Multiple media outlets have reported on the incidence and effects of the WannaCry ransomware, which encrypted files on computers across the globe and demanded a Bitcoin ransom for the key to decrypt them. WannaCry spread by exploiting a Windows SMB vulnerability for which Microsoft had released a patch (MS17-010) two months earlier, so the systems hit were, by and large, those that had not been patched. Regulated industries such as financial services and healthcare have now been told what they should do in the wake of an attack and how to reduce the risk of such attacks going forward. Organizations that do not follow the recommendations and then sustain a loss of protected data may face regulatory scrutiny and penalties.
The Office of Compliance Inspections and Examinations (“OCIE”) of the SEC issued a Risk Alert on May 17, 2017 listing “cybersecurity practices” that SEC-registered firms should follow to reduce the risk of another such attack. These include a cyber risk assessment “to identify cybersecurity threats, vulnerabilities and the potential business consequences” (a similar requirement appears in the recent New York Department of Financial Services Cybersecurity Regulations); penetration tests and vulnerability scans; and system maintenance that includes the timely installation of security patches. Such “best practices” often harden into compliance standards: an organization examined by OCIE after a data breach may be assessed penalties for violating Regulation S-P, which requires safeguards to protect customers’ nonpublic personal financial information.
Similarly, the U.S. Department of Health and Human Services (“HHS”) issued four alerts entitled “International Cyber Threat to Healthcare Organizations,” the last published on May 17, 2017. HHS cited its prior Guidance that a ransomware attack on protected health information is presumed to be a breach reportable under HIPAA. It also stated that the incident may not be a reportable breach if the organization can show that the affected data were, in fact, encrypted at rest before the attack and were merely re-encrypted a second time by WannaCry or other ransomware. The practical caveat is that this defense holds only if the ransomware could not read the decrypted data: malware running on a booted system with a logged-in user sees the same plaintext the user does, so full-disk encryption on a running machine does not by itself establish that the information was unreadable to the attacker. In other words, HHS has stated once again that healthcare organizations should, to properly safeguard identifiable health information, encrypt that information at rest (in storage), and be able to prove it.
Of course, no defense is one hundred percent effective against every cyber attack. But SEC, FINRA or HHS examinations and penalty proceedings may well follow if an organization does not adopt the practices in these guidelines and then suffers a loss of data in an attack that takes place after the dates of these Alerts. If you have questions regarding cybersecurity regulatory compliance or defense in an audit or penalty proceeding, please contact Kenneth N. Rashbaum.