Mullen Coughlin, Cybersecurity & Data Privacy

Partner Paul McGurkin participates in a Biocom California virtual webinar, “Tales from the C-Suite: Protecting Corporate Assets & Cyber and Management Liability (D&O) Insurance,” on June 22, 2021 from 10:00 am-11:00 am.

This panel discussion, presented by Biocom California and Quan Insurance, discusses recent events which triggered coverage, including cyber and ransomware incidents. As part of the Cyber Panel, Paul and his co-panelists Chris Ballod (Associate Managing Director, Kroll) and Ted Doolittle (Vice President, RT Specialty) provide essential tips for before and after a cyberattack, as well as respond to questions about common mistakes organizations make when responding to a data privacy and security incident (and how to avoid them). The panel is moderated by Jeff Quan – Principal, Quan Agency Insurance.

Biocom California is the largest advocate for life sciences organizations in California. For over 25 years, Biocom has provided the California life sciences industry with resources and industry advocacy to grow faster, work more efficiently and thrive.

Admission to the virtual webinar is free, and more information and registration can be found on the Biocom event webpage.

On May 12, 2021, President Joe Biden signed an Executive Order on Improving the Nation’s Cybersecurity (the Order) mandating “bold changes and significant investments” to advance the nation’s efforts to identify, deter and defend against cybercriminals. The Order institutes ambitious cybersecurity requirements for “information systems used or operated by [Federal agencies] or by a contractor of an agency or by another organization on behalf of an agency,” and further calls for the advancement of private sector data security practices to enhance the security of U.S. cyberspace and infrastructure.

The Order consists of 11 sections, each including several requirements. At a high-level, the Order addresses four (4) primary cybersecurity interests:

1. expanding incident reporting and information sharing;
2. modernizing federal information systems;
3. improving software supply chain security; and
4. remodeling the federal government’s policies and procedures to better detect, respond to, and mitigate cybersecurity events.

While the Order focuses on the federal government and its agencies, many of the requirements are expected to impact federal government contractors and the private sector at large, either directly or indirectly. The Order mandates that guidance be issued, and new requirements be adopted, in a number of areas over the next several months, and the cybersecurity industry will be closely monitoring this activity.

Information Sharing and Reporting

The Order seeks to remove obstacles in contracts between the federal government and its information technology service providers to increase information sharing requirements and opportunities. The Order requires more stringent reporting requirements for service providers. As part of this effort, the Order calls for a review of the Federal Acquisition Regulation (FAR) and recommends new conditions on federal contracts, including severity-based cyber incident reporting deadlines – some as early as three (3) days after discovery of a cyber incident. The Order seeks to not only improve the flow of information sharing from the private sector to the federal government, but also to standardize the collection and sharing of information between agencies and coordination of agency responses and approaches to cybersecurity, as discussed in more detail below.

Paul Caron, Cybersecurity Incident Response Lead at Arete Advisors, notes that the Order aims to provide a common lens to view cybersecurity so that those performing critical roles across defense, technology and incident response can seamlessly facilitate cross-functional information sharing in a transparent manner. Paul is reminded of the intelligence community’s experience following 9/11, when security professionals encouraged flattening the information sharing landscape to achieve national security goals.

Others are less certain about the Order’s potency when it comes to information sharing. To be sure, the federal government has advocated for information sharing for decades, and, while the Order goes to great lengths to funnel threat intelligence to the appropriate authorities, government contractors should brace for significant growing pains as the conditions and procedure for reporting begin to materialize.

Modernizing Federal Government Cybersecurity

The Order requires federal entities to accelerate the transition to cloud-based architectures, including Software-as-a-Service (SaaS), and adopt security practices including encryption standards, zero-trust architecture and multifactor authentication (MFA). The Order also emphasizes critical risk areas such as Secure Software Development Lifecycle (SSDLC), where many code vulnerabilities are overlooked and subsequently exploited. These vulnerabilities are found across both Information Technology (IT) and Operational Technology (OT) environments. While the requirements target government agencies, government contractors and suppliers should be prepared to facilitate these requirements.

Supply Chain Security

The Order addresses the lack of transparency and security controls in software development and calls for guidance that will enhance software supply chains, including securing production environments, attesting to secure development practices and requiring contract language that would mandate that private suppliers of software available for purchase by agencies to comply with the directive. Suppliers will need to attest to certain standards and those that fail to meet the standards may be removed from contracts.

Further, the Order instructs agencies to require vendors to provide a “Software Bill of Materials” (SBOM), or “a formal record containing the details and supply chain relationships of various components used in building software.” Open-source software developers and service providers, in particular, should take note of potential risks when attesting to the integrity and provenance of open-source software.

Federal Vulnerability and Incident Detection, Response, and Remediation

The Order seeks to improve detection of cybersecurity vulnerabilities and response to incidents involving Federal Information Systems. For instance, the Order explicitly identifies Endpoint Detection and Response (EDR) software and requires the Office of Management and Budget (OMB) to issue requirements for agencies to adopt a uniform EDR approach.

In addition, agencies and their contractors are directed to increase efforts to collect and maintain network and system logs on Federal Information Systems. The Order solicits recommendations on the retention schedules and types of logs to be collected, and vendors should be on the lookout for updated guidance in the FAR.

Conclusion

Much of the Order is a recitation of well-established, yet unrealized, cybersecurity goals. However, with this directive, the President establishes aggressive timelines for implementing large-scale information security measures across federal agencies, which will ultimately affect current and future government contractors and suppliers. Mandating that security measures liked EDR and MFA be adopted may have a significant positive benefit on federal government information systems, depending on the implementation specifications. In addition to creating more stringent reporting requirements for contractors and suppliers, the private sector can also expect to see greater government investment in certain technologies, and such contracts will surely be aggressively sought.

Time will tell if the new cybersecurity standards materially improve the federal government’s cybersecurity defenses. In the meantime, businesses that provide information technology products and services to federal agencies should begin evaluating the Order and positioning for compliance. If you have any questions or would like additional information, please contact Edward Finn (; 267.930.4776) or Ryan Gallagher (; 267.930.2308). Thank you to Paul Caron, Cybersecurity Incident Response Lead at Arete Advisors, for contributing to this article. He can be reached at or 847.274.5607

Mullen Coughlin is proud to announce that Partner and General Counsel, Claudia D. McCarron, has been selected as a 2021 Pennsylvania “Super Lawyer” in the Class Action & Mass Torts practice area by Super Lawyers. The annual “Super Lawyer” selection is based off an evaluation of 12 indicators, including peer recognition and professional achievement in legal practice. Claudia was previously selected as a “Super Lawyer” in 2014, 2015 and 2016.

Claudia chairs Mullen Coughlin’s Litigation practice and serves as the firm’s General Counsel. She has over 35 years’ experience arguing novel and developing legal issues in data privacy and security for her clients in the insurance, financial services, healthcare and non-profit industries. She represents these organizations in class action and other data privacy and security-related litigation in federal and state courts around the country, as well as before regulatory bodies during post-incident investigations.

Ms. McCarron has been with the firm since its founding. Since then, she has steadily grown the firm’s litigation practice to better position the firm to defend organizations when they are named as a defendant in a single-plaintiff or class action lawsuit stemming from an alleged data privacy and security incident.

This selection further solidifies Mullen Coughlin as the preeminent law firm that is exclusively dedicated to counseling organizations in the context of data privacy and cybersecurity under the umbrella of cyber insurance.

Congratulations, Claudia!