FCC Download

Feb. 4, 2026

CPNI Certification Reminder and Cybersecurity Best Practices Guidance

By John J. Heitmann, JD, CIPP/US, Jack Pringle, JD, CIPP/US

Dear Clients and Friends,

As a reminder, telecommunications carriers and interconnected Voice over Internet Protocol (VoIP) providers (communications providers) must file their annual certification documenting compliance with the Customer Proprietary Network Information (CPNI) rules by March 2nd. Please let us know if your company needs assistance in completing and submitting this certification.

While on the topic of CPNI and the duty to protect CPNI and telecommunications networks, we wanted to highlight a recent Public Notice issued by the FCC’s Public Safety and Homeland Security Bureau (“Bureau”).

The Public Notice encourages communications providers to implement cybersecurity best practices to protect their networks from malicious attacks, including ransomware. Ransomware is a type of malicious software that encrypts files on a device and prevents access to files, systems, and networks. Malicious actors typically demand a ransom in exchange for restoring access. Ransomware can impair a communications provider’s ability to conduct business, is costly and time-consuming to address, and may require reporting of the attack to the FCC or law enforcement.

Over the past year, the FCC has learned of ransomware incidents that disrupted service, exposed information, and locked providers out of critical files.

The Public Notice recommends the following Best Practices for Preventing and Mitigating Ransomware Attacks:

  1. Develop a Cybersecurity Risk Management Plan. This should include an incident response plan with concrete steps to follow if an attack occurs.

  2. Regularly Update and Patch Software and Disable Unnecessary Features. Install updates and promptly apply applicable security patches.

  3. Enable Multi-Factor Authentication (MFA). MFA helps guard against unauthorized network access.

  4. Regularly Back Up Data. Robust, tested data backup processes are essential for data restoration in the event of an attack.

  5. Train Employees in Cybersecurity Awareness and Security Principles. Knowledgeable and aware employees help to reduce vulnerabilities and increase network security.

  6. Segment Network Appropriately While Implementing a “Zero Trust” Architecture. Controls on network access help reduce the impact of an attack.

  7. Deploy Detection and Protection Processes and Regularly Scan for Vulnerabilities. Implement intrusion detection and prevention systems (IDS/IPS) and endpoint detection and response (EDR), run regular vulnerability scans, monitor logs and set alerts for unusual login attempts or network activity, and stay up to date on threat intelligence by subscribing to threat monitoring sources.

  8. Evaluate Third-Party Risk. Evaluate and monitor the cybersecurity practices of third-party vendors.

Consistent with the Public Notice, we recommend that all of our communications clients take a fresh look at their existing security policies, practices, and training. If your company needs to refresh, replace, or create policies, we would be happy to help.