When we think of infrastructure, the physical infrastructure of roads, bridges, tunnels, and highways comes to mind, but not necessarily the cyber infrastructure that we also travel and rely on daily. Reliance on cyber infrastructure has become more pronounced during the pandemic with the shift to remote work environments. In conjunction with October being Cybersecurity Awareness Month, this article touches on several hot-button issues affecting cyber infrastructure.
Cybersecurity Awareness Month was first established in 2004, with the goal of assisting individuals in protecting their online personal information. The United States’ Cybersecurity and Infrastructure Security Agency (“CISA”), working in conjunction with industry, has taken on an advocacy role with both the general public and the business community, promoting different themes that address global cybersecurity concerns. This year’s theme is ‘See Yourself in Cyber,’ encouraging each individual and business to examine their own use of, and interactions with, cyber infrastructure.
Multi-factor Authentication: What does it mean and how could it affect you?
One of the four key preventative measures highlighted in CISA’s cyber awareness campaign is employing multi-factor authentication, or MFA. MFA, defined as “[a]n authentication system that requires more than one distinct authentication factor for successful authentication”, protects accounts and cyber infrastructure by combining authentication factors from distinct categories: something you know, something you have, or something you are. Among the drivers that may bring MFA to your doorstep:
- MFA is more frequently becoming a contractual requirement in business arrangements where data or information is exchanged between two or more parties via cyber infrastructure;
- MFA has been incorporated into regulatory requirements, including the New York Department of Financial Services’ Cybersecurity Regulations affecting the financial services and insurance industry;
- For businesses seeking cyber insurance coverage to transfer financial risk associated with a cyber incident or breach, the underwriting process may require a prospective insured to have MFA in place before coverage can be purchased.
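The MFA definition above turns on the word “distinct”: two factors from the same category (a password and a PIN, both “something you know”) do not make a login multi-factor. The following is an added example, not code from the article or from CISA, that models that rule in Python: the second factor is a TOTP one-time code (RFC 6238, HMAC-SHA1, 30-second step), i.e. “something you have”, and the user record, password and secret are constructed sample values (the secret is the RFC 6238 test-vector seed).

```python
"""Added example, not the article's or CISA's code: a minimal model of the MFA
definition above. A login succeeds only if the submitted factors span two or
more distinct categories (know / have / are) and every factor verifies. The
user record and secret below are constructed sample values."""
import hashlib
import hmac
import struct

# Category of each factor type the checker understands.
FACTOR_CATEGORY = {"password": "know", "pin": "know",
                   "totp": "have", "fingerprint": "are"}

# Constructed user record (a real system would use a slow password hash).
USER = {"name": "alice",
        "password_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "totp_secret": b"12345678901234567890"}  # RFC 6238 test-vector seed

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def distinct_categories(factor_types) -> int:
    """Number of distinct factor categories among the known factor types."""
    return len({FACTOR_CATEGORY[f] for f in factor_types if f in FACTOR_CATEGORY})

def check_login(user: dict, factors: dict, unix_time: int) -> tuple:
    """Accept only if the factors span two or more categories and all verify."""
    if distinct_categories(factors) < 2:
        return False, "factors are not from distinct categories"
    for kind, value in factors.items():
        if kind == "password":
            submitted = hashlib.sha256(value.encode()).hexdigest()
            if not hmac.compare_digest(submitted, user["password_hash"]):
                return False, "bad password"
        elif kind == "totp":
            # Accept the adjacent 30-second steps to tolerate small clock drift.
            expected = [totp(user["totp_secret"], unix_time + d) for d in (-30, 0, 30)]
            if not any(hmac.compare_digest(e, value) for e in expected):
                return False, "bad one-time code"
        else:
            return False, f"no verifier for factor type {kind}"
    return True, f"authenticated with {distinct_categories(factors)} factor categories"
```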
Ransomware Attacks: How Multi-factor Authentication plays a role
Ransomware, “an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable,” has seen a significant rise over the last few years, becoming the number one cyber incident worldwide. The global frequency of ransomware attacks has grown across industry segments including education, information technology services, businesses, the legal profession, medical and other health services, and government entities. Multi-factor authentication can be a critical defense mechanism against these types of attacks.
Extensive Costs Associated with a Cyber Incident such as a Ransomware Attack
The costs of a cyber incident, such as a ransomware attack, can be very significant and multi-faceted. According to 2021 data from the United States’ Department of Health and Human Services, the cost to rectify a ransomware attack ranged from a low of $1.27 million (healthcare) to a high of $2.73 million (education), with an average of $1.85 million. Losses associated with a ransomware attack vary, ranging from the ransom payment itself to network and device costs, people time, lost business opportunities, and the organization’s downtime while affected by such an attack.
While the cyber insurance market has been in existence for over 20 years, the significant rise in cyber incidents, and their increased cost, over the last few years has driven interest in cyber insurance policies. Cyber policies can provide coverage for data recovery, incident notification, third-party claims, and ransomware payments, depending on the market. As the sophistication of cyber attacks has increased, so have underwriting requirements for cyber insurance. Multi-factor authentication, for example, may be a prerequisite to obtaining coverage.
Legislative Updates – Cyber Incident Reporting for Critical Infrastructure
In March of 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The legislation covers entities within the critical infrastructure space, including financial services, energy, information technology, healthcare and public health, food and agriculture, government facilities, transportation systems, communications, critical manufacturing, commercial facilities, chemical, water and wastewater systems, nuclear reactors, materials and waste, emergency services, dams, and the defense industrial base, as defined under President Obama’s 2013 Presidential Policy Directive/PPD-21. Covered entities would be required to report a cyber incident within 72 hours to the Department of Homeland Security (“DHS”) and CISA. When a ransomware payment is made, that entity must report to both DHS and CISA that such a payment has been made no later than 24 hours after the payment has been issued.
Planning for the Future: A Business Continuity Plan
An organization’s business continuity plan should also incorporate cyber protection protocols. A business continuity plan, or BCP, is defined as “the process of creating preventive and recovery systems to deal with potential cyber threats to an organization or to ensure process continuity in the wake of a cyberattack. BCP’s secondary goal is to ensure operational continuity before and during execution of disaster recovery.” These plans are not restricted to cyber-attacks alone; they cover issues such as natural disasters and fires as well.
By: Jessica Cambridge, J.D., M.S.