Cyber Capsule - August 2022

Troutman Pepper

Please find our fourth edition of the Cyber Capsule. As in months past, we continue to see an emphasis on two trends — an emphasis on cybersecurity funding and an emphasis on information sharing. Information sharing, however, highlights a common tension in the incident response world — determining the right amount of information to share. It is often difficult for a business responding to an incident to know what information to share and when. Mandatory disclosure requirements, of course, take some of that decision-making away from a business. The question becomes: Do these mandatory disclosures do more harm than good? It depends on who you ask.

KEEP YOUR EYES ON THESE

  1. Don't Bank on It: Financial Industry Trade Groups Claim TMI. On July 14, the U.S. House of Representatives passed the 2023 defense budget bill, HR7900, by a vote of 329-101. The bill contains an amendment with security rules that financial trade groups claim are both duplicative and problematic. Trade groups argue that they already are subject to extensive incident reporting, and because these rules create more reporting obligations to different agencies under different standards, they further complicate the reporting process and can negatively affect how impacted entities respond to an incident. Trade groups also claim that the proposed amendment would require banks and other critical infrastructure to release details about their software vendors and other supply chain risks that could later endanger them if that data were stolen from the government in a cyberattack.
  2. Small Business Owners Need a Lift? On August 2, Sen. Maggie Hassan (D-NH) introduced the Small Business Cybersecurity Act (S4701), which would establish a federal program to provide direct grants to small businesses to fund: (1) cybersecurity training; (2) hiring cybersecurity consultants; (3) reviewing cybersecurity policies/procedures; and (4) testing those policies/procedures. Maximum amounts are based on a three-tier formula, with small states receiving up to $200,000, medium states up to $300,000, and large states up to $400,000.
  3. Take Back the Power? On August 1, Sens. Mark Warner (D-VA), Jon Ossoff (D-GA), and Cynthia Lummis (R-WY) introduced the Improving Cybersecurity of Credit Unions Act (S4698), which seeks to return third-party examination authority over credit unions to the National Credit Union Administration (NCUA). Currently, federal and state bank supervisors have third-party examination authority. The NCUA claims that if it regains authority, it would better protect credit union customers and strengthen credit unions against cybersecurity risks, privacy violations, and anti-money laundering schemes.
  4. Taking the Law Into Its Own Hands. On August 11, the Consumer Financial Protection Bureau (CFPB) published a circular explaining how and when financial firms may violate the Consumer Financial Protection Act (CFPA) by failing to adequately safeguard consumer data. The circular also discussed widely accepted data security practices, such as multifactor authentication (MFA), password management, and timely software updates, but it fell short of mandating these practices under the CFPA.
  5. California Seeks to Mandate Certain Agencies to Adopt Security Policies. On August 30, AB2135 made its way to the governor's desk after passing in the Senate on August 23 by a vote of 39-0. The bill would require state agencies not under the governor's direct authority to (1) adopt and implement certain security and privacy policies, standards, and procedures; and (2) perform a comprehensive independent security assessment every two years.
  6. Clarity or Confusion? On August 31, the governor received AB1711 for consideration after it passed in the California Assembly by a vote of 74-1. The bill would require an agency to post a notice on its internet website when a person or business operating a system on behalf of the agency must issue a security breach notification. Proponents believe the bill would give customers certainty (1) that the data breach notification letter they receive is authentic; and (2) about the source of the breached data. Bill opponents, however, claim the bill would create more confusion, since it requires the agency to post a "notice of data breach" on its own website (to the extent it maintains one) even when the vendor was the source of the breach.

SHARING IS CARING

  1. New Cybersecurity Framework Provides Open-Source Communication. On August 10, a group of 18 technology and cybersecurity firms announced the Open Cybersecurity Schema Framework project, which intends to facilitate the exchange of information to help prevent, detect, and ward off cyberattacks more efficiently.

FORGET ME NOT

  1. NYDFS Proposes Amendments to Cybersecurity Requirements. On July 29, the New York Department of Financial Services (NYDFS) released its proposed amendments, seeking to strengthen and expand upon existing cybersecurity requirements. The amendments (1) create a new category of Class A companies; (2) enhance governance, technology, and risk assessment requirements; and (3) impose new notification obligations, including a 72-hour notification to the NYDFS and a 24-hour notification requirement for any extortion payment. For more details, please see Troutman Pepper's Consumer Financial Services Law Monitor article.

POTPOURRI

  1. Knowledge Is Power. Beginning in July 2023, all New York attorneys must complete one additional CLE requirement — at least one cybersecurity CLE credit.

AS THE WORLD TURNS

  1. Cybercrime Groups Resort to Call-Back Phishing Tactics. Researchers believe at least three distinct groups that separated from the Conti operation have adopted BazarCall phishing tactics as the primary attack vector to gain initial access.

  2. REWARD: US Government Seeks Information on Malicious Cyber Criminals. The U.S. government is offering up to $10 million in rewards for information pertaining to five high-ranking members of the Conti ransomware group.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising
