Pub 1 2021 Issue 4
30 | The Show-Me Banker Magazine

THE PRESIDENTIAL EXECUTIVE ORDER ON CYBERSECURITY AND YOUR BUSINESS

By Mike Gilmore, RESULTS Technology

Introduction

The Cyber Threat Landscape is increasingly prominent in the news, represented by the major security breaches of SolarWinds and Colonial Gas. In recent years, the United States federal government has passed several bills relating to Cybersecurity. One of the most comprehensive actions was recently established in an executive order signed by President Biden on May 12, 2021: "Executive Order on Improving the Nation's Cybersecurity." (To view this order in its entirety, please go to: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.)

This executive order is primarily intended to address security in the federal government. Still, these requirements will quickly push out to any private sector business that works directly or indirectly with the government or falls under any form of federal regulation. Cybersecurity insurance providers already require the implementation of some of these new standards.

Even now, banks are closely monitored for IT security and are required to have stringent controls in place. There is little in the new executive order that is not present in the newest InTREx examination program for Information Technology. But small community banks can no longer expect to get a pass from having sophisticated tools in place to meet these standards. It has become more critical than ever to know what is happening on your network and be able to react quickly if malicious activity occurs.

Here are some important features of the 34-page order.

The Key Takeaways

1. Easier Access to Intel: In the past, there have been some substantial barriers to sharing information and data between the federal government and the private sector, namely the Cybersecurity vendors. Because of this, many threat vectors that could have been mitigated were not. But with this new legislation, all barriers are intended to be removed, so there will be a free and smooth flow for information/data exchanges. In fact, Cybersecurity vendors are now required to inform the government if the agencies for whom they are doing contract work could be at risk of an impending threat.

2. A More Proactive Mindset: The federal government has been known to use outdated technology, most notably that of the Internal Revenue Service. Upon the enactment of this Executive Order, this should soon start to change, as agencies and their related entities will now be required to completely upgrade their IT and network infrastructures.

3. Adopting the Zero Trust Framework (requiring active authentication at all times):
• Implementing Multi-factor Authentication (MFA) across all levels of government whenever confidential information and data need to be accessed; and
• A total migration to a 100% cloud-based infrastructure, using a platform such as AWS or Microsoft Azure.

4. Supply Chain Security Risk Will Be Addressed: This has been primarily fueled by the recent SolarWinds security breach. (For details, please visit: https://www.channele2e.com/technology/security/solarwinds-orion-breach-hacking-incident-timeline-and-updated-details/.) This has been classified as a "Supply Chain Attack" in the sense that the cyber attacker group used just a few tools from SolarWinds to spread their malicious payload to the hundreds of customers dependent on its use. A big chunk of these victims also included significant federal government departments, including some areas in the Department of Defense (DoD). As a result, this new Executive Order now mandates that any software product used in contractual work for any federal agency must adhere to a much