White House Issues New Ransomware Guidance

Cyberattacks against businesses across the U.S. have sharply increased over the last year. Ransomware is the fastest-growing type of cybercrime that companies face, with estimated annual losses exceeding $20B. In May 2021, for example, a ransomware attack on the IT systems of Colonial Pipeline, the largest fuel pipeline in the U.S., led the company to halt pipeline operations, causing gasoline price spikes and shortages across the East Coast. Weeks later, an attack on JBS, the world’s largest meat producer, temporarily shut down about ten of its plants. Fujifilm is among the latest high-profile ransomware victims, and more are expected in the coming months. In some cases the attackers only encrypt systems and demand a ransom; increasingly they also steal data first and threaten to publish it if the ransom is not paid. Either way, companies are left scrambling to restore normal operations, secure digital assets, and assess and remediate the damage.
The White House responded with Executive Order 14028, “Improving the Nation’s Cybersecurity” (May 12, 2021), and an open letter to corporate executives and business leaders (June 2, 2021) that sets out best practices to help private businesses strengthen their defenses. Together, they form the basis for more federal oversight and policy, something that is not likely to go away anytime soon. Read on for a summary of the key details.
White House Executive Order
Across its eleven sections, the Executive Order (EO) contains policies and provisions to help the federal government modernize its cybersecurity and improve its incident response. The EO also sets requirements for software supply chain security, standardizes incident reporting by federal contractors, and outlines new policies such as a move toward zero trust architecture.
Most of the EO focuses on the federal government, but it has significant implications for the private sector. Its main themes are:
- Improving the federal government’s response to cybersecurity attacks
- Sharing cyberthreat information as a matter of policy
- Increasing the security of the software supply chain
- Establishing a Cyber Safety Review Board
The bulk of the EO is spent outlining how these cybersecurity requirements will be formalized. Its policies call for more transparency and significant cybersecurity investment across all federal systems, whether cloud-based or on-premises, information technology (IT) or operational technology (OT).
Notably, the EO calls out the importance of collaborating with the private sector to protect the country’s information security systems.
The EO attaches deadlines to nearly all of its directives, and the earliest relate to threat information sharing. For example, within 60 days the Office of Management and Budget, working with the Departments of Defense, Justice and Homeland Security and the Director of National Intelligence, must review federal contract language for IT and OT service providers and recommend updates that remove barriers to sharing threat and incident information with the government.
Baseline security standards will also be established, through guidance from the National Institute of Standards and Technology (NIST), for software sold to or developed for the government. These standards cover the full development lifecycle, from securing the build environment to encrypting data and providing a software bill of materials, and apply to anyone doing such business with the government. Pilot programs for labeling consumer IoT devices and consumer software with security information will come first, modeled on existing consumer product labeling programs. The EO also directs agencies to consider incentives, yet to be determined, for manufacturers and developers, including those in the private sector, to participate in those labeling programs.
In addition, a Cyber Safety Review Board will be established by the Department of Homeland Security to review and assess significant cyber incidents affecting federal and non-federal systems. Board members will include representatives of federal agencies such as the FBI, the Department of Justice, the National Security Agency and CISA, alongside representatives from the private sector. The Board will be reviewed and renewed every two years unless the President directs otherwise.
White House Open Letter
The open letter from the White House to corporate executives and business leaders, in turn, describes the threat environment and recommends best practices to reduce risk.
The first four, which the letter draws from the EO, can be implemented immediately:
- Multifactor authentication, because passwords alone are routinely compromised, however strong they are.
- Endpoint detection and response that proactively hunts for malicious activity on the network and blocks it.
- Encryption, so that if data is stolen it is either unusable or of limited use to the attacker.
- A skilled, empowered security team that can patch rapidly and incorporate threat information into the organization’s defenses.
The letter highlights five further steps:
- Back up data, system images, and configurations; test the backups regularly; and keep them offline, since many ransomware variants try to find and encrypt or delete any backups they can reach.
- Update and patch systems promptly, using a centralized patch management system and a risk-based assessment to decide what to patch first.
- Test the incident response plan against concrete questions such as ‘Can operations continue without access to certain systems, and for how long?’ and ‘Would manufacturing have to stop if business systems such as billing were offline?’
- Check the security team’s work by using a third-party penetration tester to assess the organization’s systems and its ability to defend against a sophisticated attack.
- Segment networks so that corporate business functions are separated from manufacturing and production operations; filter and limit internet access to operational networks; and identify the links between them so operations can be isolated, or run manually, if the business network is compromised.
Contact Us
The unfortunate reality is that cybercriminals will continue to exploit corporate systems and networks to gain access to valuable data. As a result, New Jersey- and Pennsylvania-area businesses should review the published information and make changes as necessary. If you have questions about the information outlined above or need assistance with a tax, accounting, or audit issue, Klatzkin can help. For additional information, contact us. We look forward to speaking with you soon.
©2021 Klatzkin & Company LLP. The above represents our best understanding and interpretation of the material covered as of this post’s date and does not constitute accounting, tax, or financial advice. Please consult your advisor concerning your specific situation.