Cyber Intelligence Weekly (November 5, 2023): Our Take on Three Things You Need to Know
Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!
To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe
Before we get started on this week’s CIW, I’d like to highlight one of the newest members of our team, Erin Conway, CPA, Senior Consultant, vCISO Advisory Services. She is the newest addition to our growing vCISO advisory team, assisting clients in making measurable progress in enhancing their cybersecurity programs. Please connect with her and say hello!
Away we go!
1. SEC Charges SolarWinds and CISO with Fraud, Internal Control Failures
The U.S. Securities and Exchange Commission (SEC) has brought charges against the software company SolarWinds, and its Chief Information Security Officer (CISO) Timothy Brown, for allegedly deceiving investors regarding the robustness of the company's cybersecurity measures. This accusation comes in the wake of a devastating cyberattack perpetrated by Russian hackers in 2019, which exploited vulnerabilities within SolarWinds' systems. According to the SEC, SolarWinds and Brown downplayed the severity of their cybersecurity shortcomings, presenting them as hypothetical rather than concrete issues, despite being aware of significant deficiencies in their defenses.
The SEC's enforcement action underlines a stark discrepancy between SolarWinds' internal evaluations of their cybersecurity posture and the much more confident front they presented to investors. Gurbir S. Grewal of the SEC pointed out that the company and Brown neglected multiple warning signs and painted an inaccurately secure picture of their cyber controls environment. This misleading representation, he suggests, left investors without crucial information about the true state of the company's vulnerability to cyber threats.
The scale of the cyberattack that hit SolarWinds is significant, with the compromise of their Orion network management software leading to breaches across a swath of critical networks, including U.S. government departments, tech firms, and healthcare providers. The SEC has been scrutinizing the cybersecurity disclosures of SolarWinds since the attack was uncovered, particularly following the discovery that an easily guessable password had been in use, contrary to the company's public security policies. In response to the SEC's charges, SolarWinds has voiced its intent to strongly contest the claims, while Brown's legal representation is set on defending his reputation against what they consider to be an inaccurate complaint by the SEC.
2. NYDFS Releases Major Update to Part 500 Cybersecurity Requirements
The New York Department of Financial Services (NYDFS) has rolled out substantial updates to its cybersecurity rules for financial services companies, marking the first major revisions to Part 500 Cybersecurity Regulations since they were first enacted in 2017. These amendments, having undergone public review and revision since their initial proposal in July 2022, were officially adopted on November 1, 2023, and will be effective immediately upon their publication in the New York State Register. However, there will be staggered deadlines for covered entities to comply with the new requirements.
In this sweeping overhaul, one of the most noteworthy changes is the introduction of "Class A Companies" – larger NYDFS-regulated entities with over 2,000 employees or more than $1 billion in annual revenue, including affiliates. These firms will face more stringent cybersecurity obligations, such as annual independent audits, implementing privileged access management, and using tools to monitor unauthorized activity. The updates also expand the responsibilities of Chief Information Security Officers (CISOs) across all covered entities, now mandating reports on material cybersecurity issues to senior executives or boards.
Furthermore, the amendments enhance governance by requiring that the senior governing body of a covered entity have a firm understanding of cybersecurity matters and be well-informed about the entity's cybersecurity program. Other significant updates require new policies on end-of-life management, asset inventory procedures, and notifications to the NYDFS within 24 hours in cases of extortion payments. The regulation now also insists on more frequent risk assessments and has added protocols for business continuity and disaster recovery planning.
For companies under the NYDFS’s watch, the clock is now ticking. With deadlines for compliance set at intervals ranging from immediate to two years post-publication, financial institutions need to assess whether they qualify as Class A companies, revise their cybersecurity policies, and ensure their CISOs and governance bodies are prepared to adhere to the updated regulations. As the landscape of cybersecurity threats continues to evolve, NYDFS’s Part 500 update is a clear message that regulatory bodies expect a corresponding evolution in the defenses of financial services against these threats.
3. Global Stand: Nearly 50 Countries Pledge Against Ransom Payments
In a landmark move, the United States, alongside nearly 50 countries, has taken a firm stand against ransomware attacks by vowing not to pay demanded ransoms. This resolve was announced ahead of the meeting of the International Counter Ransomware Initiative, an assembly first initiated by President Biden in 2021. The commitment is part of a broader strategy to combat the financing of cybercrimes and will be solidified in a joint policy statement endorsed by the participating nations, the European Union, and Interpol.
The declaration is a direct challenge to the economic model of ransomware operators. By collectively refusing to pay ransoms, these countries aim to diminish the incentive for cybercriminals to launch attacks. This year's gathering will also focus on enhancing collaboration, specifically through the use of artificial intelligence and blockchain analytics in tracking and combating ransomware activities. Another significant step includes the creation of an information-sharing platform exclusive to member countries and the introduction of a blacklist of cryptocurrency wallets known to be associated with ransomware schemes.
This no-ransom policy marks a bold shift in the international response to cyber threats, which have seen a dramatic surge, with attacks reportedly increasing by more than 150% year-over-year. However, the proposition has sparked controversy and even dissent within some law enforcement circles, where the outright banning of ransom payments has been questioned. Despite the challenges in aligning all member countries, the officials are confident that the initiative is on the cusp of universal agreement. The coalition also plans to hold countries accountable that are complacent or facilitative towards ransomware operations, signaling a new era of global cyber defense coordination and responsibility.
Thanks for reading!
About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about