Security – International World Of Business

Increasing efficiency in cross-border treasury operations

wpdesigns — Wed, 04 Mar 2026 17:19:04 +0000

To compete and grow, many corporations have expanded their business internationally. With this growth comes cross-currency transactions that are routinely used by corporates in support of daily business such as vendor/supplier payments, payroll, taxes, and funding local accounts for treasury activities. However, some businesses that pursue this opportunity may encounter inefficiencies brought on by transacting in foreign currencies, especially in higher volumes. Even well tenured practitioners with a lot of FX volume can still struggle to make processes more efficient.

There are are a wealth of existing and evolving technologies that can help automate, improve efficiency, and bring transparency to the management of cross-border transactions.

Corporate treasurers should evaluate their current practices to ensure they are achieving high levels of automation, efficiency, and transparency. There are multiple benefits to this, including reduced costs, simplified reconcilement, and improved forecasting and control.

Fortunately, there are a wealth of existing and evolving technologies that can help automate, improve efficiency, and bring transparency to the management of cross-border transactions. Here, we look at some of the strategies and objectives that treasurers should consider to get started on this path.

Getting started: Objectives

When looking to improve efficiency in FX operations, here are some broad objectives that corporates should strive to achieve:

Show text version

Four steps toward operational efficiency

The path to efficiency includes four key elements that treasurers should follow in evaluating and optimizing their processes:

1) Determine the best connection

Decide how to maximize execution through omni-channel connections with the FX provider. Choosing the best one depends on each organization’s capabilities, security protocols, and preferences. There are several connection channels available that accommodate the varying technology of different organizations, including:

Web portal
File transmission
API
Mobile
ERP
TMS

2) Choose the right payment type

Determine the best payment type to suit your needs, considering cost, efficiency, and reach.

High value/low frequency: Wire
Low value/high frequency: In-country low-value clearing
Real-time: Instant cross-border payments
Alternative payment methods: digital wallets and international pay-to-card – Ability to pay a beneficiary directly with only their debit card number

3) Manage currency fluctuations

Traditional risk management programs can be resource intensive and difficult to manage. Some banking providers have begun to offer alternative risk management solutions to derivatives such as providing fixed FX rates for a predetermined period of time. This provides users the benefit of managing the associated FX risk without having to undertake the operational burden of a full-fledged risk management program. This enables a more efficient and accurate means to forecast working capital flows, automates the account reconciliation process, and eliminates the requirement for credit or contracts.

Global expansion presents tremendous opportunities for businesses looking to grow.

4) Reconcile

Utilize advanced trade and settlement reporting to power data-driven decision making. Analyzing transaction patterns can inform decisions and strategies.

Ongoing strategies for FX management

Once the operational practices are in place, corporate treasurers should turn their focus to long-term practices to manage their rates and mitigate risks. These include:

Reducing FX rate exposure and limiting accounting noise by creating a risk management framework that fits within their operating capacity. This may include outsourcing exposure management to drive efficiency.
Optimizing intercompany transaction flows and minimizing costs by centralizing intercompany transfers and aggregating activity toward a reduced net obligation
Improving forecasting by automating complex hedging and eliminating manual processing to reconcile accounts.
Integrating ERP and TMS systems to enable automation of FX flows from origination to settlement and reconcilement.

Don’t go it alone

Global expansion presents tremendous opportunities for businesses looking to grow. But along with it comes operational complexities around risk, efficiency, and management that can seem daunting. Fortunately, businesses can turn to international financial institutions, like Bank of America, that understand these challenges and offer cutting-edge solutions and expertise.

The rise of smart contracts and strategies for mitigating cyber and legal risks

Press Room Team — Fri, 27 Sep 2024 03:05:41 +0000

Smart contracts – self-executing agreements embedded in blockchain – offer the promise of seamless execution without human intervention.
However, the rapid adoption of this revolutionary technology comes with significant technological, legal and cybersecurity-related risks.
Here’s why adopting a multi-faceted approach is essential to addressing these risks and enhancing the security and reliability of smart contracts.

Imagine a world where contracts are executed seamlessly without human intervention, reducing costs and enhancing efficiency across industries – from finance to real estate. This is the promise of smart contracts, self-executing agreements embedded in blockchain technology.

However, the rapid adoption of this revolutionary technology comes with significant risks. In 2016, a coding flaw in the Decentralized Autonomous Organization (DAO) smart contract on the Ethereum platform led to a theft of $50 million worth of ether, illustrating the potential vulnerabilities.

Discover

How is the World Economic Forum promoting the responsible use of blockchain?

The World Economic Forum’s Platform for Shaping the Future of Blockchain and Digital Assetsensures equity, interoperability, transparency, and trust in the governance of this technology for everyone in society to benefit from blockchain’s transformative potential.

The Forum helped central banks build, pilot and scale innovative policy frameworks to guide the implementation of blockchain, with a focus on central bank digital currencies.
TheRedesigning Trust with Blockchain in the Supply Chain initiative is helping supply chain decision-makers implement blockchain, while ensuring that this technology is utilized in a secure, responsible and inclusive way.
The Centre for the Fourth Industrial Revolution UAE is testing the application of digital assets and tokenization to improve financial systems.

With the smart contracts market projected to reach $73 billion by 2030, expanding at a compound annual growth rate (CAGR) of 82.2% as reported by Grand View Research, the urgency to address these risks is paramount.

Smart contracts are playing an increasingly important role and being more widely adopted across various sectors. As platforms like Ethereum continue to dominate the market, ensuring their security and reliability is crucial for the broader adoption and trust in smart contracts.

Technical risks of smart contracts

Smart contracts are highly dependent on the precision of their code and the security of the blockchain infrastructure they operate on.

Even minor flaws or oversights can lead to severe consequences such as unauthorized access, fund misappropriation or unintentional legal disputes. To enhance the security and reliability of smart contracts, adopting a multi-faceted approach is essential.

Three Smartphone Trends to Advance an Inclusive Digital Future

Press Room Team — Sun, 15 Sep 2024 19:28:51 +0000

With democratization, coverage and access to mobile devices, more and more people will have an increasing wealth of technologies at their fingertips. The challenge is to unleash the power of smartphones to advance progress.

Driven by a rapid increase in usage, smartphones are becoming critical to a more informed society and a more resilient economy.

This transformation showcases three main trends shaping the region’s technological landscape.

The first one is democratization. With an adoption rate expected to exceed 80% by 2025, Latin America and the Caribbean’s smartphone penetration levels are comparable to those in developed countries—a remarkable shift towards greater digital inclusion.

This phenomenon highlights the importance of mobile devices as the front door to services and opportunities in an increasingly digital era.

Unequal Connectivity

The second trend is the dramatic increase in mobile network coverage, reaching most of the population. Despite this, the quality of connectivity between urban and rural areas is notably different.

This disparity suggests the need for continued infrastructure investments to ensure high-quality connectivity for all.

VIDEO – “Digital Transformation for Financial Inclusion in Latin America and the Caribbean” Content in Spanish. Use the CC option to read the subtitles in your preferred language.

The third trend is leadership in the mid-range mobile device market.

With their affordability and advanced features, these devices are gaining ground and are preferred by consumers because of their cost-performance ratio.

Critical Components

This preference reflects market maturity, with purchase decisions driven by a price-quality rationale.

IDB Invest and NTT Data have conducted a series of studies to provide findings, insights, and recommendations about how new technologies are transforming different industries and how crucial it is to access new tools, such as smartphones, to bridge the digital gap in the region.

As part of that series, the study “Smartphones: Unleashing their Potential and Overcoming Challenges in Latin America and the Caribbean” shows how the increasing adoption of smartphones is driving digital transformation.

These devices have become critical components for socioeconomic development, offering access to information and services that strengthen regional integration and productivity.

Inclusion and Access

These three major trends have a considerable impact on several key sectors. Regarding financial inclusion, smartphones make access to bank and financial services easier for those who have historically been outside the traditional banking system.

In education, smartphones open new horizons for students and teachers, offering interactive teaching resources and enabling more flexible and personalized learning.

Telemedicine has become increasingly vital in healthcare. It enables remote medical services and improves the quality of care at a more competitive cost.

Smartphones offer innovative solutions in the mobility and transportation industry, especially in urban areas. These solutions boost efficiencies and planning.

A Wealth of Opportunities

The use of mobile devices produces a far-reaching effect on different user groups, from rural communities that can now access critical information for their livelihoods to urban entrepreneurs who use them to expand their business.

Every person with a smartphone reflects not only the wealth of opportunities afforded by technology, but also its ability to level the playing field and foster greater equity.

The region is on the threshold of substantial change, with smartphones playing a catalyzing role.

As the penetration rate is almost as comparable as the one for developed markets, the promise of an inclusive and accessible digital future is coming true.

Now the challenge lies in expanding the benefits of this digital revolution to every corner in Latin America and the Caribbean, while ensuring that connectivity and technology advance, rather than impede, progress.

BIS Imposes Penalty on Texas Company Airbus DS Government Solutions Inc. to Resolve Alleged Violations of the Antiboycott Regulations

Press Room Team — Wed, 05 Jun 2024 19:56:36 +0000

WASHINGTON, D.C. – Today, the Department of Commerce’s Bureau of Industry and Security (BIS) imposed a civil penalty of $44,750 against Airbus DS Government Solutions Inc. (ADSGS), a satellite communications and networking systems company located in Plano, Texas, to resolve three violations of the antiboycott provisions of the Export Administration Regulations (EAR), as alleged in BIS’s Proposed Charging Letter. ADSGS voluntarily self-disclosed the conduct to BIS, cooperated with the investigation by BIS’s Office of Antiboycott Compliance (OAC), and took remedial measures after discovering the conduct at issue, all of which resulted in a significant reduction in penalty.

“Our antiboycott rules against furnishing prohibited information and failing to report boycott-related requests apply with the same force even when another U.S. company is the one making the information requests,” said Assistant Secretary for Export Enforcement Matthew S. Axelrod. “U.S. companies are reminded to be vigilant in examining all transaction documents, regardless of the source, to ensure that the terms and conditions comply with our antiboycott rules.”

Case Background:

As part of the settlement with BIS, ADSGS admitted to the conduct set forth in the Proposed Charging Letter, which alleged that ADSGS violated the antiboycott provisions of the EAR by furnishing information about its business relationships with boycotted countries or blacklisted persons and failing to report the receipt of a request to engage in a restrictive trade practice or foreign boycott against a country friendly to the United States. Specifically, ADSGS participated in a trade show in Kuwait in 2019. In connection with the shipment of products and items for display at the trade show, the company furnished to its freight forwarder a commercial invoice/packing list certifying that the goods were not of Israeli origin and not manufactured by a company on the “Israeli Boycott Blacklist.” Furnishing such information is prohibited by Section 760.2(d) of the EAR. In addition, the company failed to report to BIS the receipt of the request to furnish this information, as required by Section 760.5 of the EAR.

The Order, Settlement Agreement, and Proposed Charging Letter are available here.

Additional Information:

These BIS actions were taken under the authority of the Anti-Boycott Act of 2018, a subpart of the Export Control Reform Act of 2018, and its implementing regulations, the EAR. The antiboycott provisions set forth in Part 760 of the EAR discourage, and in certain circumstances prohibit, U.S. persons from taking certain actions in furtherance or support of a boycott maintained by a foreign country against a country friendly to the United States (an unsanctioned foreign boycott).

In addition, U.S. persons must report to OAC their receipt of certain boycott-related requests, whether or not they intend to comply with them. Reports may be filed electronically or by mail on form BIS 621-P for single transactions or on form BIS 6051P for multiple transactions involving boycott requests received in the same calendar quarter. U.S. persons located in the United States must postmark or electronically date stamp their reports by the last day of the month following the calendar quarter in which the underlying request was received. For U.S. persons located outside the United States, the postmark or date stamp deadline is the last day of the second month following the calendar quarter in which the request was received. Forms for both electronic transmission and mail submission may be accessed from the forms request page.

Pursuant to Section 764.8 of the EAR, a party may submit a voluntary self-disclosure if it believes that it may have violated Part 760 or Part 762 of the EAR (recordkeeping requirements relating to Part 760).

For additional information regarding the application of the antiboycott provisions of the EAR, please contact the OAC Advice Line at (202) 482-2381 or through the online portal.

Microsoft launches new generation of cybersecurity with Secure Future Initiative

Press Room Team — Thu, 09 Nov 2023 21:54:14 +0000

This new initiative will bring together all areas of Microsoft for the development of new cybersecurity tools.
The initiative is built on three pillars: AI-based cybersecurity, advances in software engineering, and advocacy for greater enforcement of international standards.
The company is committed to developing an AI “cyber shield” that will be designed to protect customers and countries around the world.

In recent months, Microsoft has concluded that the speed, scale and increasing sophistication of cyberattacks require a new global response. To that end, the company today launched a new initiative to continue the next generation of cybersecurity protection, the Secure Future Initiative (SFI), which will have three pillars focused on AI-based cybersecurity, advances in software engineering and advocating for greater enforcement of international standards to protect civilians from cyber threats.

As shared last month in Microsoft’s Digital Defense Report, implementing cybersecurity practices enables effective protection against the vast majority of cyber attacks. However, attackers, with greater funding power, are innovating and responding with more aggressive and even more sophisticated practices than in the past. About 40% of nation-state attacks in the past two years have targeted critical infrastructure such as power grids, water systems and healthcare facilities. While enterprises with an effective level of security can manage these threats, attacks are becoming more frequent and complex, targeting mainly smaller and more vulnerable organizations, including hospitals, schools and local governments.

AI-based cybersecurity

Microsoft is committed to developing an AI-based “cyber shield” that will be designed to protect customers and countries around the world. Its global network of data centers and use of advanced AI models place the company in a leading position in putting this technology to work for cybersecurity.

As part of the Secure Future Initiative, Microsoft will accelerate this goal on several fronts. The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Threat Analysis Center (MTAC) are already using advanced AI tools and techniques to detect and analyze threats and cyberattacks. These features are being extended directly to customers who, through Microsoft security technologies, can extract and analyze data from a variety of sources.

In addition, AI is a game-changer because it also addresses one of the biggest challenges in cybersecurity: the shortage of skilled professionals. Microsoft Security Copilot combines large language models with a security-specific model that has a variety of Microsoft competencies and threat intelligence. This tool is able to generate natural language recommendations from complex data, resulting in greater effectiveness and responsiveness in threat monitoring to help organizations prevent and stop attacks at machine speed.

New advances in engineering
In addition to new AI capabilities, a more secure future will require new advances in software engineering. Through the Secure Future Initiative, Microsoft seeks to create a new standard of security that is present in how technology is designed, built, tested and how it will work.

The challenges of today’s cybersecurity threats and the opportunities created by generative AI have been a tipping point for software engineering. The evolutionary phase of the security development lifecycle (SDL), which Microsoft created in 2004, will now be called “dynamic SDL” or dSDL. This will allow you to apply systematic processes to continuously integrate cybersecurity against emerging threat patterns as engineers program, test, deploy and operate Microsoft systems and services. It is also combined with additional engineering measures, including AI-driven secure code analysis and the use of GitHub Copilot to audit and test source code against advanced threat scenarios.

As part of this process, over the next year, Microsoft will provide customers with more secure default settings for multi-factor authentication (MFA). This will augment current standard policies for a wider range of customer services. The next step is to strengthen identity protection against highly sophisticated attacks: identity-based threats, such as password attacks, have increased tenfold in the last year, and nation-states and cybercriminals have developed more sophisticated techniques for stealing and using login credentials.

More effective enforcement of international standards
Finally, Microsoft believes that AI-based defenses and engineering advances must implement a third critical component: more effective enforcement of international norms in cyberspace.

In 2017, during the Geneva Convention, Microsoft advocated for a set of principles and standards that should govern the behavior of states and non-state actors in cyberspace. There is a need to strengthen and elevate the norms necessary to protect civilians in cyberspace from a wide variety of digital threats. Six years after that call, there is an urgent need for stronger and broader public engagement by the community to more forcefully oppose cyberattacks against civilians and critical infrastructure for all. Microsoft is renewing its efforts to bring together governments, the private sector and civil society to advance more effective implementation of international standards that promote cybersecurity.

House Subcommittee Highlights Danger of Restrictive Independent Contractor Tests

Press Room Team — Sun, 23 Apr 2023 17:48:34 +0000

Witnesses testified to Congress on the dangers of California’s AB-5 and pending DOL rule on independent contractors.

On April 19, the House Education and Labor’s subcommittee on Workforce Protections held a hearing titled: “Examining Biden’s War on Independent Contractors.” The hearing focused on the harmful economic impact of California’s AB-5 law and the U.S. Department of Labor’s (DOL) pending rule defining independent contractors (IC) under the Fair Labor Standards Act (FLSA).

Witnesses at the hearing testified about how AB-5 had cost California workers jobs and income, bred endless confusion, and led to litigation. They also noted that DOL’s pending regulation would impose a vague and open-ended IC test that in some ways mirrors AB-5.

As this blog has noted in the past, AB-5 imposed a strict version of the so-called “ABC” test. Under AB-5, a worker has to demonstrate that they meet three specific factors or lose their independent contractor status. The bill was targeted at the “gig” economy, but as its supporters soon found it was a rather blunt instrument. As witnesses at the hearing highlighted, entire categories of independent workers found their livelihoods taken away, forcing the legislature to pass more than 100 exemptions to the law. Those exemptions themselves are now the subject of litigation in California related to whether they constitute a violation of the Constitution’s equal protection clause. AB-5 also resulted in the successful passage of Prop 22, a ballot initiative that exempted gig companies from the law so long as they provided certain benefits to workers. That initiative is also being litigated. Suffice to say, AB-5 has resulted in considerable chaos and uncertainty in the Golden State.

Related
Congress Introduces Much-Needed Employee Rights Act
As to DOL’s pending rule, witnesses discussed how it is vague, unclear, and would allow DOL enforcers considerable leeway as to how the FLSA should be enforced — the opposite of what a rulemaking should seek to achieve. And while the rule states that DOL can’t impose the ABC test via rulemaking, the U.S. Chamber has pointed out that it would effectively impose part B of the ABC test, which is the most problematic element of the test. Not only that, but the PRO Act, which every Democrat on the Subcommittee supports, includes a word-for-word copy of California’s ABC test.

A key element of what supporters of AB-5 and the DOL rule miss is that there is a difference between deliberate misclassification of workers, which is already illegal, and a reasonable IC test that allows legitimate businesses, including those in the gig economy, to function and individuals to seek independent work. There is no question that deliberate misclassification occurs and DOL and other agencies have tools at their disposal to prosecute such illegal behavior. There is no need for laws like AB-5, which was meant to increase the number of “employees” subject to unionization. In fact, the chief author of AB-5 subsequently left the legislature to work for the California Labor Federation. Nor is there a need for DOL to revisit the prior administration’s IC test under the FLSA, which has been the law for two years now and, as a plethora of DOL press releases on misclassification cases show, is working.

Independent workers form a critical and growing portion of America’s labor force. If today’s hearing demonstrated anything, it is that the government should allow these workers to flourish and avoid the mistakes of California.

United States Will Host the 10th Conference of the States Parties to the UN Convention against Corruption in Atlanta, Georgia

Press Room Team — Tue, 10 Jan 2023 14:31:55 +0000

The United States will host the 10th Conference of the States Parties (COSP) of the UN Convention against Corruption (UNCAC) in Atlanta, Georgia from December 11-15, 2023. The conference is the preeminent global forum focused on implementation of the anti-corruption commitments enshrined within the treaty. It will convene the 189 states parties to the UNCAC, as well as a variety of civil society stakeholders from around the world to focus on ways to advance anti-corruption obligations and policy priorities. The United States looks forward to hosting this important meeting during the 20th anniversary of the UNCAC.

Need for Regulatory Harmonization Highlighted at Annual U.S.-EU Cyber Dialogue

Press Room Team — Wed, 04 Jan 2023 01:41:36 +0000

These pillars of regulatory harmonization dominated the appeals from industry at the recent U.S.-EU Cyber Dialogue. On Friday, December 16th, I had the honor and privilege of participating in the latest installment of this Dialogue—an annual event initiated in 2013 to facilitate transatlantic cooperation in cybersecurity. This year’s event saw participants from the European Commission and European Agency for Cybersecurity to the U.S. Office of the National Cyber Director and the State Department’s Bureau of Cyberspace and Digital Policy. During the industry session, hosted by the U.S. Chamber of Commerce, European, American, and multinational companies shared a variety of viewpoints focused on the importance of public-private partnerships in cybersecurity, and nearly every viewpoint included a call for harmonized regulation.

Technology-minded policymakers worldwide are engrossed in the alarming increase in devastating cyberattacks on critical infrastructure, government networks, small and midsize businesses, and individual citizens. Policymakers have homed in on the need to increase the level of cybersecurity within critical infrastructure, vendor products and services, and associated supply chains – all while increasing incident reporting and information sharing with the goal of inoculating entire industries from cyber threats at machine speed. Protecting citizens and critical infrastructure from cyber threats is exactly what policymakers should do. We all agree on this point.

But the need for harmonization in these sprawling regulatory approaches is needed now more than ever. Since coming into force of the European Union General Data Protection Regulation (GDPR) in 2018, the regulations targeting technology and cybersecurity have increased markedly. Since 2018, we’ve seen the introduction of policies such as the Network and Information Systems Directives 1.0 and 2.0, the Cybersecurity Act, AI Act, Data Governance Act, Data Act, and Cyber Resilience Act in the EU; Cybersecurity Review Measures, Personal Information Protection Law, and Data Security Law in China; and the EO on Improving the Nation’s Cybersecurity, Department of Defense Cybersecurity Maturity Model Certification (CMMC), TSA Pipeline Security Directive, Cyber Incident Reporting for Critical Infrastructure Act of 2021 (CIRCIA), and the Cybersecurity Performance Goals in the U.S.—just to name a few.

What’s more alarming than the pace of new regulations is that the underlying requirements of these regulations often require industry to comply with local, national standards as opposed to existing international standards. This is costly, counterproductive, and unnecessary. The body of existing international standards in cybersecurity is both broad and deep. There are entire suites of standards and guidelines for applications such as consumer internet of things devices (e.g., ISO/IEC 27402, IoT Security Foundation (IoTSF) (2018) IoT Security Compliance Framework, European Telecommunications Standards Institute (ETSI) (2019) Cyber Security for Consumer Internet of Things, and Council to Secure the Digital Economy (CSDE) (2019) The C2 Consensus on IoT Device Security Baseline Capabilities.), industrial control systems (e.g., IEC/ISA 62443 suite), and cloud applications (e.g., ISO 27000 series). This is not to suggest that international standards are a panacea or that they exist for every application or use case, but they are a logical starting place and should be leveraged as a first step in the regulatory harmonization process by governments globally.

I left the U.S.-EU Cyber Dialogue feeling encouraged. By the end of our two-hour meeting, it was clear that the message had been received as both U.S. and EU policymakers reiterated the need and importance of regulatory harmonization multiple times. In fact, this week began with a joint statement from the U.S.-EU Trade and Technology Council (TTC) where, importantly, the two governments stated that future collaboration would be focused on the area of cybersecurity standards and that the US-EU Cyber Dialogue would be a central place to facilitate these collaborations.

The moment has arrived for both the U.S. government and European Commission to translate this momentum into practical wins. This fall, the European Commission released its proposed text of the Cyber Resilience Act, a foundational proposal for the mandatory adoption of cybersecurity features in digital products spanning multiple industries. Days later, the White House announced its intention to facilitate a cybersecurity labeling scheme for IoT products, based upon the good work of the National Institute of Standards and Technology (NIST) on IoT security. On both sides of the Atlantic, there is a real opportunity to ensure that these efforts are well coordinated, leverage existing international standards, and potentially even demonstrate mutual recognition where conformance to one scheme would satisfy the requirements of the other and vice versa. Through this collaboration and harmonization, we can focus our collective resources on improving the baseline of cybersecurity across various industries, but in a way that makes sense for policymakers and industry.

How Businesses Can Be Prepared This Cybersecurity Awareness Month

Press Room Team — Mon, 17 Oct 2022 12:30:25 +0000

Cyberattacks can be catastrophic for businesses and individuals, crippling essential services and causing breaches of confidential business and personal information. In 2021, Americans were hit by an unprecedented rise in cybercrime, with nearly 850,000 reports to the FBI and combined losses nearing $7 billion. Cybercrime can steal valuable and sensitive data such as medical records, disrupt telecommunications and computer networks, and paralyze entire operating systems, making business and personal data unavailable.

Christopher Roberti, senior vice president for cyber, space, and national security policy at the U.S. Chamber of Commerce, has been talking to senior administration officials, law enforcement, business leaders, and news stations across the country about the cyber threat, risk management, and cyber resilience during National Cybersecurity Awareness Month. Read on for his insights on top cybersecurity questions.

What do businesses need to know about current cyber security threats?

Today, thousands of businesses will be successfully attacked by criminal gangs using ransomware, which is a malicious malware blocking access to a computer system until some form of ransom is paid to the attacker. Attackers can include individuals, criminal gangs, or hostile nation-states. The average downtime due to a ransomware attack is 21 days and, on average, it takes a business over 280 days to fully recover from this kind of attack. Businesses are outnumbered and law enforcement doesn’t have the resources to keep up.

The first step is acknowledging the reality of the situation. No entity—large or small, government or private sector—is immune to this threat. No company stands a serious chance facing an attack from a sophisticated nation-state actor, regardless of the resources it may devote to cybersecurity. Nor can the government fight these actors alone. It is often private sector networks that are attacked, and the private sector provides the innovation necessary to detect and defeat attacks.

It is time for the U.S. Government to act decisively against these criminal cyber attackers and stop them from operating with impunity. The U.S. and allied governments must work together with the private sector to confront these challenges head-on and create a credible deterrent to malicious cyber activity.

What are the most persistent cyber threats for businesses and individuals?

Two of the most common cyber threats are ransomware and business email compromise (BEC). Both usually leverage social engineering to gain access into victim’s networks. Ransomware is still the best-publicized cyber threat facing public institutions, but in monetary terms, fraud enabled by BEC has proven more costly (if less dramatic and disruptive). In 2021, the FBI’s Internet Crime Complaint Center (IC3) received 19,954 complaints relating to BEC, with losses from these incidents totaling $2.4 billion.

Cyberattacks and ransomware attacks have disrupted public school systems, police departments, hospital systems and local governments around the country. Researchers have observed 34 successful cyberattacks on local governments in particular this year and since September 13 alone, at least seven state and local governments have reported cyberattacks. America’s second-largest nonprofit hospital chain recently announced that it is confronting an incident impacting facilities across the country, forcing ambulance diversions, system shutdowns, and rescheduled medical procedures.

Victims of ransomware attacks, BEC attacks, or traditional cyber intrusions (e.g., those designed to steal intellectual property or trade secrets, conduct espionage, or engage in disruptive or destructive activities) all can have debilitating effects on victim companies in terms of direct financial losses, brand damage, loss of customer confidence and, in some cases, physical harm. Despite all the bad news and threats, there are steps that all companies – large and small – can take to make themselves harder targets and prepare for an incident, should it occur.

How can businesses and individuals best defend themselves against cyber threats?

Here are some steps companies (and individuals) can take to harden their defenses and improve their chances for a full recovery if faced with a cyber or ransomware attack:

Enable multifactor authentication organization-wide. Strong passwords are still a must, but multifactor authentication means that a password alone will not allow access to a network.
Deploy endpoint protection, including antivirus, antimalware, or email filtering software to protect the network edge from known malicious activity.
Regularly update and patch network software in keeping with the latest manufacturer supported versions.
Educate employees about clicking on links in emails and text messages. Employees should be trained to be alert to suspicious activity and should have a clear reporting process about what to do when they receive what they believe could be a malicious link.
Empower IT teams to make decisions quickly to protect networks. Teams should maintain secure offline backups that are not tied to primary systems. IT teams must also maintain an active inventory of company IT assets and related security configurations.
Companies should establish relationships with local law enforcement agencies, the Cybersecurity and Infrastructure Security Agency (CISA), the Secret Service, the FBI, and others. The U.S. Chamber can help member companies build these critical relationships.
Businesses should constantly be thinking about how they can move their systems and networks to “zero-trust architecture.” This generally means granting access to corporate networks on a per-session basis and granting gradual levels of access based on a user’s position and “need to know.”

What is being done at a local and national level?

There are two key activities at the local level I want to highlight.

First, Congress passed legislation to authorize $1 billion in cyber grants for applicable state and local cybersecurity enhancements. These grants, which will be available over the next five years, will facilitate meaningful IT modernization investments in local government infrastructure and beyond that, will greatly improve state cyber policy.

Second, this fall, the Cybersecurity and Infrastructure Security Agency is hosting listening sessions with the business and critical infrastructure community across the country. CISA wants to hear from businesses large and small on steps the public and private sectors need to embrace to close the visibility gap in cyber incidents and ransomware attacks.

What resources are available to learn more and to protect yourself?

CISA’s theme for this month is “see yourself in cyber.” The message to individuals and businesses is to take action to protect yourself online. This includes updating your software (to the most updated manufacturer supported versions), thinking before you click, using strong passwords or a password manager, and enabling multifactor authentication. According to CISA, implementing these four actions will significantly reduce cyber risk.

For more information visit the U.S. Chamber of Commerce website: uschamber.com/security.

The U.S. Must Lead the World in Cybersecurity – And Lead by Example

Press Room Team — Tue, 10 May 2022 02:39:05 +0000

In Europe, the new Digital Markets Act (DMA) threatens to compromise the world’s cyber defenses. Washington must defend the ability of American companies to protect the nation’s cybersecurity.

As recent events have emphasized, the United States must lead the world in cybersecurity. On a daily basis, both public and private institutions face cyberattacks from hostile foreign actors as well as from routine cybercriminals. Security experts caution that Russia soon may ramp up cyberattacks against the United States and its allies.

Unfortunately, our cyber defenses are now under assault from another source: proposals in Europe and elsewhere that would compromise the ability of our technology companies to protect their cyber infrastructure from bad actors, to update their security systems, and to shield sensitive consumer data from unfriendly foreign governments. In response, Washington must defend the ability of American companies to protect the nation’s cybersecurity – and that includes leading by example.

In Europe, the new Digital Markets Act (DMA) threatens to compromise the world’s cyber defenses. Set to take effect next year, the DMA would allow developers to circumvent current security systems and place their software applications directly onto platforms with fewer security constraints. These provisions would also prohibit the platforms from restricting or downgrading these applications, including those with links to foreign governments often hostile to American interests.

Moreover, the DMA would require the platforms to share data more freely with their competitors, again including foreign competitors. As a result, foreign companies may gain access to sensitive consumer data, thereby making consumers more vulnerable to identify theft, phishing attacks, and other breaches of their privacy. Unfortunately, as former national security officials have pointed out, the DMA passed “without any consideration of national security repercussions” or “potential cybersecurity risks.” Indeed, some European policymakers appear not to care about security; a few days after revelations that spyware had infected the phones of many European public officials, Europe’s top digital regulator shrugged that her phone contained only “boring” information.

Other countries may follow Europe’s lead. Japan, India, Australia, South Korea, the United Kingdom, and other nations are becoming more assertive in terms of regulating the tech platforms, often, as in Europe, with a heavy focus on American companies. Within Europe itself, the European Commission must determine to how aggressively to enforce the DMA and how much deference to afford the security concerns (for instance, regulators are still working out the details of mandatory interoperability).

Leading by example

Related
U.S. Chamber Letter on S. 977, the “No Oil Producing and Exporting Cartels Act” (NOPEC)
Comments to FTC on Impact of Pharmacy Benefit Managers’ Practices
Against this backdrop, it is imperative that Congress reject proposals here at home that would further weaken our global cybersecurity. Like the DMA, the American Innovation and Choice Online Act (AICOA) and the Open App Markets Act would require American companies to share sensitive data with their foreign counterparts. For example, AICOA would forbid covered platforms from “materially restricting” a business’s access to interoperate with the platform’s features that are available to the platform’s own products, or to “materially restrict” a business from accessing data generated on the platform by the business’s activities. Remarkably, AICOA also constrains a company’s ability to update its own software, in ways that could deter the company from addressing security concerns.

On both sides of the aisle, many senators have highlighted some of these security concerns. At a markup on the bill, Senator Diane Feinstein pointed out that, “this bill would prevent companies … from taking steps to ensure that an app is safe before you download it from your phone. This makes no sense. We’re requiring companies to take down protections that are in place today and instead allow hackers, and those looking to steal personal data and to access the devices.” Senator Alex Padilla worried that “consumer privacy and cybersecurity don’t seem to be consideration or priority in the bill.”

Turning to national security, Senator John Cornyn noted that the bill would facilitate “the relentless ability and willingness of the Chinese Communist Party and the People’s Republic of China to vacuum up private data and use it for its own purposes.” Senators Patrick Leahy, Chris Coons, Jon Ossoff, and others all raised similar concerns about the bill’s harmful impact on privacy, cybersecurity, and national security.

With the Biden Administration, the national security team also may share these concerns. For instance, although the Justice Department recently issued a letter that sets out qualified support for AICOA, neither the Department’s National Security Division nor its Criminal Division signed onto the letter. Moreover, during the markup on AICOA, Senator Feinstein asserted that “federal agencies have concerns about these provisions.” Indeed, President Biden himself recently pointed out that the United States is facing an extraordinary threat from Russian cyber-attacks, and the private sector “must accelerate efforts to lock their digital doors.”

If enacted, however, these proposals would compromise our defenses at home and our ability to encourage cybersecurity around the globe. The United States would have less ability to persuade foreign governments to maintain tight cyber defenses if Congress is undermining those defenses here at home.