Welcome to the third edition of Troutman Pepper's Cyber Capsule, which recaps last month's noteworthy developments, including updates to new rules and cybercrime sharing and other tidbits relating to cybersecurity. From a legislative standpoint, the trend of preventing certain governments and agencies from paying ransom demands and sharing information following attacks continues. And true to form "As the World Turns," highlights some of the soap opera-like comings and goings of ransomware groups.

I GOT NEW RULES, I GOT NEW RULES, I GOT NEW RULES…

1. 72 Again? 72-hours has become a common refrain in the world of cyber reporting. On July 27, the National Credit Union Administration (NCUA) became the latest group to adopt "72" when it published a proposed rule, requiring federally insured credit unions (FICUs) to report substantial cyber events to the NCUA within, you guessed it, 72 hours. Under the proposed rule, FICUs must only report substantial cyber incidents, such as those involving a substantial loss of confidentiality, integrity, or availability of a network resulting from the unauthorized access to, or exposure of, sensitive data or a disruption of business operations. Comments to the proposed rules are due on September 26.

2. NIST Updates Guidance for Health Care Cybersecurity. On July 21, the National Institute of Standards and Technology (NIST) announced a draft update to its health care cybersecurity guidance. The draft provides guidance to the health care industry about maintaining the confidentiality, integrity, and availability of electronic protected health information (ePHI), as always, but also seeks to integrate this guidance with other NIST cybersecurity guidance (that did not exist when originally published in 2008). NIST is accepting comments on the draft updates until September 21.

POTPOURRI

1. Putting Your Money Where Your Mouth Is. On July 21, New York announced the launch of a $30 million program to provide cybersecurity services to its counties and cities. As part of the program, the cities and counties will have access to CrowdStrike's EDR tool.

2. After a Breach, It's Too Late. On July 15, S. Representative Eric Swalwell (D-CA) introduced the Proactive Cyber Initiatives Act (HR 8403), which focuses on providing resources and initiatives to improve federal proactive cybersecurity initiatives, such as: (1) increasing federal government penetration testing; (2) utilizing deception techniques to trap threat actors; and (3) engaging in continuous monitoring.

AS THE WORLD TURNS

1. The Korea Internet and Security Agency (KISA) released a free decryptor for the Hive ransomware variant. [link]

2. The AstraLocker ransomware group ceased operations and released its decryptors. [link]

3. Both the LockBit and Karakurt threat actor groups updated their leak sites with a new feature — users can now search the stolen data for listed victim organizations. [LockBit link, Karakurt link]

4. According to IBM's latest report, the total average cost of a data breach jumped to $4.35 million — a 12.7% increase from 2020.

FORGET ME NOT

1. On June 24, Florida Gov. Ron Governor DeSantis (R) signed two cybersecurity bills into law. The first bill, HB 7055, prohibits state agencies and local governments from paying or otherwise complying with a ransomware demand. The second bill, HB 7057, allows an agency to keep confidential certain material related to information security, including information on critical infrastructure, cybersecurity incident information, and insurance information concerning the coverage of information security systems.