U.S. Customs and Border Protection (CBP) has just released a framework for how customs brokers can prepare for and respond to a worst-case scenario: a cyber attack on their data systems.
The guide (also available as a PDF) makes the following recommendations:
- Prevention and Protection
- Have a written cybersecurity policy and/or set of procedures to protect your IT system. Follow these procedures and review them frequently. Your protocols should be based on recognized industry standards, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
- Use firewall, antivirus and anti-spyware software, and run frequent updates. Regularly test the security of your IT infrastructure using vulnerability scans. Make sure your IT service providers have security measures in place.
- Maintain up-to-date Interconnection Security Agreements (ISA). If you’re directly transmitting data to ACE, submit an up-to-date ISA at least every three years to make sure CBP has accurate information on your systems and broker contacts, which allows for streamlined coordination during a cyber incident.
- Protect your data by backing it up frequently and storing all sensitive and confidential data in an encrypted format.
- Keep backup devices physically offsite or in the cloud, and connect backup devices to a separate network.
- Maintain originals of records, including records stored in electronic formats, within the customs territory of the U.S. in accordance with 19 CFR 111.
- Develop a plan for notifying stakeholders about a cybersecurity incident, which includes who to notify (CBP and Partner Government Agency [PGA] contacts), when to reach out to importer clients, systems vendors, CBP, and PGA contacts, and what information to share.
- Have a plan for how to manage supply chain risks if you don’t have system access.
- Have a process for screening new business partners and monitoring current partners.
- Have a plan to verify clients’ PGA requirements if you don’t have system access. (ACE reports and similar reporting from PGAs may help.)
- Communication: Notifying stakeholders
- Immediately notify CBP’s Office of Information Technology Security Operations Center (SOC). Be prepared to provide the SOC with details on the time of the incident, involved parties, cause, impact, whether any personally identifiable information was exposed, and any known indicators of compromise. Note: Brokers must report any breach of records relating to customs business no later than 72 hours as required under 19 CFR 111.21(b).
- Communicate with CBP client representatives and relevant PGAs.
- Reach out to importer clients and coordinate with CBP HQ to align messaging.
- Provide frequent status updates to CBP HQ and your PGA contacts.
- Respond: Maintain the movement of lawful cargo while mitigating risk
CBP may be able to work with brokers to implement downtime procedures in order to maintain the facilitation of lawful trade and the release of cargo while systems are down.
- Contact CBP OFO at headquarters level to request assistance and ensure your broker downtime procedures are compliant with CBP requirements.
- Provide a downtime letter documenting each entry with entry numbers and other required data.
- Be prepared to provide copies of appropriate documents for manual review.
Where appropriate and legally permissible, CBP will also work with the broker to make accommodations for post-release procedures.
- Recover: Reconnect your systems to resume business
- System safety validation: Brokers must provide evidence of system remediation before CBP will authorize reconnection to ACE.
- Retroactive data entry: Brokers must keep a full accounting of entries during cyber incidents and input that data into ACE for CBP processing.
To stay informed on trade news and other important updates, stay connected with a customs broker.