Log4j: application risk for public enterprises | McDermott Will & Emery
Security researchers predict that organizations will be dealing with the vulnerability (and its fallout) for months to come. CISA has created a dedicated Log4j webpage to provide an authoritative, up-to-date resource with guidance and mitigation resources for network defenders, as well as a community-sourced GitHub repository of affected devices and services. These government resources establish the baseline of reasonable security for the Log4j response and, in effect, provide a potential roadmap for legal compliance.
While the most immediate challenge is the technical one of identifying and remediating the vulnerability, public companies also need to monitor how their internal controls and procedures are applied in responding to it. Companies should also assess the impact that the Log4j vulnerability may have on their business, financial condition and results of operations. These assessments will determine whether a public company has disclosure obligations under US securities law. Indeed, the Securities and Exchange Commission (SEC) has stressed that public companies must take “all required actions” to inform investors of material cybersecurity risks and incidents in a timely manner.1 The risks and incidents covered may include those that have not yet matured into a cyber attack.
A public company may have the best policies and procedures on paper, but if they are not applied correctly and the right information does not flow to the right people, the risk of enforcement abounds. This is especially true where, as here, the vulnerability is so prevalent (over 100 million devices and servers are reported to be affected) and is being actively exploited by malicious actors, including nation-state actors.
The SEC has a proven track record of bringing enforcement actions against public companies for deficient disclosures and controls relating to cybersecurity risks and incidents. These actions include instances where management failed to conduct a proper investigation and adequately consider whether a breach should be disclosed to investors, and instances where a cybersecurity incident was not remediated in accordance with company policy or properly reported to senior management.
If past is prologue, the SEC could send information requests to companies that have downloaded a vulnerable version of Log4j and ask them to provide more details on their use of the software and on any compromise by external actors, regardless of the materiality of, or access to, material non-public information. Although Log4j is open source software and there is no ready-made list of companies that have installed it, the US government is maintaining a continually updated list of known vulnerable vendors/applications involving Log4j. Log4j is also on the radar of regulators; for example, the SEC has highlighted it on its website.
As the Log4j problem continues to develop, company personnel responsible for developing and overseeing disclosure controls and procedures should have a line of sight into the technical response and ensure that the company’s controls and procedures are correctly applied. They must also be vigilant, in a dynamic threat environment, about obtaining sufficient information to meaningfully assess disclosure obligations, including by asking:
- Has the company conducted a vulnerability assessment to identify if it has potentially been impacted by Log4j?
- If so, what is the assessed impact on reputation, financial performance, and relationships with customers and suppliers?
- What, if anything, is preventing such an assessment?
- If the business has systems or applications using vulnerable versions of Log4j, what is the remediation plan to address those systems or applications, and how long will it take to effectively remediate them?
- Is there a gap between existing company policies and procedures for responding to security incidents and managing vulnerabilities and the way Log4j is managed?
- Has the company discovered indicators of compromise (IoC) related to Log4j in its environment?
- Has the company conducted diligence on its suppliers, especially those with access to company data and/or systems, to determine whether they have been affected by Log4j?
- Has the company previously had cybersecurity incidents and, if so, were they disclosed to investors?
- If they were not disclosed, on what basis were they determined not to be material?
When preparing a disclosure, public companies should provide sufficient detail about a material cybersecurity risk or incident so as not to over-generalize; at the same time, companies should avoid details that could allow malicious actors to target exploitable software running on corporate systems.2 Finally, companies should be mindful of the prohibition on insiders trading in company securities while in possession of material non-public information, which may include knowledge regarding the impact of Log4j.3
1A “cybersecurity incident” is “[a]n event which actually or potentially leads to negative consequences for… an information system or the information that the system processes, stores or transmits and which may require a response action to mitigate the consequences.” US Computer Emergency Readiness Team (US-CERT) website, available at https://niccs.us-cert.gov/glossary#I.
2In its February 2018 guidance, the SEC noted that it does not expect companies to make detailed disclosures that could compromise the company’s cybersecurity efforts, for example, by providing a “roadmap” for those seeking to penetrate a company’s security protections; nor does the SEC expect companies to publicly disclose specific technical information about their cybersecurity systems, associated networks and devices, or potential system vulnerabilities in such detail as would make those systems, networks and devices more susceptible to a cybersecurity incident. Nonetheless, the SEC expects companies to disclose cybersecurity risks and incidents that are material to investors, including the financial, legal or reputational consequences that flow from them.
3In 2018, the SEC charged a number of former Equifax employees with insider trading ahead of the company’s September 2017 announcement of a widespread data breach that exposed Social Security numbers and other personal information of approximately 148 million US customers. See Former Equifax Executive Charged With Insider Trading, available at https://www.sec.gov/news/press-release/2018-40; Former Equifax Manager Charged With Insider Trading, available at https://www.sec.gov/news/press-release/2018-115.