NTSC Technology Security Roundup

Weekly News Roundup: June 3, 2019

Proposed “Lower Health Care Costs Act of 2019” Includes Cybersecurity Guidance

The “Lower Health Care Costs Act of 2019,” proposed by the Senate Committee on Health, Education, Labor, and Pensions on May 23, includes a section titled “Recognition of security practices” that states the bill will “[incentivize] health care entities to adopt strong cybersecurity practices by encouraging the Secretary of Health and Human Services to consider entities’ adoption of recognized cybersecurity practices when conducting audits or administering fines related to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.” According to HealthITSecurity.com, “If passed, the legislation would have the Government Accountability Office study the current state of healthcare cybersecurity to understand gaps and risks of the electronic transmission of individually identifiable health information as patients move and exchange data to third parties, including mobile apps not covered by HIPAA.”

Navy Rear Admiral Ross Myers Becomes Deputy Commander of US Cyber Command

On Memorial Day, Navy Rear Admiral Ross Myers became the Deputy Commander of US Cyber Command. According to US Cyber Command, “As a flag officer, Myers served as vice deputy director for Nuclear, Homeland Defense and Current Operations, Joint Staff (J33); director of Plans and Policy (J5) at Headquarters, U.S. Cyber Command. Myers became the chief of staff at Headquarters, U.S. Cyber Command in May 2018.” Politico notes, “[Myers] fills the slot left open by Marine Lt. Gen. Vincent Stewart, whose retirement was first reported by POLITICO in March. He left the command after a 40-year career in the U.S. military. The Senate confirmed Myers [during the week of May 20].”

In Other Cybersecurity News…

Here, we offer a summary of a few other news items of note from last week.

  • Acting Superintendent Linda A. Lacewell Names Justin Herring Executive Deputy Superintendent of Newly Created Cybersecurity Division: According to a press release, “Acting Department of Financial Services (DFS) Superintendent Linda A. Lacewell [on May 22] announced that Justin Herring will be appointed Executive Deputy Superintendent of the Department’s newly created Cybersecurity Division. The new division, which will focus on protecting consumers and industries from cyber threats, is the first of its kind to be established at a banking or insurance regulator.”
  • First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records: According to KrebsOnSecurity, “The website for Fortune 500 real estate title insurance giant First American Financial Corp. [NYSE:FAF] leaked hundreds of millions of documents related to mortgage deals going back to 2003, until notified [last] week by KrebsOnSecurity. The digitized records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images — were available without authentication to anyone with a Web browser.”
  • Game on for Cybersecurity: Round 2 of MITRE ATT&CK Testing Announced: According to Forbes, “MITRE recently announced Round 2 for the MITRE ATT&CK evaluations. MITRE ATT&CK is an open and transparent methodology used to evaluate security vendors’ capabilities. It is a knowledge base and complex framework of more than 200 techniques that adversaries may use over the course of an attack. […] MITRE has also announced an update to the framework. This includes a new Tactic (think of Tactics like stages along an attacker’s journey that is a category of attacks, which ATT&CK refers to as Techniques) around Impact.”

Cybersecurity Reports and Surveys Roundup

We’ve rounded up a few of the best cybersecurity reports and surveys released last week:

  • ACCA’s “Cyber and the CFO” Report: According to the Association of Chartered Certified Accountants (ACCA), “[While] over half of those who responded to [the] survey said they had ‘some’ involvement in cyber security (58%), they were more likely to say they had ‘none’ (22%) than ‘a great deal’ (20%).”
  • Majority of CISOs plan to ask for an increase in cybersecurity investment: Reported in Help Net Security, “Most CISOs of financial institutions (73 percent) plan to ask their organization’s CFO for an increase in cybersecurity investments in the next year, according to the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry consortium dedicated to reducing cyber-risk in the global financial system.”
  • New Report Indicates Cyber Insurance Providers Are Too Slow to Respond to Emerging Threats, Customer Needs: Reported in CPO Magazine, “The market is ready for new cyber insurance packages that cover risks such as data loss, denial of service and cyber extortion – 55% of customers said they are open to a new insurance model, but only 26% have sufficiently updated their coverage. 37% of customers also reported being open to sharing more personal data if it leads to better coverage against emerging risks, but only 27% of insurers currently have the technological capability to implement such a plan.”
  • Survey: SMBs Don’t Recognize Good Security: Reported in Security Boulevard, “According to a new study by Continuum, even though 1 in 4 respondents admitted to being hit with a cyberattack in the past six months, half of SMBs feel helpless to defend themselves from new forms of cyberattack.”
  • OT/ICS Security Professionals Say Risk is at Critical Levels and Believe People Represent the Biggest Risk to Cybersecurity: According to a press release, “People remain the greatest threat to industrial control systems (ICS) and associated networks, as found by a new SANS survey focused on better understanding cybersecurity risks to operational technology (OT) systems. More than half of respondents also see the cyber risks to their safe and reliable operations as high or higher than in past years.”
  • Most businesses 'overconfident' in their ability to stop cybersecurity breaches: Reported in TechRepublic, “Some 93% of organizations said they feel prepared against cyberthreats, though they lack common cyber best practices, according to a Centrify report.”

Cybersecurity Acquisitions

Four major cybersecurity company acquisitions were reported last week:

  • Insight Venture Partners Acquires Recorded Future: According to Recorded Future, “Insight Venture Partners has decided to double down on their earlier investment in Recorded Future by agreeing to acquire the company in its entirety for $780 million.”
  • Palo Alto Networks Announces Intent to Acquire Two Companies to Extend Its Cloud Security Leadership: According to a press release, “Palo Alto Networks (NYSE: PANW), the global cybersecurity leader, today announced that it has entered into definitive agreements to acquire Twistlock, the leader in container security, and PureSec, a leader in serverless security, to extend its Prisma™ cloud security strategy.”
  • FireEye Acquires Security Instrumentation Leader Verodin: According to a press release, “FireEye, Inc. (NASDAQ: FEYE), the intelligence-led security company, [on May 28] announced the acquisition of Verodin, the leader in validating the effectiveness of cyber security controls. The transaction closed [on May 28] and is valued at approximately $250 million in cash and stock, net of acquired net cash and excluding assumed unvested options, based on the closing price of FireEye’s common stock on May 24, 2019.”