The Federal Energy Regulatory Commission has issued a final rule creating information security standards for the US electric grid. The US Congress is also considering legislation designed to combat perceived cybersecurity and privacy threats related to the grid. Among other things, the legislation would establish a regulated security testing regime for products used in the grid.
The Federal Trade Commission (FTC) has settled a claim against Henry Schein Practice Solutions Inc (Schein), a provider of office management software for dental practices. The FTC claimed that Schein falsely advertised the level of encryption in software provided to protect patient data.
Schein marketed a database to dental practices with claims that the software was compliant with the Advanced Encryption Standard (AES) encryption required to protect patient data under US healthcare regulations. However, rather than “encryption”, the software used a less secure “data camouflage” algorithm that was more vulnerable to attack.
Under the settlement, Schein will be required to notify all customers that the software does not provide industry-standard encryption. Schein will also pay USD 250,000 as disgorgement – a common provision in FTC advertising cases, but the first for marketing claims specifically related to data security.
Link (FTC): FTC press release
The EFF has released the results of research on poorly secured automated licence plate recognition (ALPR) systems. The research identified more than a hundred ALPR cameras left accessible to anyone with a web browser. The EFF release also looks at the response of five agencies operating the ALPR cameras on being warned of the vulnerabilities.
Credit ratings agency Standard & Poor’s has recently signalled that “cybersecurity as an emerging threat … has the potential to pose a higher risk to financial institutions in the future, and possibly result in [credit] downgrades.”
The ratings agency has gone so far as to say that if a bank or other financial institution is ill-prepared to withstand an IT security breach, it could be downgraded even without suffering an actual attack. And (more conventionally) a downgrade may also be warranted after a breach, if the breach causes significant reputational issues with the potential to result in a major loss of customers, or if the financial or legal losses significantly affect the bank’s balance sheet.
With that in mind, Standard & Poor’s notes that it has begun to ask a range of questions regarding financial institutions’ preparedness against IT security breaches, including:
- Do you have a robust, well-documented program to monitor IT security risks?
- Does the financial institution have any third-party vendor oversight? If so, what kind and how much?
- How long has it typically taken to detect an attack?
- What containment procedures are in place if the financial institution is breached?
- Are emergency scenarios test-run?
- What software or other techniques are used to monitor attacks?
- What kind of expertise about IT security exists on the board of directors?
- How much does the financial institution spend on IT security, and what resources does it devote? What is the total tech budget this year versus last?
- Does the financial institution have any insurance to compensate for an IT security breach?