Helping customs brokers prepare for and respond to a cyber-attack is the aim of a new guidance document from U.S. Customs and Border Protection.
CBP states that this guidance is part of a broader agency focus on supply chain resilience that seeks to establish clear expectations for both industry and government actors on processes, procedures, and responsibilities in the face of manmade supply chain disruptions. Cybersecurity is the first topic CBP is exploring as part of this effort, and the guidance reflects insights gathered from recent cyber-attacks as well as collaboration with partner government agencies (PGAs) and customs brokers.
This guidance makes the following recommendations on how to prevent, respond to, and recover from potential cyber-attacks on customs broker data systems.
Protect
- maintain and regularly review written cybersecurity policies and procedures, following protocols based on recognized industry frameworks, to protect information technology systems
- utilize current firewall, anti-virus, and anti-spyware software and run frequent updates
- regularly test the security of IT infrastructure through vulnerability scans
- exercise due diligence to ensure IT service providers have security measures in place
- if directly transmitting data to the Automated Commercial Environment (ACE), submit an up-to-date interconnection security agreement at least every three years to give CBP accurate information on company systems and broker contacts
- protect data by frequently backing it up, storing all sensitive and confidential data in an encrypted format, keeping backup devices physically off-site (or in the cloud), connecting backup devices to a different network, and maintaining originals of records within the U.S. customs territory
- develop a plan for communicating with stakeholders about cybersecurity incidents that identifies whom to notify; when to reach out to importer clients, system vendors, CBP (bearing in mind that any breach of records relating to customs business must be reported within 72 hours), and PGAs; and what kind of information to share at each stage
- account for supply chain risks (threats to national security, trade compliance, and PGA requirements) in business continuity plans and identify how to manage these risks without system access
- have a risk-based process for screening new business partners and monitoring current partners
- have a plan to verify clients’ PGA requirements without system access
Respond
- contact CBP’s Office of Field Operations at the headquarters level to request assistance and ensure that the broker’s downtime procedures are compliant with CBP requirements
- provide a downtime letter documenting each entry with entry numbers and other required data
- be prepared to provide copies of appropriate documents for manual review
- have an offline continuity plan that includes a reserve of entry numbers to use
- plan to fulfill PGA requirements (hard-copy PGA forms alongside the commercial invoice and documentation on product specifics may help)
- maintain frequent communication with government stakeholders until the incident has been remediated and business has resumed
- remember that clearance of merchandise can be provisional and that requests for redelivery are possible
- where appropriate and legally permissible, CBP will work with brokers to make accommodations for post-release procedures
Recover
- brokers must provide evidence of system remediation before CBP will authorize reconnection to ACE
- brokers must keep a full accounting of entries during cyber incidents and input that data into ACE for CBP processing
Copyright © 2025 Sandler, Travis & Rosenberg, P.A.; WorldTrade Interactive, Inc. All rights reserved.