Cybersecurity: Continued Cyberattacks and New Regulations Result in Increased Risk

In a recent survey of almost 2,800 global organizations, one in five respondents reported experiencing a ransomware attack in 2021—with almost half of those respondents suffering significant operational impacts as a result.[1]

This past year proved to be no better, as a steady stream of governments, businesses and individuals alike became victims of high-profile cyber-attacks in 2022.  Still, despite the frequency, sophistication and severity of these attacks, available data suggests that only about half of U.S. companies even have a cybersecurity response plan in place—and many are not financially prepared should a material cyber-attack occur.[2]  As new rules, guidance and initiatives on cyber-related issues continue to emerge, boards should pay particular attention to the demands of cybersecurity oversight and the significant risks posed by cyberattacks, especially as regulators and private litigants continue to bring large numbers of cybersecurity-related actions in response to data breaches.

In this summary, we provide an overview of the legal cybersecurity landscape in 2022 for boards and their directors, including by highlighting notable breaches, regulatory developments, and decisions, as well as best practices to keep in mind for 2023.

Data Breaches and Ransomware Attacks

As with 2021, 2022 was a year filled with significant data breaches and widely disruptive ransomware attacks taking headlines:

• In February, aviation company Swissport International suffered a ransomware attack affecting the company’s information technology infrastructure and services.
• In March, Nvidia, one of the world’s largest semiconductor companies, confirmed that the company had suffered a cyberattack at the hands of the hacking group Lapsus$, which resulted in the leak of personally identifying information (PII) of more than 71,000 employees.
• In April, mobile payment service Cash App disclosed to the SEC through its parent company Block that the company had suffered a data breach affecting 8.2 million customers in December 2021.
• In July, Marriot confirmed that a hacking group targeted an unsuspecting employee and successfully gained access to Marriot computer systems in June.  The group obtained various categories of personal information for over 5 million people.
• In August, convenience company 7-Eleven suffered a cyber-attack resulting in the shutdown of 175 stores due to a compromise in its systems that prevented the use of cash registers and receipt of payments.
• In October, car manufacturer Toyota posted a message on the company’s website starting that almost 300,000 customers who had used its telematics service had their email addresses and customer control numbers compromised.

Numerous other breaches included a national emergency causing ransomware attack in Costa Rica and breaches at global not-for-profit organizations like the Red Cross, U.S. government agencies including the U.S. Department of Education, and several universities, colleges and public school systems.

Of course, this is just a small selection of the cybersecurity attacks that impacted companies and organizations around the globe.  Each of these incidents, impacting firms large or small, frequently had a devastating effect on the operations of those entities, forcing difficult decisions such as how best to respond to the attack, whether and how to disclose the attack publicly, whether to pay a ransom to obtain access to systems and data (and whether to trust that a payment would result in that outcome at all), and how to manage the fallout from the attack for customers and stakeholders.  

Regulatory Focus on Cybersecurity

Regulators issued new rules, guidance and initiatives on cybersecurity-related topics as the sophistication and number of data breaches continued to increase:

• President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which, among other things, requires the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA.[3]  These reports allow CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends and quickly share that information with network defenders to warn other potential victims.[4]
• The U.S. Securities and Exchange Commission (SEC) announced new proposed disclosure rules for cybersecurity incidents and cybersecurity risk management, strategy and governance.  These new rules, which would apply to domestic and foreign companies subject to the reporting requirements of the Securities Exchange Act of 1934, impose various new requirements, including the disclosure of:  (i) material cybersecurity incidents within four days after a registrant determines that it experienced such an incident; (ii) a company’s cybersecurity policies and procedures and governance; and (iii) cybersecurity expertise of board members.[5]
• The SEC’s Division of Examinations—formerly the Office of Compliance Inspections and Examinations—released its 2022 Examination Priorities, one of which was information security.  According to the report, the Division has set out to review registrants’ information security practices in order to protect critical investment information and prevent interruptions that could jeopardize businesses.[6]  
• In September, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) published Cyber-Related Sanctions Regulations.[7]  While the Regulations do not introduce new or change prior guidance, they amalgamate existing executive orders, laws and other regulations and reiterate the U.S. government’s disapproval of making payments to bad actors in connection with cyberattacks, in particular relating to activity originating outside the United States.
• In November, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) issued a financial trend analysis regarding ransomware-connected Bank Secrecy Act filings occurring during the second half of 2021. [8]  FinCEN found that the number and dollar amounts at issue of ransomware-related, suspicious activity reports had tripled between 2020 and 2021, shifting from approximately $400 million to $1.2 billion.  Notably, this increase comes on the heels of FinCEN’s and OFAC’s Fall 2021 advisories regarding the reporting of ransomware-related incidents.
• The New York Department of Financial Services (DFS) announced proposed updates to its cybersecurity regulations first promulgated in 2017. [9]  The recent amendments strengthen the DFS’s “risk-based approach to ensure cybersecurity risk is integrated into business planning, decision-making, and ongoing-risk management.”[10]

As regulators continued to implement these new rules, guidance and initiatives, there were a number of cybersecurity enforcement actions against companies that allegedly maintained inadequate cybersecurity protections or that failed to comply with related disclosure obligations:

• In August, crypto-currency trading platform Robinhood Crypto LLC (RHC) entered into a Consent Order with the DFS based on “serious deficiencies” related to, among other issues, cybersecurity and virtual currency identified in DFS’s examination of RHC from January to September 2019.  DFS found that during a period of rapid growth for RHC’s business in 2019, RHC “failed to invest the proper resources and attention to develop and maintain a culture of compliance—a failure that resulted in significant violations of [DFS’s] anti-money laundering and cybersecurity regulations.”[11]  The Consent Order required RHC to pay a $30 million civil penalty and hire an independent consultant for eighteen months to review and report on RHC’s efforts to improve its compliance program.[12]
• In October, a federal jury convicted Uber’s former Chief Security Officer (CSO) of criminal obstruction of Federal Trade Commission (FTC) proceedings and concealment of a felony for attempting to hide Uber’s 2016 data breach.[13]  In this case, the evidence presented by the Department of Justice at trial showed that the CSO participated in negotiations with the FTC in connection with an FTC investigation of Uber’s data security practices without disclosing the attack, and took affirmative steps to hide the information. 
• DFS entered into a Consent Order with licensed health care company EyeMed Vision Care for alleged cybersecurity violations that “contributed to the exposure of hundreds of thousands of consumers’ sensitive, non-public, personal health data, including data concerning minors.”[14]  DFS found that the company had failed to (i) limit user privileges by allowing nine employees to share email mailbox credentials, and (ii) implement data management processes, both of which resulted in significant consumer data being accessible through the impacted mailboxes.  DFS also found that the company had failed to conduct an adequate risk assessment.  The Consent Order imposed a $4.5 million fine on EyeMed and required the company to undertake significant remedial efforts to improve its cybersecurity, including by conducting a comprehensive risk assessment system and developing a plan to address issues identified in the assessment.
• The New York Attorney General (NYAG) fined fashion retail brand Shein’s parent company, Zoetop, for its handling of a 2018 data breach involving the exposure of data for approximately 40 million customers that had accounts with the clothing brand.[15]  According to the NYAG, Zoetop misrepresented the size and nature of the breach, originally claiming that the leak affected only 6 million accounts and did not involve credit card information (when it in fact did).
• SolarWinds indicated in a SEC filing that the company had received a Wells notice informing the company of the agency’s intention to bring an enforcement action with respect to its cybersecurity disclosures and public statements, as well as its internal controls and disclosure procedures.[16]  This follows the SEC’s announcement at the end of 2021 regarding a sweep of public companies and corresponding disclosures related to the SolarWinds software cyberattack that became public in 2020.  

Litigation Developments

There were also significant developments in cyber-related litigation in 2022:

• In January, a federal judge in New York dismissed a putative class action filed against men’s clothing company Bonobos, Inc., following an August 2021 data breach.  The court determined that a Bonobos customer whose personal information was stolen in the breach failed to demonstrate a sufficiently substantial risk of harm to establish standing to sue.  The decision reflects the increased uncertainty regarding the viability of suits for damages based solely on future risk of identity theft or fraud, in light of the Supreme Court’s recent decision in TransUnion LLC v. Ramirez.[17]
• In April, one day after going to trial, Aerojet Rocketdyne Holdings, Inc. agreed to settle a matter in which a qui tam relator attempted to hold his former employer accountable using the False Claims Act for its alleged cybersecurity fraud.  The relator alleged that Aerojet fraudulently concealed its failure to comply with government regulations requiring defense contractors to implement cybersecurity measures and report incidents and breaches.  This litigation signals the dangers of non-compliance with cybersecurity regulations for government contractors.[18]
• In October, an Illinois jury issued the first-ever verdict against a company for violating the Illinois Biometric Information Privacy Act (BIPA), awarding $228 million to a class of plaintiffs who were fingerprinted by one of the defendants’ third-party vendors.  The verdict highlights juries’ willingness to hold companies responsible for BIPA violations as well as a federal court’s unwillingness to allow the involvement of third parties to defeat liability.[19]  Other states, including Texas and Washington, have their own biometric data privacy laws.  Companies that operate on a national scale should consider whether their operations in each state comply with all applicable biometric data privacy laws.

Board Oversight Best Practices for 2023

In light of emerging regulatory and litigation trends regarding cybersecurity, as well as the SEC’s proposed cybersecurity disclosure rules, boards should continue to review and ensure the adequacy of their oversight measures. In particular:

• Ensure that oversight of cybersecurity risks is delegated to a committee of the board (or establish specific cybersecurity review guidelines if responsibility is retained at the full board) including assessment of risks as part of strategy, risk management and financial oversight and disclosure. 
• Establish regular briefings by management to the board of cybersecurity risks including benchmarking company policies and procedures against industry peers and best practices.
• Ensure that the company has a cyber-incident response and that the board is familiar with it, including the proposed reporting matrices to communicate incidents.  Relatedly, periodically engage in a cybersecurity response tabletop exercise to familiarize directors with their oversight role in the event of cyber-related incidents.
• Regularly review the company’s cybersecurity budget and assess cyber-related insurance coverage.
• Document the board’s engagement in cybersecurity oversight, including its engagement in such cybersecurity discussions and participation in tabletop exercises.

Key Takeaways

• The continued frequency of data breaches and ransomware attacks, coupled with increased regulatory scrutiny and litigation risk, makes cybersecurity an essential issue for boards.
• Ransomware attacks in particular continue to result in substantial costs, legal risks and reputational concerns.
• In light of the SEC’s proposed cybersecurity rules, we expect the SEC to continue to actively investigate cybersecurity-related disclosures by public companies.  The DFS and State Attorneys General continue to be active as well in investigating breaches. 
• Private litigation arising out of data breaches continues to be a substantial risk.  The recent $228 million verdict in the BIPA litigation—while not itself related to a cybersecurity breach—highlights the possibility of substantial verdicts against companies for alleged cyber and privacy failures.  Biometric privacy laws are a particular risk, but litigation relating to data breaches can also result in sizable settlements.
• These trends underscore the need for boards to take an active role in overseeing management’s preparation for cyberattacks and responses to incidents. Among other things, boards should establish clear ownership of cyber risk oversight, have briefings on cybersecurity risks to the full board and document steps the board has taken in connection with its oversight.

[1] Thales, “2022 Thales Data Threat Report” (February 2022), available here.

[2] Forbes, “Alarming Cyber Statistics For Mid-Year 2022 That You Need To Know” (June 3, 2022), available here.

[3] CIRCIA, “Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA),” available here.

[4] For additional details, see our March blog post available here.

[5] For additional details, see our April alert memo available here, Practical Steps for Increased Board Effectiveness and Turning a Corner on Corporate Governance: The SEC’s Disclosure Agenda.

[6] See SEC Division of Examinations, “2022 Examination Priorities,” available here. The Division will also be reviewing registrants’ business continuity and disaster recovery plans, which in some cases, will account for certain climate-related risks.  This focus in information security goes hand in hand with the proposed cybersecurity rules released in February 2022, which included comprehensive reforms for registered advisers regarding cybersecurity risk management policies and procedures, mandatory reporting of certain cybersecurity incidents to the SEC (including a new Form ADV-C), and mandatory disclosures to investors and other market participants.  For additional details, see our April blog post available here.  For additional details on the proposed SEC rules, in particular, see also our February blog post available here. See also New York State Department of Financial Services, “DFS Superintendent Adrienne A. Harris Announces Updated Cybersecurity Regulation” (November 9, 2022), available here.

[7] U.S. Department of the Treasury OFAC “Amendment to the Cyber-Related Sanctions Regulations and Associated Administrative List Updates” (September 2, 2022), available here. 

[8] Financial Crimes Enforcement Network, “FinCEN Analysis Reveals Ransomware Reporting in BSA Filings Increased Significantly During the Second Half of 2021” (November 1, 2022), available here. 

[9] 23 NY Comp Codes Rules and Regs § 500.0. The original regulations established a regulatory model for ensuring that entities addressing the evolving nature of cybersecurity threats adequately protected consumers and businesses with the most effective controls and best practices available.  Among other items, the amendments contemplate a tier-system that imposes heightened requirements based on a regulated entity’s size, enhanced governance requirements for executive management, controls to prevent unauthorized access to technology systems, and more frequent risk and vulnerability assessments.  These changes also reflect DFS’s commitment to “promote the protection of customer information as well as the information technology systems of regulated entities.”

[10] New York Department of Financial Services, “DFS Superintended Adrienne A. Harris Announces Updated Cybersecurity Regulation” (November 9, 2022), available here.

[11] New York Department of Financial Services, “DFS Superintendent Harris Announces $30 Million Penalty on Robinhood Crypto for Significant Anti-Money Laundering, Cybersecurity & Consumer Protection Violations,” available here.

[12] For additional details, see our August blog post available here. 

[13] United States Attorney’s Office, Northern District of California “Former Chief Security Officer Of Uber Convicted Of Federal Charges For Covering Up Data Breach Involving Millions Of Uber User Records” (October 5, 2022), available here.

[14] New York State Department of Financial Services, “DFS Superintendent Harris Announces $4.5 Million Cybersecurity Settlement with EyeMed Vision Care LLC” (October 18, 2022), available here.

[15] NY Attorney General Letitia James, “Attorney General James Secures $1.9 Million from E-Commerce SHEIN and ROMWE Owner Zoetop for Failing to Protect Consumers’ Data” (October 12, 2022), available here.

[16] See SolarWinds Corporation Form 8-K (October 28, 2022), available here.

[17] For additional details, see our January blog post available here.

[18] U.S. Department of Justice, “Aerojet Rocketdyne Agrees to Pay $9 Million to Resolve False Claims Act Allegations of Cybersecurity Violations in Federal Government Contracts” (July 8, 2022), available here.

[19] Celeste Bott, “BNSF Hit With $228M Judgment In First BIPA Trial” (October 12, 2022), available here.