If you're a Maryland, D.C., or Virginia business, chances are you know someone who is a recent or current victim of a major cybersecurity attack. If you don't, then you're either a victim but don't know it yet, or you haven't been paying attention.
On Sunday, Washington confirmed that the Treasury and Commerce Departments have suffered a large-scale cyber penetration event. The cyberespionage attack is so significant that the Department of Homeland Security Cybersecurity Division released an emergency directive - just the fifth of its kind since its creation in 2015 - telling all federal civilian agencies to scour their networks for compromises.
The day before Thanksgiving, the Baltimore County Public Schools system was shut down by a ransomware attack that hit all its network systems; halting distance-learning classes for over 115,000 students. Scores of Maryland and D.C. businesses are still reeling from similar cyber-attacks discovered in recent weeks.
Cyber powerhouses like Microsoft, SolarWinds, and FireEye have also recently confirmed major cybersecurity events in recent days.
'Why Should I Care?'
The first reason that businesses should care about these major hacking, penetration, and malware events is because cyber attacks are on the rise during the COVID-19 pandemic.
The second reason you should care is because the successful penetration of the U.S. Treasury and Commerce Departments, and successful infiltration of SolarWinds, unequivocally shows that cyber attacks are becoming more sophisticated.
The third reason is because states, nations, and economic zones are introducing new and changing privacy and data security laws, which are changing the liability landscape for businesses handling, collecting, or using personal data.
And finally, you should care because the consequences and costs of a major cyber attack can be devastating. In some cases, statutory notification and reporting requirements alone can cost millions of dollars.
'Okay, so what should I do?'
The first thing businesses in the DC, MD, VA area should be doing is checking to see if they use SolarWinds' centralized monitoring platform 'Orion' (and if so, whether they downloaded Orion update version 2019.4 through 2020.2.1 (released between March 2020 and June 2020). These updates have been tainted with malware, and are reportedly the cause of the successful penetration of U.S. agencies.
Second, businesses should carefully review their cyber-insurance policies. Businesses should take a very close look at their coverage levels. Due to the costs of cyber coverage, too many businesses are holding just $1M coverage policies, and these will barely cover the costs of reporting and notice requirements in the event of breach. It leaves too great a risk that the company will bear the costs of business interruption and damages (which, depending on the jurisdiction and size of the breached company, can run in the billions!).
Businesses should also take careful note of the terms of their cyber policies. Does the policy include dependent/contingent interruption coverage? Are there limitations depending on whether the cause of an outage is by human error or negligence? Does the policy exclude outages or breaches caused by third party software? Is your coverage conditional on maintaining minimum, pre-defined levels of cyber/network security controls?
Finally, every responsible organization should develop a comprehensive and sophisticated data security and privacy protection program. Experts should be brought in to design a secure data matrix, which is documented, tested by a qualified assessor (including internal and external penetration tests), and audited annually. Anything less than this is an invitation for future peril, and may very well serve as a risk any insurance policies.
Unsure whether your organization has sufficient data protection controls? Need to know whether your cyber/business interruption policies cover you for the most common cyber events? Does your organization need help drafting enterprise-wide policies to help deliver a more secure data environment? Need to update your privacy policy? If so, contact Out-House Attorneys, LLC. We provide regulatory guidance on global data security and privacy laws, and can help you complete the data security audits and matrixes so often required by your insurers, clients, and vendors.
The information provided on this website does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information. This website contains links to other third-party websites. Such links are only for the convenience of the reader, user or browser.