On October 21, 2022, the US Department of Health and Human Services, along with the FBI and the Cybersecurity Infrastructure and Security Agency (CISA), issued a bulletin warning that a cyber threat actor group known as "Daixin Team," is actively targeting US businesses, predominantly in the healthcare and public health sectors, with ransomware and data extortion operations. The bulletin contains several technical recommendations that should be passed along and, if possible, implemented by your IT teams.

But cybersecurity begins at the top of an organization, a point the Federal Trade Commission (FTC) emphasized in a proposed consent issued on October 24. In that matter, the FTC alleged that a company's failure to use appropriate information security practices was the responsibility of the CEO. The FTC alleged that the CEO did not implement, or properly delegate responsibility to implement, reasonable information security practices, by failing to hire an executive responsible for information security—although he hired executives for many other areas. In the proposed consent, that individual, for the next 10 years, will be responsible for ensuring that any future company where he is a majority owner or CEO (or similar position) has implemented and maintains a comprehensive information security program.

Steps you can take

  1. If you don't already have one, appoint a senior executive responsible for security of personal data, including policies and procedures as well as an incident response plan—not to mention implementation of the CISA recommendations.
  2. Have that senior officer report to the Board of Directors (or other governing body) at least annually on the effectiveness of your organization's security, as well as any material cybersecurity events that have occurred since the prior report, and any material cybersecurity risks facing your organization.
  3. Conduct a tabletop exercise with senior executives to simulate a cyberattack/ransomware event and see how your organization would respond, including finding and fixing any holes in your current incident response plan.

If you have questions about implementing your security program or conducting ongoing risk assessments, please contact the Norton Rose Fulbright professionals listed below.



Contacts

Denise Webb Glass
Denise Webb Glass
Office Administrative Partner, Dallas
Email
denise.glass@nortonrosefulbright.com
T: +1 214 855 8063
Susan Linda Ross
Susan Linda Ross
Senior Counsel
Email
susan.ross@nortonrosefulbright.com
T: +1 212 318 3280

Industries:

Practice areas:

Recent publications

Publication

Office of the United States Trade Representative (USTR) proposes to impose port fee increases on Chinese vessels and vessel operators (consultation closing on 24 March 2025)

On 16 January 2025, the USTR published a notice of determination that China’s targeting of the maritime, logistics and shipbuilding sectors for dominance is actionable under Section 301 of the US Trade Act of 1974. Section 301 grants the USTR the authority to investigate and remediate, including through the imposition of tariffs or other import restrictions, foreign trade practices that it determines (1) are unreasonable or discriminatory, and (2) burdens or restricts US commerce.

Global | March 27, 2025

Shipping

Publication

Global Minimum Tax rules in 2025

The OECD Pillar Two rules (also known as the Global Minimum Tax), where implemented by a national jurisdiction, require multinational enterprises (MNEs) with a consolidated group turnover of more than €750 million to calculate the effective tax rate in each jurisdiction in which it operates.

Global | March 27, 2025

Shipping

Publication

A new year ahead for shipping: Regulatory compliance

There are a few main legislative developments in 2025 which will have an impact on the shipping industry.

Global | March 27, 2025

Shipping
Site search

Subscribe and stay up to date with the latest legal news, information and events . . .

Register now