In EternalPetya’s Wake, How Could Regulators Punish Victims?

The EternalPetya (aka NotPetya, NonPetya, ExPetr) virus that quickly spread to innumerable systems at the end of June left a trail of destruction across the globe. Businesses of all sizes have publicly acknowledged that they will suffer materially negative economic consequences from the attack, with more sure to come.

The impact of EternalPetya’s rampage extends far beyond the immediate concerns of restarting and rebuilding information technology capabilities. Threats of criminal charges loom for some in Europe, while here in the U.S. regulators are ramping up investigations into why and how badly companies fell victim to this cyber campaign.

In the lead is the New York Department of Financial Services (DFS), which has implemented one of the toughest cybersecurity regulatory schemes in the nation. In a Wall Street Journal Pro Cybersecurity Commentary & Analysis piece emailed to subscribers, New York DFS Superintendent Maria T. Vullo said her agency has already been in contact with regulated entities to "ensure appropriate steps are taken," as attacks like EternalPetya "reinforce the critical need for minimal regulatory standards and robust cybersecurity programs."

In light of Superintendent Vullo’s statement, which sections of the new cybersecurity rule should DFS-regulated entities focus on when New York pays them a visit? Here are some thoughts:

  • 500.02 – Cybersecurity Program: DFS is sure to look to see whether the overall program was adequate/sufficient.
  • 500.03 – Cybersecurity Policy: DFS will no doubt investigate the sufficiency of individual policies, including business continuity/disaster recovery and incident response policies.
  • 500.05 – Penetration Testing and Vulnerability Assessments: Questions will likely be asked about whether penetration testing should have caught the entry points used by EternalPetya, as well as whether its consequences were adequately considered.
  • 500.09 – Risk Assessments: DFS is sure to investigate whether the underlying risk assessment was "sufficient."
  • 500.11 – Third Party Service Provider Security Policy: This will be a big question mark for DFS, as even if the regulated entity itself wasn't hit, almost assuredly some of its service providers were. DFS can ask whether the due diligence and minimum security procedures hit the appropriate benchmarks in light of EternalPetya-caused disruptions.
  • 500.16 – Incident Response Plans: This is self-explanatory. For any regulated entity that suffered some sort of service disruption, DFS will carefully examine whether its incident response plans were properly designed to allow for "prompt" response and recovery. This is especially true since the rule explicitly talks about incident response plans in the context of cyber attacks impacting the integrity, availability, and continuing functionality of information systems and business generally.

Two important notes here. First, the aforementioned sections are by no means intended to be exhaustive. Rather, they are intended to show how much leeway the new rule gives DFS to declare that a regulated financial entity is out of compliance and thus potentially subject to fines.

Second, the DFS cybersecurity rule is still being phased in. DFS does not yet have the authority to impose fines, and in some cases will not have the power to do so for upwards of 18 months.

Part of the inquiries into the scope of EternalPetya’s impact will no doubt focus on how vulnerable companies are to exploits and hacking tools allegedly taken from U.S. government agencies. Hackers have quickly grown adept at weaponizing these exploits to conduct prolific malware campaigns that impact hundreds of organizations across the globe.

EternalPetya and the WannaCry campaigns leveraged an SMB (Server Message Block) exploit dubbed EternalBlue to allow the malware to spread rapidly within a penetrated organization. The propagation mechanism enabled the rapid distribution of the malware both within a compromised network and over the public Internet.

EternalBlue was leveraged in the EternalPetya campaign as well, but additional tactics were also deployed to ensure effective propagation in environments where EternalBlue was not effective. The incorporation of worm-like features within ransomware, or destructive or disruptive malware in general, substantively intensifies threats within an already massively expanding threat landscape. Furthermore, the widespread availability of ransomware and these exploits, coupled with the highly publicized effectiveness of these campaigns – at least in terms of propagation – has undoubtedly resonated among a variety of different threat actors, all with different motivations.

Even before this development, FireEye had observed a significant escalation in the scope and sophistication of cyber extortion tools. Having already demonstrated utility in financially motivated campaigns, these tools may also be increasingly used by nation-states, likely as a means of compellence. Given the likely nexus to nation-state actors, the WannaCry and EternalPetya campaigns fit this narrative.

The lessons of EternalPetya should be painfully clear, then, to New York DFS-regulated entities and to others who fall under the jurisdiction of some form of government regulation: regulators will have plenty of ways to declare that the security measures of cyber victims were somehow inadequate, thereby exposing them to punishment.

So beware those who are regulated – the actual cyber attack is likely to be only the first round of pain to be inflicted.

For more information, please contact the FireEye team at cyberrisk@fireeye.com or Brian Finch at Pillsbury at brian.finch@pillsburylaw.com.