On Tuesday, January 14, Microsoft released a patch to close an important vulnerability related to security certificate functions in Windows 10, Windows Server 2016, and Windows Server 2019. Windows users should ensure that their systems have been updated to mitigate cyber risk and avoid possible legal exposure.
The patch is particularly noteworthy because it addresses a vulnerability that would allow malware to masquerade as legitimate, digitally signed software. This would permit malicious cyber actors to bypass existing security measures and gain access to internal networks and data. The National Security Agency discovered the vulnerability and disclosed it to Microsoft, likely after going through the Vulnerabilities Equities Process, the internal process by which the government determines whether and when to disclose vulnerabilities it discovers. The vulnerability is significant enough that Anne Neuberger, the head of the National Security Agency’s Cybersecurity Directorate, publicly commented on the matter.
As we have seen in the fallout from the WannaCry and NotPetya attacks, failing to quickly patch vulnerabilities can leave systems exposed to ransomware attacks and data breaches. This risk is heightened after the announcement of a major patch as hackers may turn their focus to developing new exploits based upon the announcement or may seek to deploy an existing exploit before systems are patched.
Failure to timely patch computer systems can lead to cyber incidents and related legal liability. Equifax’s failure to timely patch its network was a critical factor in the US$575 million global settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and state attorneys general. Federal regulators and state enforcement officials, particularly for those states requiring implementation of “reasonable security” for computer networks, consider patching to be a baseline requirement of any cybersecurity program. Indeed, the California Attorney General noted in the 2016 California Data Breach report that “[k]eeping up-to-date in patching newly discovered vulnerabilities is critical.” Finally, the failure to implement baseline security measures like vulnerability patching could invalidate cyber insurance coverage, depending upon the terms of the policy.
In the wake of Microsoft’s announcement, and as a general practice, in-house counsel should be coordinating with relevant IT personnel to ensure that security practices are up to date.