. The number of large data breaches affecting the healthcare industry has increased 93% over the last five years. In 2023, there were more than 300 publicly reported ransomware attacks against healthcare organizations. These attacks were highly disruptive. For instance, in November 2023, Ardent Health Services, which operates 30 hospitals and more than 200 healthcare facilities in six states, suffered a ransomware attack that effectively shut down its hospitals, required ambulances to be diverted, and created an immense public safety threat.

Further, the roll-out of the HHS Cybersecurity Initiative coincides with HHS’s December 7, 2023 announcement of its first settlement of an investigation into a phishing attack: a 2021 attack on Louisiana-based medical group Lafourche Medical Group (“Lafourche”) that led to a data breach affecting nearly 35,000 patients and to HIPAA violations.[4] Lafourche agreed to pay $480,000 and to implement a corrective action plan, which includes two years of monitoring. In this case, the hackers had used a phishing attack to gain access to an email account that held the electronic health information of 34,862 people. HHS found that Lafourche violated HIPAA by failing “to conduct a risk analysis to identify potential threats or vulnerabilities to electronic protected health information.” This settlement foretells a far stronger role for HHS in investigating and disciplining healthcare organizations for weak cybersecurity controls.

In 2023, the SEC and the Federal Trade Commission (“FTC”) clearly signaled that they intend to aggressively investigate and enforce their regulations to protect the public from lax cybersecurity and from false and misleading corporate disclosures about data breaches and privacy violations. For example, Amazon agreed to pay the FTC $30 million to settle privacy and cyber-related charges concerning Alexa and Ring. Blackbaud paid a $3 million fine to settle SEC charges that it made false representations about the impact of a 2020 ransomware attack – it claimed that its charitable donors’ personal information (social security numbers and bank account information) was not accessed when in fact the hackers had accessed and exfiltrated that data.

Not only has the enforcement landscape grown more precarious for corporations, but corporate executives now face significant personal liability for mishandling cyberattacks, failing to implement internal controls, and failing to comply with cybersecurity regulations.

The Department of Justice (“DOJ”) and Securities and Exchange Commission (“SEC”) have both clearly signaled that they plan to hold corporate executives accountable for cybersecurity noncompliance. In May 2023, DOJ sought a 15-month prison sentence against Uber’s former Chief Security Officer, Joseph Sullivan, the first corporate executive to be criminally prosecuted for concealing a data breach. In October 2022, the jury convicted Sullivan of obstructing justice and misprision of a felony. Although the Court declined to imprison Sullivan as DOJ requested, this case should serve as a warning that DOJ will be seeking jail time against corporate insiders who choose to cover up embarrassing cybersecurity mistakes and lie to federal officials.

Since announcing the Civil Cyber Fraud Initiative in October 2021 and criticizing government contractors for choosing silence “rather than reporting breaches,” DOJ has announced four settlements under this Initiative. Most recently, in September 2023, DOJ announced a $4 million settlement with Verizon Business Network Services LLC for failing to fully implement cybersecurity controls in connection with an information technology service it provided to federal agencies. While the above would be enough to make the year significant, five developments in particular stood out in 2023.

  1. The SEC Charges SolarWinds and its Chief Information Security Officer, Timothy Brown, with Fraud and Internal Control Failures.

On October 30, 2023, the SEC filed a civil complaint against SolarWinds and its CISO, Timothy Brown (“Brown”), sending shockwaves through corporate security departments. The charges relate to alleged misrepresentations about cyber risk, internal control failures, and securities fraud associated with a sophisticated supply chain cyberattack on SolarWinds’ Orion network management software (“SUNBURST”) orchestrated by a foreign government. The SEC had never before charged a corporate individual for their role in cybersecurity failures or deficiencies, but it is now clear that it intends to hold individuals personally accountable for cybersecurity lapses and inaccurate cybersecurity disclosures.

The SEC alleges that from October 2018 through January 12, 2021, SolarWinds and Brown defrauded investors and customers through misstatements and omissions that concealed the company’s “poor cybersecurity practices” and “increasing cybersecurity risks.” SolarWinds allegedly misled investors by disclosing only hypothetical and generic cybersecurity risks when the company and Brown knew of specific vulnerabilities, poor cybersecurity controls, and elevated risks affecting SolarWinds’ security posture. Despite knowing about SolarWinds’ vulnerabilities and questioning the company’s ability to protect its critical assets, Brown failed to fix or address these deficiencies. After learning about the SUNBURST attack, SolarWinds made incomplete and misleading disclosures in its Form 8-K filing.

  2. New York Lawyers Were Sanctioned for Blindly Relying Upon ChatGPT to Conduct their Legal Research and Using that Research in Pleadings Filed in Federal Court.

On June 22, 2023, U.S. District Court Judge P. Kevin Castel for the Southern District of New York imposed sanctions on two New York lawyers, Steve Schwartz and Peter LoDuca, who had filed pleadings in opposition to a motion to dismiss in federal court that included six “non-existent judicial opinions with fake quotes and citations created by the artificial intelligence tool ChatGPT.” See “Opinion and Order on Sanctions” issued in Mata v. Avianca, Inc., 22-cv-1461 (PKC), Doc. #54. Even after opposing counsel notified the attorneys that their citations were non-existent and could not be found, the attorneys “continued to stand by the fake opinions.” The lead attorney, Schwartz, explained in an affidavit submitted to the Court that he relied upon ChatGPT rather than conducting his own legal research or verifying that the cases he cited in his brief were legitimate. Instead, Schwartz asked ChatGPT whether one of the cases cited was a real case. ChatGPT falsely claimed that it was and could be “found on legal research databases such as Westlaw and LexisNexis.” In his 43-page decision, Judge Castel noted that this case was “unprecedented” but found that Schwartz and LoDuca acted in “bad faith” by consciously avoiding learning the truth and by making false and misleading statements to the Court. Judge Castel ordered the lawyers and their firm to pay a $5,000 fine. Subsequently, in November 2023, a Colorado attorney was temporarily suspended for 90 days after he used “sham cases” generated by ChatGPT in a motion filed in state court and, when questioned about it, falsely claimed that an intern was responsible for the errors. See People v. Zachariah C. Crabill, Case No. 23PDJ067 (Colo. Nov. 22, 2023).

As a result of issues like these, numerous courts have either issued standing orders or have proposed rules requiring lawyers to disclose whether they used AI tools to conduct any legal research for any pleadings and verify that the citations contained in any legal briefs are real.

Beyond the risk of fabricated information, the use of AI tools is drawing scrutiny from the United States and foreign governments. Indeed, the EU recently approved its AI Act, designed to regulate AI and implement guardrails. These efforts will undoubtedly continue in 2024. Both the SEC and the FTC have also announced investigations targeting AI. The SEC recently issued requests for information to several investment advisors as part of an investigative sweep seeking information on how they use AI.[5] In July 2023, the FTC opened an investigation into whether OpenAI, the company that developed the ChatGPT platform, mishandled personal data or violated other consumer protection laws.

  3. The SEC Issues Final Rules on Public Disclosures of Cyber Incidents.

On July 26, 2023, the SEC adopted new cybersecurity incident reporting rules for public companies subject to the reporting requirements of the Securities Exchange Act of 1934. These new rules require public companies to publicly report any cybersecurity incident that they determine to be “material” within four business days of making that determination, on a Form 8-K filed with the SEC. On the Form 8-K, companies are required to describe the “material aspects of the nature, scope, and timing of the [cybersecurity] incident, as well as the material impact or reasonably material impact of the incident” on the reporting company, “including its financial condition and results of operations.” The materiality determination itself must be made “without unreasonable delay.” The new SEC rules also impose periodic disclosure requirements about cybersecurity risk management, strategy, and governance.

As demonstrated by several public companies that recently experienced ransomware attacks including Clorox, MGM Resorts, and Caesars Entertainment, complying with these rules will be very difficult and require extensive preparation. Cyberattacks are not typically contained, investigated, and remediated in a matter of days. Within four days of discovering a likely material cybersecurity incident such as a ransomware attack, organizations do not know the true scope of the incident and likely do not know (1) how their network was accessed; (2) whether any backdoors still remain on their network; (3) how long cyber actors have been hiding on their network and accessing files; and (4) what data/files were compromised. Furthermore, as the National Association of Corporate Directors stated, the four-day incident reporting deadline “may not allow companies the time to put in place adequate patches and protections before being forced to make it known that they have been compromised digitally.” This could lead to attack escalation. In addition, during this short four-day reporting time frame, organizations may still be trying to determine attribution or could be engaged in negotiations with the cyber actors to gain necessary intelligence. Yet, such SEC disclosures are required to be publicly filed and executives will be held accountable for any false or misleading statements made about cybersecurity incidents.

Further, the SEC is allowing only a limited law enforcement exception to this reporting requirement. The exception must be approved by the U.S. Attorney General within the four-day deadline and, for it to apply, the Attorney General must determine “that the disclosure of the cybersecurity incident rather than the incident itself poses a substantial risk to national security or public safety.” Both the FBI and DOJ recently issued guidance on how victims can request that DOJ authorize a disclosure delay for national security and public safety reasons, which makes clear that such delays will rarely be granted.

Lastly, the SEC’s whistleblower program poses a looming threat for public companies faced with having to comply with these stringent new rules. We have already seen bad actors seek to take advantage of this program. Hackers (BlackCat a/k/a ALPHV) had the audacity to file a complaint that one of their victims, MeridianLink, had not reported the incident to the SEC within four days of the attack on its network. This was likely in retaliation for the victim’s refusal to pay the ransom, and the tactic will now become part of the criminal extortion playbook.

  4. The Russian Ransomware Attack of MOVEit Weaponized a Zero-Day Vulnerability Demonstrating How Supply Chains Can Be Exploited.

In May 2023, the Russian ransomware gang CLoP began abusing a zero-day vulnerability in Progress Software’s MOVEit Transfer enterprise file transfer tool. Although Progress Software quickly issued a patch, CLoP stole the personal data of more than 65 million people worldwide from over 2,000 organizations, including governmental entities such as New York City’s public school system as well as private businesses. The number of victims continues to grow, and class action lawsuits have been brought against numerous companies. This was clearly the largest data theft of 2023.

The SEC has already begun investigating Progress Software and served the company with a subpoena on October 2, 2023. The issuance of a subpoena does not necessarily mean that the SEC will bring a civil complaint against Progress Software as it did against SolarWinds. In light of the SEC’s recent pronouncements and aggressive posture, however, the SEC’s regulators will undoubtedly be closely scrutinizing Progress Software’s internal controls, corporate governance procedures, and public disclosures against its internal communications and cybersecurity assessments.

  5. The DOJ Cracks Down on Crypto with a Guilty Plea from Binance’s CEO, Weeks After Convicting the Founder of FTX of Stealing Billions of Dollars from its Customers.

Less than three weeks after Sam Bankman-Fried, the founder and former CEO of the collapsed FTX crypto exchange, was convicted of a massive multi-billion dollar fraud, Changpeng Zhao, the founder of Binance Holdings Limited (“Binance”), the world’s largest cryptocurrency exchange, pled guilty to a single felony – failing to maintain an effective anti-money laundering program – and resigned as Binance’s CEO. Binance also pled guilty to conspiracy, acting as an unlicensed money transmitting business, and sanctions violations, and agreed to pay a fine of $4.3 billion. According to DOJ, Binance prioritized profits over U.S. financial laws and illegally processed billions of dollars in trades for terrorists, hackers, and child abusers on its platform. As part of the DOJ settlement, Binance will be subject to extensive monitoring for at least three years.

In July 2023, DOJ announced that it was “super-charging” its criminal investigations into malicious cyber activity and the abuse of cryptocurrency. DOJ has been highly critical of crypto, describing the currency as being used primarily for nefarious and illegal purposes. Indeed, in recent enforcement actions and press releases, DOJ identified North Korea as one of the primary beneficiaries of crypto, having used illegally obtained cryptocurrency to finance its weapons of mass destruction program. Through the prosecutions of Bankman-Fried and Zhao, DOJ has sent a clear message that the use of new technology, however complex, will not deter prosecutions from being brought.

Conclusion

New federal and state cybersecurity regulations and cyber incident disclosure requirements – such as the rules enacted by the SEC and NYDFS – will undoubtedly create significantly more liability risk and compliance requirements for companies. It is critical that organizations maintain strong cybersecurity programs, designed using a risk-based approach, that implement reasonable cybersecurity controls and effective cybersecurity risk management and oversight processes. A vital component of such programs is an incident response plan.

Additionally, the best way to prevent cyberattacks and mitigate the risks caused by them is to practice good cyber hygiene, including: implementing multifactor authentication wherever possible; ensuring software patching and security updates are regularly performed; incorporating access controls, network segregation, and data minimization into your enterprise cybersecurity; using tools that monitor, detect, and block suspicious user activity, threats to external endpoints, and changes to firewalls; and providing corporate personnel frequent and comprehensive cybersecurity training.


[1] In general, ransomware involves the encryption of data and extortion for the release of that data. Typically, after gaining access to a network, hackers steal sensitive data, then deploy ransomware (a form of malware) to encrypt the victim’s network, and finally, demand a ransom for the release of the victim’s data and not to sell the stolen data on the ransomware gang’s leak site on the dark web.

[2] See Corvus Report dated October 24, 2023 available at https://www.corvusinsurance.com/news/2023-ransomware-attacks-up-more-than-95-over-2022-according-to-corvus-insurance-q3-report.

[3] Global Ransomware Damage Costs Predicted to Exceed $265 Billion by 2031, Cybercrime Magazine, Jul. 7, 2023, available at https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-250-billion-usd-by-2031/.

[4] See HHS Press Release dated December 7, 2023, available at https://www.hhs.gov/about/news/2023/12/07/hhs-office-for-civil-rights-settles-first-ever-phishing-cyber-attack-investigation.html.

[5] Richard Vanderford, SEC Probes Investment Advisers’ Use of AI, Wall Street Journal, Dec. 10, 2023, available at https://www.wsj.com/articles/sec-probes-investment-advisers-use-of-ai-48485279.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hinckley Allen | Attorney Advertising
