Biden Administration Beseeches Business Leaders – Better Cybersecurity Now

June 11, 2021 Advisory

Last week, after weeks and months of advisories and admonitions relating to recent ransomware attacks, the White House issued an extraordinary letter to “Corporate Executives and Business Leaders” urging them:

To understand your risk, immediately convene their leadership teams to discuss the ransomware threat and review the corporate security posture and business continuity plans to ensure you have the ability to continue or quickly restore operations.

(Emphasis added).

The letter also stated that the private sector has a critical responsibility to protect against threats and to “ensure [the] corporate cyber defenses match the threat.” Referring back to the recent Executive Order on Improving the Nation’s Cybersecurity, the letter strongly urged business leaders to implement these “high impact” best practices:

  • Multifactor authentication – because passwords alone are routinely compromised.
  • Endpoint Detection and Response – to support proactive detection of cybersecurity incidents.
  • Encryption – for data at rest and in transit, so if data is stolen it is unusable.
  • A skilled, empowered security team to share and analyze threat information.
  • A security team to administer an effective patch management program.

That the letter was specifically directed at business leaders is not unusual. Federal agencies have repeatedly stressed to business leaders that adherence to cybersecurity ‘industry standards’ is a legal obligation.

In July 2019, the Federal Trade Commission (FTC) announced a $700 million settlement with Equifax for deficient cybersecurity practices. As part of the settlement, the FTC mandated that Equifax’s directors and officers:

  • be informed about any material evaluations or updates to its information security program every 12 months;
  • evaluate, assess and identify gaps and weaknesses in Equifax’s information security program; and
  • certify every year for 20 years that Equifax is in compliance with the FTC’s settlement.

In January 2020, the FTC announced that it would be implementing a “new and improved” approach to cybersecurity enforcement actions that requires “Board[s] or similar governing bodies” and “senior managers” to “gather detailed information about the company’s information security program, so they can personally corroborate compliance” with the organization’s written information security program (WISP).

Based on research that suggested the FTC’s efforts to improve corporate governance on cybersecurity issues were timely and well founded, the FTC stated that it would create further incentives for high-level oversight of, and appropriate attention to, cybersecurity.

In April 2021, the FTC issued detailed guidance on the role business leaders must play in cybersecurity. In a post titled Corporate boards: Don’t underestimate your role in data security oversight, the FTC stated that “[c]ontrary to popular belief, data security begins with the Board of Directors, not the IT Department.”

The FTC then listed strategies that business leaders should consider implementing, which included:

  • Build a team of stakeholders from across your organization – the team “should incorporate stakeholders from business, legal, and technology departments across the company – both high-level executives and operational experts.”
  • Establish board-level oversight – this helps to “ensure that cybersecurity threats, defenses, and responses have the attention of those at upper echelons and get the resources needed to do the job right.”
  • Hold regular security briefings – cybersecurity is dynamic; therefore, “[r]egular briefings prepare boards to carry out their oversight responsibility, navigate the security landscape, and prioritize threats to the company.”

In addition to the letter, the White House issued a memorandum that requires federal prosecutors involved with ransomware or digital extortion investigations to:

  • utilize enhanced notification requirements to relevant federal taskforces of findings and developments; and
  • coordinate with federal agencies and taskforces, including with the Department of Justice’s Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS).

Despite the United States Supreme Court’s ruling last week limiting certain aspects of the federal government’s authority to prosecute cybersecurity incidents, the letter, recent FTC guidance, and the memorandum demonstrate the central role of the federal government and business leaders in preventing and investigating cybersecurity attacks. 

If you have any questions about your organization’s or your Board’s cybersecurity legal obligations, please contact any of the authors of this advisory or your regular Armstrong Teasdale attorney. 
