Cybercrime Crackdown: 5 Regulatory Trends
In the past year, we have seen fascinating shifts in government interest and oversight of cybersecurity. There has been a resurgence of governmental interest in proactive cybersecurity legislation and regulations, as well as a sharp increase in law enforcement’s focus on cybercrime. Let’s look at the changes, proposed legislation, and how your organization can prepare.
The Cybercrime Crackdown
For far too long, ransomware operators and cybercriminal gangs went largely unchecked. In April 2021, the Department of Justice (DOJ) created a Ransomware and Digital Extortion Task Force to coordinate and prioritize the investigation and enforcement activities surrounding ransomware incidents.
Since then, the US has ramped up domestic and international law enforcement efforts, resulting in warrants, raids, and/or prosecutions of over a thousand cybercriminals. The international crackdown has reached a Trickbot leader, a SIM-swapping group, state-sponsored espionage groups, and more. Recently, the US collaborated with other countries to arrest members of the REvil group, one of the largest ransomware operations. In a surprising turn, some of the arrests were made in Russia, long a haven for cybercriminals. With those arrests attributed to pressure from the US, it’s clear that the US’s new stance of “if you come for us, we’re gonna come for you” is changing the cybercrime landscape.
Upcoming Changes Your Law Firm Should Watch
Keep an eye on emerging legislative and regulatory trends, and consider whether any of these changes could impact any of your long-term business or cybersecurity initiatives:
1. Cybersecurity regulations for US government agencies and their contractors are expanding. A 2021 Executive Order (EO 14028, “Improving the Nation’s Cybersecurity”) mandated that government agencies and their supply chain providers tighten their cybersecurity. It requires compliance with NIST guidance and makes once-optional reviews mandatory, including requirements for secure software development practices and software bills of materials from vendors. In addition, congressional hearings are underway to update the Federal Information Security Modernization Act (FISMA). These updates will further define roles and policies for government agencies and their contractors in order to implement stronger cybersecurity practices. The DOJ has also put organizations on notice, through its Civil Cyber-Fraud Initiative, that it will use the False Claims Act to pursue government suppliers who knowingly fail to meet their contractual cybersecurity requirements or misrepresent their security practices.
2. Privacy regulations are increasing. From the ground-breaking European GDPR to the California Consumer Privacy Act (CCPA), privacy legislation is becoming an increasing concern. In 2021 Virginia and Colorado passed comprehensive privacy laws, and more than 25% of US states have privacy legislation under consideration. California’s California Privacy Rights Act (CPRA) goes into effect in 2023 and adds privacy measures on top of the original CCPA. There’s also growing attention to the privacy implications of employee monitoring systems, especially under bring-your-own-device (BYOD) programs, as well as AI bias concerns and biometric data rights. In fact, several states already have pending legislation to regulate the use or collection of biometric data. As your organization makes decisions about technology innovations or data use and storage, you’ll want to keep a close eye on any applicable legislation and trends.
3. Breach reporting and policy changes for financial and healthcare compliance organizations are already in the works, with legislation pending for broader swaths of organizations. As of April 1, 2022, banking organizations must notify their primary federal regulator of certain computer-security incidents within 36 hours of determining that an incident has occurred. The same rule requires certain bank service providers to notify affected bank customers “as soon as possible” if they experience an incident that has disrupted, or is reasonably likely to disrupt, the services they provide. All organizations should watch for updates to incident reporting regulations. Congress has pending legislation that would require covered critical infrastructure entities to report substantial cyber incidents to CISA within 72 hours (and ransom payments within 24 hours). For healthcare organizations, it is widely anticipated that the 2022 changes to HIPAA will include policy updates on the speed and ways people can access PHI, the fees that can be charged, and more.
4. Regulations and rules aimed at quashing ransomware. From the Colonial Pipeline to the Kaseya attacks, the US government has been cracking down on ransomware groups and ramping up cybersecurity measures in response. To decrease the number of ransomware attacks, NIST released a framework for ransomware risk management (NISTIR 8374, a Cybersecurity Framework profile for ransomware). 2021 also saw increasing pressure from government agencies for organizations to stop paying ransoms, including OFAC guidance that paying sanctioned actors can itself carry penalties, and heightened pressure for organizations to report incidents to the FBI. The global crackdown on ransomware operators is changing the landscape: some ransomware gangs are charging higher ransoms to a smaller number of targets, while others have shifted to targeting individual computers with inexpensive ransoms.
5. The FTC declared its intent to pursue companies that do not take steps to mitigate known vulnerabilities. In January 2022, the FTC issued a press release on the importance of patching the Log4j vulnerability. This release includes the impactful statement that “The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.” The practical implication is that a failure to patch a publicly known, actively exploited vulnerability in a reasonable time is now framed as an unfair or deceptive practice, not merely an operational lapse. Organizations will need to increase their emphasis on timely patching, on maintaining an inventory of the software and libraries they run so that vulnerable components can actually be found, and on documenting remediation timelines, or face potential legal consequences.
As the US government increases its emphasis on cybersecurity, the ripple effects will be felt by all organizations. Staying aware of these trends can help your organization make informed decisions as you consider new business initiatives and how to prioritize your cybersecurity spending. This blog is distributed with the permission of LMG Security.
Authored by: LMG Security
At LMG, our singular focus is on providing outstanding cybersecurity consulting, technical testing, training, and incident response services. Our team of recognized cybersecurity experts has been featured on the Today Show and NBC News, as well as quoted in the New York Times, the Wall Street Journal, and many other publications. In addition to online cybersecurity training, LMG Security provides world-class cybersecurity services to a diverse client base located around the United States and internationally.