Uber’s former chief security officer was convicted of failing to disclose a 2016 data breach in the first criminal prosecution of an executive related to the handling of a breach.
Details: Sullivan was found guilty of federal obstruction-of-justice charges for not informing the Federal Trade Commission, which was at the time investigating Uber’s privacy protections. Following the ransomware breach, Sullivan quietly arranged to pay off the hackers.
Agency Guide: The Federal Financial Institutions Examination Council this week released an update to its Cybersecurity Resource Guide for Financial Institutions with new ransomware-specific resources.
New Law: The Cybersecurity and Infrastructure Security Agency last month released a request for information as it develops regulations on cyber incidents and ransom payments. CISA is implementing the Cyber Incident Reporting for Critical Infrastructure Act, which requires critical infrastructure owners, including financial institutions, to report substantial cyber attacks to CISA within 72 hours and ransomware payments within 24 hours.
More: Additional community bank-focused cyber resources are available on ICBA's Cyber and Data Security resource center.