On October 21, 2022, the US Department of Health and Human Services, along with the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), issued a bulletin warning that a cyber threat actor group known as "Daixin Team" is actively targeting US businesses, predominantly in the healthcare and public health sectors, with ransomware and data extortion operations. The bulletin contains several technical recommendations that should be passed along to, and if possible implemented by, your IT teams.

But cybersecurity begins at the top of an organization, a point the Federal Trade Commission (FTC) emphasized in a proposed consent issued on October 24. In that matter, the FTC alleged that a company's failure to use appropriate information security practices was the responsibility of the CEO. The FTC alleged that the CEO did not implement, or properly delegate responsibility to implement, reasonable information security practices, by failing to hire an executive responsible for information security—although he hired executives for many other areas. In the proposed consent, that individual, for the next 10 years, will be responsible for ensuring that any future company where he is a majority owner or CEO (or similar position) has implemented and maintains a comprehensive information security program.

Steps you can take

  1. If you don't already have one, appoint a senior executive responsible for security of personal data, including policies and procedures as well as an incident response plan—not to mention implementation of the CISA recommendations.
  2. Have that senior officer report to the Board of Directors (or other governing body) at least annually on the effectiveness of your organization's security, as well as any material cybersecurity events that have occurred since the prior report, and any material cybersecurity risks facing your organization.
  3. Conduct a tabletop exercise with senior executives to simulate a cyberattack/ransomware event and see how your organization would respond, including finding and fixing any holes in your current incident response plan.

If you have questions about implementing your security program or conducting ongoing risk assessments, please contact the Norton Rose Fulbright professionals listed below.
