Pub. 2 2021 Issue 5

cbak.com 18 In Touch

The Presidential Executive Order On Cybersecurity and Your Business

BY MIKE GILMORE, RESULTS TECHNOLOGY
Associate Member

Introduction

The Cyber Threat Landscape is increasingly prominent in the news, represented by the major security breaches of SolarWinds and Colonial Gas. In recent years, the United States federal government has passed many bills related to Cybersecurity. One of the most comprehensive actions was just recently enacted in the Executive Order signed by President Biden on May 12, 2021 – “Executive Order on Improving the Nation’s Cybersecurity.”

This particular executive order is primarily intended to address security in the federal government. Still, these requirements will quickly push out to any private sector business working directly or indirectly with the government or falling under any form of federal regulation. Cybersecurity insurance providers already require the implementation of some of these new standards.

Banks already closely monitor for I.T. security and are required to have stringent controls in place. There is little in the new executive order not presently noted in the newest InTREx examination program for Information Technology. But small community banks can no longer expect to get a pass on having sophisticated tools in place to meet these standards. It has become more important than ever to know what’s happening on your network and react quickly if a malicious act occurs.

The Key Takeaways of the 34-page order:

• Easier Access to Intel
In the past, there have been some strong barriers to sharing information and data between the U.S. federal government and the private sector, namely the Cybersecurity vendors. Because of this, many threat vectors that could have been mitigated were not. But with this new legislation, all barriers are intended to be removed, so there will be a free and smooth flow when it comes to information/data exchanges. Cybersecurity vendors are now required to inform the government if the agencies for which they provide contract work could be at risk from an impending threat.

• A More Proactive Mindset
The U.S. federal government has been known to use outdated technology, most notably the Internal Revenue Service. Upon the enactment of this executive order, this should soon start to change, as agencies and their related entities will now be required to completely upgrade their I.T. and Network Infrastructures by adopting the following:
    • Adopting the Zero Trust Framework (requiring active authentication at all times).
    • Implementing Multi-factor Authentication (MFA) across all levels of government whenever confidential information and data need to be accessed.
    • A total migration to a 100% Cloud-based infrastructure, using a platform such as AWS or Microsoft Azure.

• The Supply Chain Security Risk Will Be Addressed
This takeaway was fueled in large part by the recent SolarWinds security breach, which was classified as a “Supply Chain Attack” in the sense that the cyber attacker group used just a few tools from SolarWinds to spread their malicious payload to the hundreds of customers dependent upon its use. A big chunk of these victims also included the significant departments of the federal government, including some areas in the Department of Defense (DoD). As a result, this new executive order now mandates any software product used in any contractual work for any agency must directly adhere to a much stricter set of security requirements, in addition to the accessing and processing of shared resources (such as that of data sets).

• The Establishment of Greater Oversight
In this regard, a National Cybersecurity Safety Review Board will be established, made up of individuals from both the public and private sectors. The intention is to have the ability to investigate major security breaches and is
