At a glance.
- Report from DHS inspector general says there’s room for improvement.
- Data brokers lobby against passage of data privacy measures.
- Advice for smaller firms impacted by the SEC’s new cybersecurity measures.
- Addressing open-source software and supply chain security after SolarWinds.
Report from DHS inspector general says there’s room for improvement.
Earlier this month the Department of Homeland Security (DHS) inspector general (IG) completed a report tracking the agency’s progress on improving cybersecurity policies. The report compiles audit results from fiscal year 2019 onward and details the department’s momentum in completing a list of ten recommendations “aimed at improving the Department’s mitigation of risk related to malware, ransomware, and phishing attacks.” As MeriTalk explains, the recommendations focused on the DHS’s need to better reflect the latest standards released by the National Institute of Standards and Technology (NIST), while improving employee education on the risks from malware, ransomware, and phishing attacks. According to the IG report, the agency has closed or resolved five of the recommendations, while the other half are awaiting full implementation. The report concludes that “DHS can better protect its sensitive data from potential malware, ransomware, and phishing attacks by revising its policies and procedures to incorporate new controls, in accordance with Office of Management and Budget guidance, and ensuring its users complete the required cybersecurity awareness training to mitigate risk.”
Data brokers lobby against passage of data privacy measures.
As the US Congress plans to approve a federal data privacy law, the data brokers that profit from the collection of personal data are spending big bucks to push legislation in their favor. Politico reports that five leading data brokers increased their lobbying spending by about 11%, which translates to a bump of $180,000, in the second quarter of 2022 compared to the same quarter last year. The brokers are pushing for changes to the American Data Privacy and Protection Act (ADPPA), a bipartisan data privacy bill intended to increase consumer choice when it comes to controlling how their data is collected and shared. The brokers claim these data-sharing restrictions could impede criminal investigations, but they’re also angling for more freedom when it comes to using third-party data for targeted advertising. For brokers, this data is the backbone of their $240 billion market, but lawmakers and privacy experts are worried that the information is being used to track protesters, and that targeted ads influence vulnerable populations like minors and minorities. Caitriona Fitzgerald, deputy director of privacy advocacy group the Electronic Privacy Information Center, explained, “ADPPA has moved farther through Congress than any privacy bill has in many years. Data brokers are likely responding to the fact that Congress seems serious about passing privacy regulations.”
Advice for smaller firms impacted by the SEC’s new cybersecurity measures.
In February the US Securities and Exchange Commission (SEC) announced new cybersecurity rules regulating how private equity funds and private capital firms protect their data. As SEC Chair Gary Gensler explained, “Cyber risk relates to each part of the SEC’s three-part mission, and in particular to our goals of protecting investors and maintaining orderly markets. The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks.” As Forbes notes, these new measures impact not only private equity funds and venture capitalist firms, but also registered investment advisors (RIAs) and business development companies. The new rules require RIAs and funds to establish Written Information Security Programs, report breaches or suspected breaches in a timely and confidential fashion, and add disclosure statements to marketing materials. While this shouldn’t be difficult for larger, more cyber-savvy firms, smaller offices unfamiliar with cybersecurity due diligence worry these changes could be a drain on profits. For these firms, there are steps they can take now to minimize risk while maximizing revenue. These include preparing for the 48-hour breach notification deadline, reviewing the company’s incident response and business continuity plans, implementing cybersecurity awareness training for employees, and obtaining a cyber insurance policy.
Addressing open-source software and supply chain security after SolarWinds.
Security Intelligence offers a look back at how major cyberattacks on US infrastructure over the past three years – like the infamous SolarWinds incident, the Microsoft Exchange Server attack, the Colonial Pipeline ransomware attack, and exploitation of the Log4j vulnerability – have impacted American policy regarding open-source software and supply chain security. In 2021 President Joe Biden issued two executive orders: the Improving the Nation’s Cybersecurity order, and another focused specifically on supply chain security. The National Security Council hosted a White House summit in January 2022 and another in May, bringing together industry executives and government leaders to discuss how to reduce security vulnerabilities in open-source software, support the integration of security features in open-source software development tools, and expedite fixes for existing vulnerabilities. Google Cloud pledged to establish an Open Source Maintenance Crew and launched a new software supply chain dataset for open-source developers, and the Linux Foundation and Open Source Security Foundation revealed a $150 million, ten-point plan to bolster open-source and supply chain security over the next two years. While these efforts are promising, some critics say a lack of time, funding, and manpower is slowing progress. Indeed, a recent global study surveying one thousand chief information officers found that while a majority have implemented improved security controls, 82% feel their companies are still vulnerable to supply chain attacks.