Insights

Washington — Dec. 3, 2024: Crowell & Moring represented Microsoft and LF Projects in seizing 240 fraudulent websites linked to an Egypt-based criminal organization. On November 21, 2024, the U.S. District Court for the Eastern District of Virginia unsealed a temporary restraining order against Abanoub Nady (known online as “MRxC0DER”) and John Doe Defendants (collectively the “Fake ONNX Defendants”), who developed, sold, and implemented “do it yourself” phishing kits under the predominant brand names “ONNX” and “Caffeine,” among several others. In selling these kits under the ONNX name, the cybercriminals misappropriated and misused the “ONNX” trademark, which is owned by LF Projects. LF Projects uses the ONNX name and logo in connection with the Open Neural Network Exchange, a platform that enables interoperability between AI models throughout the tech industry. Numerous cybercriminal and online threat actors purchased these kits and used them in widespread phishing campaigns to bypass additional security measures and break into Microsoft customer accounts.

On July 26, 2023, the SEC finalized long-awaited disclosure rules (the “Final Rules”) regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.  While the end results are substantially similar to rules proposed by the SEC in March 2022, there are some key distinctions. 

The risks faced by companies in light of new federal cybersecurity regulations are particularly acute for government contractors, who must also be aware of compounded exposure from the False Claims Act (FCA). The U.S. government is increasingly scrutinizing corporate cybersecurity programs, and companies are vulnerable to new risks of civil and criminal liability related to data breaches. The specter of individual criminal liability looms large since the 2022 conviction of the chief security officer at a leading rideshare company for actions related to his response to data breaches. And now, the SEC has charged the CISO of SolarWinds in his individual capacity with securities fraud related to the company’s cybersecurity regime. All companies—especially government contractors—should consider mitigating risk by auditing their cybersecurity protocols and updating their incident response plans.

With stronger rules requiring disclosure of cyber risk and cyber breaches, 2023 has seen heightened SEC enforcement of companies’ obligations in cyber breaches and, notably, enforcement charges brought directly against Chief Information Security Officers (CISOs).