Amid the escalating situations in Ukraine, federal and state governments are alerting U.S. individuals and businesses of more cyberthreats that stem from Russia’s invasion of Ukraine that could impact cybersecurity in the near future.
CISA cyber security advisories
The Cybersecurity & Infrastructure Security Agency and the Federal Bureau of Investigation have released several joint cyber security advisories that include updates about the ongoing threat of Russian cyberattacks to Ukraine and other territories, including the U.S.
One Cybersecurity Advisory, which was issued last month, revealed that several national security agencies in the U.S., and the National Cyber Security Centre in the United Kingdom identified a new, more advanced malware called Cyclops Blink that has replaced malware that was previously disrupted. Cyclops Blink is more sophisticated than its predecessor and its primary target so far are devices that utilize WatchGuard, a multifunctional network security service that protects businesses of all sizes from cyberthreats.
New cyberattack reporting requirements
U.S. Congress passed the Strengthening American Cybersecurity Act of 2022 (S.3600) last week, which would require U.S. entities—including those in the finance sector—to report substantial cyberattacks to CISA within three days and within 24 hours if ransomware payments are made.
According to a statement from CISA Director Jen Easterly on Friday, CISA will use cyberattack and ransomware reports from applicable sectors to understand how U.S. adversaries are targeting U.S. networks and critical infrastructure. Additionally, the reports will allow CISA to deploy resources and assistance to victims of cyberattacks and share its discoveries quickly to warn other potential victims.
President Joe Biden is expected to sign S.3600 soon. For updates on this legislation and on how it may affect the insurance industry, watch your PIA Northeast publications.
Protection and compliance
Northeast states—including New York and Vermont—have urged individuals and businesses to protect themselves from cyberattacks; and to ensure that they comply with state and federal cyber-, sanctions- and virtual currency-related laws and regulations.*
Additionally, New Jersey Gov. Phil Murphy signed legislation (S-1889/A-3090) that requires the New Jersey Department of Treasury to develop a list of residents and entities in the state that engage in certain prohibited activities in Russia or Belarus. According to the law, New Jersey and its subdivisions are prohibited from banking with, holding investments in, or maintaining insurance coverage issued by a financial institution that appears on that list.
These events have significant implications for the U.S. financial sector, so all U.S. individuals and businesses should review this guidance.
Cybersecurity. Russia’s cyberattacks against Ukraine could spread to other territories and networks, which exposes the U.S. financial sector to increased risks to cybersecurity. Additionally, U.S. sanctions could cause Russia to retaliate by attacking U.S. infrastructure (which includes cybersecurity).
Sanctions. The U.S. has imposed a sanction against Russian individuals, banks and other entities, and all U.S. persons, including—without limitation—banks, virtual-currency businesses, insurers, insurance producers, third-party administrators and other financial institutions are prohibited from engaging in any financial transactions with them, unless otherwise authorized by the U.S. Treasury’s Office of Foreign Assets Control. For more information on U.S. sanctions, see OFAC’s Sanctions Programs and Information webpage.
Virtual currency. Transfers of virtual currency may be used to evade sanctions that are imposed on individuals and entities, including through transmission of virtual currency to or from users who are located in sanctioned jurisdictions. Therefore, all regulated entities that engage in virtual-currency business activity must have tailored policies and procedures to protect themselves against risks that virtual currency present, including through the implementation of OFAC’s Sanctions Compliance Guidance for the Virtual Currency Industry.
*Reminder: Insurance entities that hold a New York state insurance license are required to file a certification of cyber-compliance with the New York State Department of Financial Services by Friday, April 15, 2022.
NYDFS and VTDFR
According to guidance from the New York State Department of Financial Services—which was released last month—all regulated entities should comply fully with U.S. sanctions on Russia, in addition to all New York state and federal laws and regulations, including the DFS’ cyber security and virtual-currency regulations set forth in 23 NYCRR 500 and 23 NYCRR 200, respectively.
Additionally, the Vermont Department of Financial Regulation issued a press release last month that reminds investors to exercise caution and to avoid making impulsive decisions in a volatile financial market. Investors should be watchful for scam artists who are trying to turn recent market-downturn into “100% safe” or “guaranteed” investments.
Cybersecurity best practices
Additional cyber security guidance from the DFS encourages business owners to consider implementing these practices to prevent potential ransomware attacks. These do not alter the current cyber security regulations that apply to all entities that the DFS regulates.
Per the guidance, the DFS recommends that all regulated entities adopt the following measures:
Email filtering and anti-phishing training. Employee awareness of network-security obligations and regular anti-phishing training are critical to securing any network. Additionally, periodic phishing exercises can help employers assess the updated training needs for their companies. These steps are essential for any entity in which multiple employees have access to data systems.
Vulnerability and patch management. Businesses should have a thorough program to assess vulnerabilities in their infrastructures. Periodic penetration testing should be included in the program, which is designed to find, assess and remedy vulnerabilities. Timely updates and patches should be made regularly and automatically, if possible.
MFA. Multifactor authentication is an effective method of restricting access via password cracking because it adds a second layer of security. The DFS recommends that businesses adopt MFA for all privileged accounts—even when the accounts are accessed internally—to reduce the likelihood of a breach and restrict any potential breaches.
Disable RDP access. Employers should limit remote desktop privileges with which an employee can access their work computer remotely through a different device that is potentially on another network. When an entity deems RDP necessary, businesses should restrict access to approved, originating sources and require MFA for access.
Password management. Entities should ensure that all employees have strong, unique passwords. Passwords are recommended to be at least 16 characters, and for employers to prohibit commonly used passwords. Whenever possible, employers and users should turn off password caching, which is when a web browser saves passwords.
Privileged access management. Entities of all sizes should provide authorized employees with the least-privileged access necessary for them to do their jobs. Most employees should have access only to the parts of the system that they need to do their jobs. This limits the number of users with privileged access. Privileged access also should be accompanied by MFA and secure passwords. Entities should review the number of privileged accounts on a regular basis. Even employees with privileged accounts should have a second account for nonprivileged work, such as a computer login.
Monitoring and response. Businesses should have an endpoint detection and response solution to monitor and respond to activities on their systems. EDR can offer varying levels of solutions based on a company’s size and corresponding security needs.
Preparing for an incident
The DFS’ last two recommendations focus on preparing for a potential cyber security incident to limit the breach and enable a timely response.
Tested and segregated backups. Maintaining comprehensive, segregated backups of all company data allow for a much easier recovery in the event of a ransomware attack. To effectively protect the backups from a potential breach, it’s recommended to keep at least one backup offline and segregated from the company network. Backups also should be tested regularly and updated when appropriate.
Incident response plan. Companies should have an incident response plan that includes how to respond to potential ransomware attacks. This allows for a guided response if an attack occurs, and it should be tested with key decision makers.
Ransomware attacks are more prevalent than ever, especially amid foreign escalations—and they could happen to your agency. Be sure to follow these guidelines because you never know when a ransomware attack could happen to you. The time is now to act quickly.
Act quickly with PIA and partners
To help independent insurance agents identify their agencies’ cyber security weaknesses, PIA National has partnered with Thomas H. Wetzel & Associates to provide a Cyber Risk Assessment, which determines agencies’ unique cyberrisks.
Once PIA Northeast member-agencies assess their cyberrisks, they can use PIA-partnered TAG Solutions’ exclusive Cyber Security Program, which will help them to remediate their cyberrisks and cover up their exposures so that their businesses—and their insureds—are protected.
Additionally, PIA has more information on how to protect your agency through its Privacy Compliance Central, and how to comply with DFS cyber regulations (for agents who do business in New York). If you have questions, call PIA at (800) 424-4244 or email the Industry Resource Center.
Clare Irvine, Esq.
Clare Irvine, Esq., graduated from Fordham University School of Law and Arizona State University.