These warnings should be taken seriously, and companies should strongly consider implementing the various recommendations contained in them. That is particularly true because cyberattacks from nation-states have caused significant business disruption, leading to large expenses to restore the business, compensate consumers and cover legal and regulatory defense costs and liabilities. For example, North Korean attacks in 2014 reportedly cost Sony Pictures millions in IT costs, lost income on the movie The Interview and legal expenses, in addition to the embarrassment of internal emails being publicly released. And NotPetya, destructive ransomware malware allegedly launched by Russia, has reportedly caused more than $10 billion in total damages. NotPetya affected organizations in almost every industry, including pharmaceutical companies, law firms and logistics companies.
Legal and regulatory expectations for cybersecurity are also increasing as recent new laws require companies to increase the attention and resources devoted to cybersecurity, and that serves as another reason to seriously heed warnings about possible Iranian cyberattacks. Finally, and perhaps most importantly, the overwhelming number of Iran-related warnings could well serve as compelling evidence that attack victims were “on notice” of this new wave of cyber threats, and thus that companies were required to take reasonable mitigation measures.
No economic sector is truly immune from these various warnings either. As DHS CISA pointed out in its alert, Iran has conducted numerous serious, high-profile cyberattacks over the prior decade and is known to have significant, sophisticated cyber capabilities. Its cyberattacks have hit various industry sectors, including financial services, energy, government facilities, chemical, healthcare, critical manufacturing, communications and the defense industrial base. The DHS CISA alert recites numerous high-profile and significant attacks attributed to Iran, including a multi-year, massive cyber theft campaign on behalf of the Islamic Revolutionary Guard Corps.
Given these notices, businesses should consider reasonable mitigation measures. Possible steps companies may want to take include:
- Check in with your IT Department, if you have not already done so, to confirm that the appropriate resources and attention are being directed to risks to your organization’s cyber systems. Make sure they have seen the alerts and are prioritizing the technical recommendations. It is important for management to set the tone for IT and make sure cybersecurity priorities are understood. Companies may consider delaying non-critical IT projects that may impact the company’s security posture or take resources away from cyber defensive priorities. For companies with a cybersecurity plan that calls for additional measures when the risk environment is greater, implement those measures now.
- Communicate with employees through messaging and training. All employees need to be alert for suspicious emails or other unusual computer activity. It is important for all staff to be trained and for awareness to be heightened.
- Confirm that your business continuity plans for cybersecurity and data privacy are up to date and your systems have appropriate backups. Plans need to be updated to ensure that the right relationships, including with law enforcement, are identified and current. Plans must be exercised to be effective. Consider a tabletop exercise or other method to test your organization’s readiness. Practice is essential to make sure that everyone knows the role they are expected to play in an emergency.
- Review your insurance program to understand whether you have coverage for “state-sponsored” cyberattacks. Dedicated cyber policies typically have coverage for cyber terrorism, and property policies may cover damages to the company from a cyberattack, including resulting physical damage. However, nearly all policies also have an exclusion for “war,” which some insurance companies argue precludes coverage for state-sponsored attacks. Language in policies differs, and you should bring questions to your insurance brokers and counsel.
- Make sure your company’s cybersecurity program is up to date and in compliance with all legal and regulatory requirements as well as industry best practices. Increasing regulatory requirements must be met. Cybersecurity is increasingly a legal requirement that should be treated like the organization’s other legal risks. Maintaining systems without adequate protections, or without reasonable cybersecurity precautions and controls, can lead to serious business challenges as well as legal exposure. Many existing laws and regulations have long required companies to develop reasonable cybersecurity precautions, including Gramm-Leach-Bliley (GLB), 15 U.S.C. §§ 6801 et seq., and the NYDFS cybersecurity regulation, 23 NYCRR Part 500. The legal and regulatory requirements are increasing, including a soon-to-be-effective New York law titled the Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act), which will take effect in March 2020 and requires companies across industries to adopt a comprehensive cybersecurity program.
By March 21, 2020, all companies that have private information about New York residents will need to adopt reasonable data security safeguards to protect the confidentiality of that data. Companies are exempt from this law if they can show that they are compliant with certain other cybersecurity legal requirements (GLB and 23 NYCRR 500). The SHIELD Act greatly expands New York’s requirements on companies holding data relating to New Yorkers to adopt comprehensive cybersecurity programs. The safeguards can be tailored based on the size and complexity of the institution but must at a minimum include:
- designation and training of employees to coordinate cybersecurity compliance,
- the use of third-party service providers capable of maintaining appropriate cybersecurity practices, with safeguards required by contract,
- risk assessment of the company’s cybersecurity program, including both the network and software design and the information processing, transmission and storage,
- processes and physical safeguards to detect, prevent and respond to attacks or system failures,
- monitoring and testing of the effectiveness of the cybersecurity program,
- processes to safely, securely and permanently dispose of data within a reasonable amount of time after it is no longer needed for business purposes, and
- updates to the program periodically to address changes in the business or circumstances that would require the program to be changed.
Companies that have not yet done so should examine their cybersecurity program for SHIELD Act compliance and consider updating the program promptly if it does not meet the New York requirements.