
Ice Miller Cybersecurity Update: What You Need to Know About New Federal Cybersecurity Measures

The Biden Administration and Congress are steeped in debate over new cybersecurity measures to combat ransomware attacks and security breaches of companies operating in the critical infrastructure industry. In the Senate, legislation has been introduced to mandate cyber incident reporting, while federal agencies like the Department of Justice (DOJ) and Office of Foreign Assets Control (OFAC) have announced efforts and guidance to crack down on companies failing to address cybersecurity issues. In the critical infrastructure sector, the Transportation Safety Agency (TSA) is moving forward with additional requirements for the airline sector, similar to enhanced regulations that were put in place for pipeline operations following the Colonial Pipeline ransomware attack. Finally, the Department of Justice has warned all defense contractors that failure to report security incidents in a timely manner may open companies to investigations under the False Claims Act (FCA), a clear statement by the DOJ that it does not believe contractors are complying with requirements under the Federal Acquisition Regulations.

Senators Propose Cyber Incident Reporting Bill

Senators in the Homeland Security and Governmental Affairs Committee recently released a bill that proposes new requirements for critical infrastructure owners and operators to report cyber attacks within 72 hours to a new, aptly named “Cyber Incident Review Office” within the Cybersecurity and Infrastructure Security Agency (CISA). This requirement would be imposed on all critical infrastructure companies and would be similar to the current 72-hour reporting requirement for defense contractors. The industry had pushed for at least a three-day window for reporting after Sen. Mark Warner (D-Va.) and Sen. Marco Rubio (R-Fl.) introduced legislation earlier this summer requiring incident notification within 24 hours. In addition to reporting incidents, the bill would also mandate reporting on ransomware events by requiring organizations, including businesses with more than 50 employees, nonprofits, and state and local governments, to notify CISA if they make a ransom payment. Entities would be required to evaluate alternative options before making a ransom payment, as the U.S. government currently advises organizations not to pay ransomware gangs to unlock their data due to concerns that doing so will further incentivize those groups. Senate sponsors will be presenting the bill to the Senate in the coming months.

DOJ Announced Initiatives to Crack Down on Cybersecurity-Related Fraud

On October 6, the DOJ launched its “Civil Cyber-Fraud Initiative,” which aims to “combine the department’s expertise in civil fraud enforcement, government procurement, and cybersecurity to combat new and emerging cyber threats to the security of sensitive information and critical systems.” Notably, this Initiative will use the False Claims Act (FCA) to pursue cybersecurity-related fraud by government contractors and grant recipients. We’ve already seen the government and fraud claim relators use the FCA to punish contractors for allegedly violating Federal Acquisition Regulation cybersecurity safeguarding requirements. Significant to contractors, the DOJ aims to use this initiative explicitly to “hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.” Contractors would be wise to address cybersecurity compliance issues ASAP.

OFAC Releases Additional Ransomware Response Guidance

As we recently covered, OFAC updated its guidance on ransomware payments and imposed sanctions on a cryptocurrency exchange for facilitating ransomware payments. OFAC’s new guidance emphasizes that making ransomware payments, or facilitating ransomware payments on behalf of a victim, may violate OFAC regulations. Even if companies unknowingly make or facilitate such payments to threat actors who are on, or have a substantial nexus to an entity on, the sanctions list, those companies may still be liable for sanctions violations. Yet OFAC’s new guidance also offers companies a way to reduce the likelihood of an enforcement action: taking “meaningful steps” to reduce the risk of extortion by improving cybersecurity practices, as highlighted in CISA’s September 2020 Ransomware Guide. Meaningful steps include:
  • Developing incident response plans;
  • Maintaining offline backups of data; and
  • Employing authentication protocols.
OFAC noted—and companies should do the same—that taking those steps could be a “significant mitigating factor” in enforcement responses.

Ice Miller Cybersecurity Attorneys

Ice Miller has extensive experience assisting companies in navigating and complying with federal cybersecurity laws and regulations, as well as advising on cybersecurity-related procurement opportunities. Our team includes Guillermo Christensen, managing partner of the Firm’s Washington DC office and a former CIA officer with national security experience in the intelligence community and internationally with the U.S. Department of State; Christian Robertson, a former U.S. Air Force intelligence officer who regularly advises clients on international supply chain matters; and Angad Chopra, law clerk in Ice Miller’s Data Security and Privacy Group (admission to the Illinois state bar pending).

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.