Armolon Serves on Cybersecurity Panel at the Annual National Muni Bond Summit
Generally, our blogs focus on one or two recent activities in the world of cybersecurity and cybercrime. This blog, however, provides informational bullets related to Armolon’s recent participation on a national cybersecurity panel.
I had the pleasure of serving on the Cybersecurity Panel last week at the National Muni Bond Summit (Summit) in Nashville, Tennessee. The Summit is a national and annual event organized by the Bond Dealers of America (BDA) and The Bond Buyer.
Others on the panel included Orlie Prince (Vice President, Senior Credit Officer, Manager, Moody’s Investors Service), Tiffany Tribitt (Director, Lead Analyst, Local Governments Southeast, U.S. Public Finance, Standard and Poor’s Global Ratings), and Jeffrey Peelen (Partner, Quarles & Brady LLP).
Those attending the Summit were primarily municipal bond issuers (e.g., the City of…, the County of…, the State of…), and broker dealers who originate and sell municipal bonds (mostly tax-exempt debt).
During my part of the panel discussion, I attempted to emphasize the critical nature of cybersecurity and the obvious relationship to cybercrime (emphasis on the “crime” aspect). Below are some of the informational bullet points that I laid out:
Who are they and what do they want?
- A cybersecurity attack or hack is not an attack on the computer as much as an attack on the user (be they an individual or corporate person).
- 92% of all attacks are initiated through “social engineering” by the attacker or hacker (e.g., phishing, as the way in — and then they are able to plant worms, viruses, trojans and bots onto the target’s system). The hacker is almost always sophisticated, takes time to research the target, and tries several if not many methods to “get into” the target system. The hacker is a “business” person or group of persons, and is focused on making a lot of money at the expense of others.
- Ransomware and other invasive software programs are free or are sold as a commodity (you can buy a ransomware program for about USD $35), and the methods that lead to a ransom demand are varied (the hacker does not have to be a “computer genius” to be successful at getting into the target’s system).
How you should protect your data
- Municipal and corporate entities are each significant targets, and they will work diligently with cybersecurity professionals to, at a minimum, (i) prepare and practice for receiving a ransom demand, responding to the demand, and recovering from any system damage incurred as a result of the ransom targeting, (ii) open and hold a cryptocurrency account (almost all ransoms are paid in cryptocurrency), and (iii) maintain an updated “off system” server or hard drive that holds critical, if not all, system data.
- With regard to municipal entities, it is important to remember that all municipal entities are creatures of the given state’s constitution and legislation – that is, a municipal entity can only act in a manner consistent with statutory authority. As a result, several critical questions come up in ransom demand situations, including whether the municipal entity has authority to (i) negotiate a ransom demand, (ii) open and hold a cryptocurrency account, and (iii) pay the ransom demand in United States dollars or a cryptocurrency (along the lines of “participating” in a criminal enterprise). In most states, the answer to all these questions is initially “no.”
- Both municipalities and corporate entities must be extremely careful when allowing a vendor broad or even limited access to their system. In a recent United States Securities and Exchange Commission (SEC) enforcement action, a financial institution named Voya Financial Advisors Inc. (Voya) was sanctioned and fined ($1 million) for failure to apply and monitor its cybersecurity policies to vendors who composed the majority of Voya’s staffing and performed most of Voya’s financial activities. See, SEC Charges Firm With Deficient Cybersecurity Procedures.
- Many entities are beginning to consider placing critical data on the “cloud”. This is a recent development, and the effort has been described as a “migration” into the cloud (even an “evolution”). As can be imagined, there are many positives and almost as many potential negatives that come to the forefront during the migration to and eventual participation in placing data on a cloud.
- Finally, most cybersecurity professionals agree that serious and consistent “training” and “monitoring” of all personnel allowed on a given system is the best defense against becoming a target of a cybercriminal. Cybersecurity is a very important game of strategy (similar to chess). As noted above, it is you against the cybercriminal. You cannot completely protect the system from a criminal attack, but you can significantly lessen your target profile, and make it so difficult to hack or invade that the cybercriminal may just move on to other, easier targets. The bicycle example works here: if a bicycle thief comes across ten identical bicycles, and seven of these bicycles are locked, although the criminal can eventually break the lock, the criminal will focus on stealing the three bicycles that are not protected. For the bicycle criminal (as for the cybercriminal), time is money, and there is always the risk of getting caught if too much time is spent on each bicycle. And the three bicycles, just like the critical data of a ransomware target, can be used by the criminal, sold on the black market, or held for a later financially beneficial time – all with the focus of making “easy money.”
- Do not forget that many jurisdictions (e.g., California, New York, the European Union) and some federal agencies or contractors (e.g., the U.S. Department of Defense) require specific data protection protocols and data breach notification within a designated period of time (e.g., 72 hours, or in the case of a contract, the period noted in the contract). Jurisdiction by public entities is generally based on the residence of the person potentially harmed by the data breach, not the residence of the corporate headquarters of the company breached. Failure to comply with these rules can be financially devastating to a corporate or municipal entity, and in no small way embarrassing (negative press has never served as a good way to grow and maintain your operation).
- Maintaining cybersecurity Policies and Procedures (in other words, “ground rules” for the cybercrime game, the Policies) is very important. Constant training and practicing of all action elements of the Policies is a must. One other practice to place more emphasis on is hiring. Focus on hiring the computer genius who also appears to have strong ethical standards. Such a person is available, but it takes more time and effort by the employer to find them.
- On March 27, 2019, Utah Governor Gary Herbert signed HB57, the first U.S. law to protect electronic information that individuals have shared with certain third parties. The bill, called the “Electronic Information or Data Privacy Act,” places restrictions on law enforcement’s ability to obtain certain types of “electronic information or data” of a Utah resident. See, Utah governor signs electronic data privacy bill requiring warrants to access certain types of data.
- On March 12, 2019, the European Parliament (Parliament) approved the proposal for a regulation of the European Parliament and of the Council on ENISA, repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (collectively, the Cybersecurity Act). The Parliament’s approval follows a political agreement between the European Commission, the Parliament and the Council of the European Union (Council) reached last December.
- The Cybersecurity Act aims to achieve a high level of cybersecurity and cyber resilience, and to promote individuals’ trust in the EU digital single market. See, EU parliament approves the proposal for cybersecurity act.
All of our legislative update information is courtesy of the law firm of Hunton Andrews Kurth, which in my and many others’ opinion is the global leader in cybersecurity and data breach law, rules and regulation.