At a glance.
- Solicitors Regulation Authority preps guidance on cyber-loss indemnity clauses.
- US Intelligence Community issues its Annual Threat Assessment.
- Industry groups welcome opportunity to shape supply chain security standards.
UK regulator prepares guidance on cyber-loss indemnity clauses.
Legal Futures says Britain’s Solicitors Regulation Authority (SRA) is drafting an amendment to clear up insurance providers’ minimum terms and conditions regarding coverage of legal firms’ cyber losses. The worry is that some professional indemnity policies are too vague about what’s included, leading to either exposure or redundant coverage. The new clause will clarify that civil liability claims stemming from cyberattacks are covered (just like other civil liability claims), while “first-party losses,” whether monetary or reputational, needn’t be.
An SRA executive called law firms “an attractive target” for cybercrime since they “handle large amounts of client money and sensitive information”: firms lost £2.5 million to cyberattacks in the first half of last year. Though lawyers are concerned about further rate hikes, the Law Gazette observes that premiums should not increase in response to the change.
US Intelligence Community now assesses China as a top global threat.
After almost twenty years of emphasizing Islamic terrorism, the Intelligence Community’s (IC’s) Annual Threat Assessment lists China, Russia, Iran, and North Korea as the chief threats to national security, NPR reports, noting that the “order of the topics presented… does not necessarily indicate their relative importance or the magnitude of the threats.” Members of the IC will brief Congress on the report today and tomorrow.
The assessment describes China as “increasingly…a near-peer competitor, challenging the United States in multiple arenas — especially economically, militarily, and technologically,” observing that the CCP “is pushing to change global norms.” NBC adds that China is “doubling its nuclear capacity, besting American capabilities in space and expanding its influence abroad.” President Biden has pledged a strong stance on Beijing, without getting into specifics.
The document characterizes cyber threats as “intertwined” with foreign threats and infrastructure risks. Direct attacks on infrastructure are given prominence in the assessment, but there's also considerable attention paid to influence operations, including disinformation.
Some industry comment on the Assessment has come in. Garret Grajek, President and CEO of YouAttest, observed that many of the incidents mentioned in the Assessment occurred in sectors that were already highly regulated, and said he's concerned the report might prompt uncritical expansion of regulation and its attendant compliance burden:
"The message is serious because the situation is serious. My fear as an identity professional for 30 years is that more regulation will occur because of the threat. Every one of these hacks occurred to enterprises that were under some sort of regulation - be it SOX, PCI-DSS, HIPAA or self-mandated regulations like ISO 27001 or HITRUST. The problem in today's environment is that the audit/compliance process is NOT adding enough value to the overall security posture of the enterprise.
"Audit/compliance is seen as a data gathering activity in most enterprises. It's gathering information on the changes and the reason/justification of the changes. This is a complete misappropriation of resources - both time and money. The change information should be automatically formatted into a compliance conducive format - where no effort is needed at "audit time" to search/retrieve records."
Saryu Nayyar, CEO of Gurucul, sees confirmation of the well-known, continuing, high tempo of offensive cyber operations from familiar adversaries:
"Cyberattacks are not slowing down. The recent cyber espionage attacks involving Russia and China that exploited SolarWinds and Microsoft Exchange vulnerabilities demonstrate the intensity of these threats to our national security.
"The Annual Threat Assessment report essentially says that China wants to rule the world, and will stop at nothing to attack the U.S. Homeland. Ironically, China already leads the world in surveillance systems. Too bad our own government hasn't deployed sophisticated monitoring platforms like behavioral analytics to proactively identify and mitigate these cyber espionage cyberattacks.
"Meanwhile, it's no surprise that Russia continues to be a top cyber threat to the U.S., intentionally targeting our critical infrastructure. We need to be much more prepared to defend our electric grid, industrial control systems, and underwater cables. The best defense is a full stack offense which again includes cyber defenses powered by machine learning like security analytics."
More on industry participation in developing supply chain security policies.
Information technology trade groups are encouraging the Government to stand by industry standards in the wake of Holiday Bear’s romp, according to MeriTalk, rather than developing their own or attempting “to supplant private sector leadership.” Calling out President Trump’s Executive Order 13873—which had the effect of restricting Chinese vendors—as a non-example, the memo styled industry’s lead “a bedrock of Federal trade, technology, and security policy.” The groups asked the Commerce Department to lean on the public-private ICT Supply Chain Risk Management Task Force in implementing EO 13873.