On Tuesday, April 14, 2020, the fifth annual Incident Response Forum (the “Forum”) convened an extensive roster of presenters from private practice and the government, including from the DHS, DOJ, FTC, SEC, NYDFS, FBI, and the Secret Service, to discuss best practices for incident response.

The government panelists shared insights into the evolving landscape of data security threats and expectations for companies before, during, and after incident response.  Four key themes emerged from the various panels, discussed in more detail below.

  • Companies should consider developing appropriate strategies to protect against, mitigate, and remediate threats from evolving ransomware and business email compromise attacks.
  • Companies should consider building a trusting relationship with law enforcement before a data security incident occurs.
  • Companies should consider creating and testing a crisis communication plan pre-incident.
  • COVID-19 has not softened U.S. regulatory compliance expectations.

Evolving Threats from Ransomware and BEC

The Forum devoted a session each to ransomware and BEC attacks, underscoring their top-of-mind status for regulators, law enforcement, and private practitioners involved in incident response.  The government panelists explained that the volume and sophistication of these attacks are on the rise, including as attackers take advantage of companies’ reliance on remote work environments.

Leonard Bailey, Special Counsel for National Security at the DOJ’s Computer Crime and Intellectual Property Section, explained that ransomware attacks and similar forms of internet extortion schemes accounted for $7.5 billion in damages and were responsible for over two thousand complaints submitted to the FBI’s Internet Crime Complaint Center (“IC3”) in 2019 alone.  Underscoring this, IC3 recently published a public notice that online extortion scams are on the rise during the COVID-19 crisis.  Like ransomware attacks, BEC schemes are not new, but they have evolved with technology and have become more pervasive.  Michael D’Ambrosio, Deputy Assistant Director for Cyber, Office of Investigations of the U.S. Secret Service, explained that he has seen an 80% increase in reported BEC incidents in the past year and that the scheme appears to be increasingly common for Office 365 users.  Mr. D’Ambrosio also highlighted the proliferation of BECs using AI-enabled deepfake audio, which we wrote about earlier this year.  Related to these, Kristina Littman, Chief of the Division of Enforcement’s Cyber Unit at the SEC, noted an uptick in the hacking of material, nonpublic information—including account intrusion or takeovers—and spoofing of financial institution websites.

Mr. Bailey indicated that the emergence of the Maze Ransomware, which exfiltrates company data before encrypting it, reflects an evolution in ransom attacks that include a threat to publish compromised information publicly if the attacker is not paid.  He explained that this new disclosure risk makes it increasingly important for companies to treat the life cycle of a ransomware attack similar to that of a data security incident, and prepare and respond accordingly.  Similarly, Justin Herring, the Executive Deputy Superintendent of the Cybersecurity Division at the NYDFS, recommended that companies be prepared to assess their reporting obligations to regulators, including to his agency, if they become the victims of a ransomware attack that presents a substantial likelihood of materially harming the companies’ operations–even if the ransomware attack did not compromise PII.

The panelists highlighted the benefit of preparing to mitigate these threats.  Mr. D’Ambrosio underscored the value of processes and procedures to authenticate email senders.  In the event of a BEC resulting in an erroneous wire transfer, he advised companies to call their law enforcement contact promptly, and notify both the issuing bank and receiving bank to maximize the chance of fund recovery via recall and/or freeze.  Michael Sohn, Supervisory Special Agent at the FBI L.A. Field Division, recommended companies also engage with third-party vendors to ensure that the vendors do not become an additional source of the companies’ vulnerability to BEC and ransom attacks.

For further discussion of ransomware attacks and the risks related to paying the ransom, check out our previous post here.

Benefits of Timely Information Sharing with Law Enforcement

The government panelists at the Forum almost universally emphasized the benefit of building a trusting relationship with law enforcement before suffering from an incident.  Michael Sohn even suggested that companies should get the FBI involved in the incident response planning stage, including during table-top exercises.

When incidents occur, companies can leverage preexisting relationships with law enforcement to share information promptly and maximize the latter’s ability to help.  Mr. Sohn and various other speakers encouraged timely and detailed submissions of IC3 complaint referral forms as an additional avenue of information sharing, explaining that law enforcement uses these forms to connect the dots among discrete incidents and help companies recover funds lost in BEC scams.  Mr. Sohn emphasized that the FBI does not impose a monetary threshold for its involvement in a case.

Timely sharing of information also allows law enforcement to alert other relevant stakeholders.  For instance, Mr. Sohn explained that in the L.A. Field Office, the FBI has a team dedicated to proactively sharing key cyber threat information with the private sector.  Yet he emphasized that they view this information sharing as a two-way street.  The Secret Service and FBI also have connections with their counterparts overseas and often collaborate on cyber crimes that have cross-jurisdictional elements, as is often the case for BEC attacks. As for other regulators, Mr. Herring noted that while the NYDFS does not follow a specific formula for sharing information with other regulators or law enforcement, his agency works closely on cases with various district attorney offices and the NYAG.

For further discussion on timely information sharing with the FBI in the event of a cyber incident, check out our prior post here.

Art of Crisis Communication

In addition to prompt information sharing with law enforcement, the government panelists also pointed to the importance of careful crisis communication during an incident.  Leonard Bailey from the DOJ advocated for companies to draft a two to three-sentence holding statement describing the incident, and to be ready to make a statement without delay.  In drafting such statements, he explained that it is critical to capture the essence of the facts while ensuring that they are broad enough not to trigger a constant need for updates as additional facts emerge from forensic investigation.

James A. Trilling, Senior Attorney, Division of Privacy and Identity Protection at the FTC, echoed the need for consistency in messaging.  He highlighted the value to companies when they align their communications to different regulators.  He urged companies to develop a thorough and consistent narrative at the outset, and advised that such efforts could be bolstered by adopting a proactive stance towards communication and conducting a comprehensive investigation as early as possible, even though additional facts might emerge as the investigation proceeds.

Continuing Uptick in Regulatory Scrutiny and Compliance Expectations

Remarks from the government panelists underscored our recent observation that we are unlikely to see drastic relief from privacy or security regulation and enforcement during the COVID-19 crisis.  Several panelists alluded to their respective agencies’ continued compliance expectations, and a general trend towards stricter enforcement of regulatory requirements.

Ms. Littman described the SEC’s two-prong cybersecurity focus:

  • Regulated entities should implement adequate cybersecurity controls, especially in areas implicating customer PII; and
  • Issuers should adopt policies and procedures that ensure appropriate cybersecurity related disclosures to investors.

Ms. Littman explained that controls should be commensurate with the risks created by their adopted technologies—there is no one-size-fits-all approach.  Ms. Littman noted, though, that the Division of Enforcement often considers the Office of Compliance Inspections and Examinations (“OCIE”)’s examination criteria to determine whether a data security event warrants an investigation or enforcement action.  For further discussion of OCIE’s latest cybersecurity observations issued in January 2020, check out our prior post here.

On disclosures, Ms. Littman explained that the SEC refrains from second-guessing an issuer’s good-faith judgment and reasonable decisions with respect to disclosures.  Nevertheless, issuers should adopt policies and procedures that appropriately elevate reportable data security events to senior leadership, empower the board’s oversight of cybersecurity risk management, and appropriately disclose material cybersecurity incidents to investors.

As for the NYDFS, Mr. Herring reiterated that the agency, including the incident response team, which he oversees, is focusing on supervision, examination, and policy development in the near term.  He noted that not only has the NYDFS started homing in on cyber incidents from a compliance enforcement perspective and opening new cases, it has also ramped up its policy development, starting with key issues such as health insurance.  Related to this, the NYDFS issued COVID-19 guidance on April 13, 2020, which you can find more information about here.

James A. Trilling also highlighted his agency’s enforcement focus, including that the FTC is considering the following factors in determining the reasonableness of a data security compliance program:

  • existence and documentation of security controls;
  • an Incident Response Plan (“IRP”) that is consistent with industry standards;
  • evidence demonstrating that the company’s cybersecurity practices are consistent with the written IRP and stated security controls.

Mr. Trilling also noted that the FTC’s data security orders increasingly contain language that:

  • prescribes with specificity what the company must do with respect to its Comprehensive Information Security Program;
  • mandates increased accountability for Third Parties, including independent sampling, employee training, and comprehensive review;
  • elevates data security review to the C-suite level.

For further discussion of data security enforcement trends in 2020, check out our previous post here.

The Panelists

The full slate of government panelists is listed below, and you can find their bios here.

  • Justin Herring (NYDFS, Executive Deputy Superintendent, Cybersecurity Division)
  • Ian Brekke (DHS, Deputy General Counsel (pending approval))
  • Lars McCarter (DHS, Strategic Advisor, Threat Hunting, Cybersecurity and Infrastructure Security Agency)
  • Leonard Bailey (DOJ, Special Counsel for National Security, Computer Crime and Intellectual Property Section)
  • James A. Trilling (FTC, Senior Attorney, Division of Privacy and Identity Protection)
  • Kristina Littman (SEC, Chief, Cyber Unit, Division of Enforcement)
  • Michael C. Sohn (FBI, Supervisory Special Agent)
  • Michael D’Ambrosio (U.S. Secret Service, Deputy Assistant Director for Cyber, Office of Investigations)

The authors gratefully acknowledge the assistance of law clerks Catherine Martinez and Mathew Elder in preparing this entry.