White House Memorandum: What We Urge You To Do To Protect Against The Threat of Ransomware (June 2, 2021)
Available at https://image.connect.hhs.gov/lib/fe3915707564047b761078/m/1/8eeab615-15a3-4bc8-8054-81bc23a181a4.pdf
The Biden administration has released a memorandum reminding corporate executives and business leaders of the private sector’s “critical responsibility” to protect against ransomware threats. The memorandum was prepared by an official within the National Security Council (NSC), the president’s principal forum for considering national security and foreign policy matters with senior advisors and cabinet officials. After noting that the federal government has stepped up its international efforts to disrupt and deter ransomware actors, the memorandum highlights immediate steps that private-sector organizations can take to protect themselves, their customers, and the broader economy. According to the memorandum, companies that view ransomware as a threat to their core business operations rather than as a simple risk of data theft will react and recover more effectively.
The memorandum urges implementation of best practices from President Biden’s “Executive Order on Improving the Nation’s Cybersecurity,” including multifactor authentication; mechanisms for detecting and responding to malicious activity; encryption; and retaining a skilled, empowered security team. In addition, the memorandum identifies several “highly impactful steps” to help companies focus their efforts and make rapid progress in reducing risks. Recommended steps include: (1) backing up data and configurations, testing backups regularly, and maintaining them offline; (2) updating and patching systems promptly; (3) testing incident response plans; (4) using third parties to test security and defenses; and (5) segmenting networks to enable critical functions to be maintained during a cyber incident. The memorandum concludes by emphasizing the seriousness and increasing frequency of ransomware attacks and reiterating the private sector’s distinct and key responsibility to combat them.
EBIA Comment: Recent ransomware attacks have featured prominently in the news, and the release of this memorandum underscores the urgency and severity of ransomware threats to the general economy. HHS has previously provided ransomware guidance to HIPAA covered entities and business associates, including a detailed fact sheet in 2016 (see our Checkpoint article) and a cybersecurity newsletter in 2019 (see our Checkpoint article). This guidance provides critical and helpful information on ransomware protection, detection, containment, recovery, and response. Given the heightened awareness of cybersecurity threats and the DOL’s recent focus on cybersecurity in the ERISA context (see our Checkpoint article), employee benefit plan sponsors and service providers should consider how HHS’s guidance may apply beyond HIPAA. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXX.B (“Core Security Requirements: Administrative Safeguards”) and XXX.D (“Core Security Requirements: Technical Safeguards”). See also EBIA’s Cafeteria Plans manual at Section XVI.E (“Electronic Administration”) and EBIA’s Consumer-Driven Health Care manual at Section XXV.I (“Electronic Administration of HRAs”).
Contributing Editors: EBIA Staff.