FTC issues warning to companies in light of Log4j risks

As 2021 came to a close and the ever-present threat of ransomware attacks continued to loom large, there was arguably no greater security risk in the minds of cybersecurity professionals than the Log4j vulnerability. Jen Easterly, director of the US Cybersecurity & Infrastructure Security Agency, referred to Log4j as the most serious security flaw she had ever seen, which may not be fully resolved for years to come.[1]

For those not yet familiar, Log4j is a nearly ubiquitous software used in various everyday programs to record routine performance and diagnostic information to systems administrators and users. For example, Log4j is at work when a user receives a 404 error message after clicking on a non-existent or otherwise unavailable weblink. Log4j is also working behind the scenes when the server for software such as an online game or other consumer-facing service attempts to log web activity associated with available computer memory or user commands entered into the system. US officials have stated that the flaw potentially places hundreds of millions of devices at risk, and indeed in late December 2021, cybersecurity company Akamai Technologies Inc. claimed to have tracked 10 million attempts to exploit the Log4j vulnerability per hour in the US alone.[2]

In early 2022, in response to this threat, the United States Federal Trade Commission (FTC) issued a stark warning:

When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms. The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action . . . The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.[3]

The FTC further made direct reference to the now widely known Equifax legal proceedings where a failure to patch a known vulnerability irreversibly exposed the personal information of 147 million consumers, and where Equifax agreed to pay $700 million to settle actions by the FTC, the Consumer Financial Protection Bureau, and all fifty states.

In light of the above, underwriters must be increasingly vigilant in the application process when evaluating whether to underwrite certain risks, whether under cyber, media, and technology; E&O; D&O; or related coverages. As with other exposures based upon cyber threats and exploits over the years, underwriters must be increasingly proactive in identifying known cybersecurity threats and vulnerabilities in order to address these issues with potential new insureds and at the policy renewal phase alike. This is especially true given that (i) the Log4j flaw was discovered only weeks before the FTC issued its strong warning[4]; (ii) the FTC impliedly likened the Log4j vulnerability to that which caused Equifax to agree to issue settlement payments well into the nine figures, even though Equifax involved a different vulnerability known as CVE-2017-5638[5]; and (iii) the FTC stated that it would use its full legal authority in pursuit of companies that fail to take “reasonable steps” to protect consumer data from “similar known vulnerabilities” to Log4j, without providing further detail as to what constitutes “reasonableness” or a “similar” vulnerability. Further, and given that insureds are often held liable for processing, storage, or other use of consumer data by third-party vendors, underwriters should continue to focus on third party vendor risks within the insured’s data and security infrastructure, including the specific measures these vendors have in place to maintain the confidentiality, integrity, and availability of consumer data.

As cybersecurity flaws seem to continually increase in frequency and breadth, and sensitive consumer information becomes increasingly at risk, the FTC has continued to make it clear that it remains intent on identifying and preventing the next Equifax – and pursuing those companies that fail to take “reasonable” proactive measures. Underwriters should continue to take heed of these potential risks and sources of exposure.

 

[1] https://www.cnbc.com/video/2021/12/16/cisa-director-says-the-log4j-security-flaw-is-the-most-serious-shes-seen-in-her-career.html

[2] https://www.wsj.com/articles/what-is-the-log4j-vulnerability-11639446180

[3] https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2022/01/ftc-warns-companies-remediate-log4j-security-vulnerability

[4] https://www.cisecurity.org/log4j-zero-day-vulnerability-response

[5] https://archive.epic.org/privacy/data-breach/equifax/