The Federal Communications Commission's (FCC) Public Safety and Homeland Security Bureau (Bureau) recently released a public notice (Notice) emphasizing the threat of ransomware to communications networks and urging providers to adopt various cybersecurity best practices. The Notice, dated January 29, 2026, is geared toward small-to-medium sized providers, but its recommendations are relevant to larger providers as well. The Bureau's guidance underscores that providers of all sizes, including those with potentially more limited technical and financial resources, have been targeted by ransomware actors and have faced significant operational disruption, data loss, and public safety impacts as a result.

The Notice describes various common ways that attackers may gain a foothold in victims' networks to launch ransomware attacks, including phishing and other types of social engineering, exploitation of unpatched software vulnerabilities, and insecure remote access tools and credentials. Ransomware attacks frequently involve deployment of ransomware—i.e., malicious software that encrypts files on a victim's systems—as well as theft of sensitive data. Attackers then demand that the victim company pay a ransom for decrypting its files and deleting or returning its stolen data. Attackers often publish stolen data on dark web sites if a ransom is not paid.

The Notice provides best practices for preventing and mitigating ransomware attacks, as well as for responding to such attacks once they are detected. Many of these best practices are drawn from the Cybersecurity and Infrastructure Security Agency's (CISA) #StopRansomware Guide.

Prevention and mitigation recommendations include:

  • Developing a risk management plan that identifies responsibilities for cybersecurity and incident response.
  • Regularly patching software and disabling unused features.
  • Enabling multifactor authentication (MFA).
  • Regularly backing up sensitive data.
  • Providing cybersecurity awareness to employees.
  • Implementing network segmentation.
  • Deploying industry standard tools such as endpoint detection and response (EDR) software and intrusion detection and prevention (IDS/IPS) systems to detect and respond to intrusions.
  • Conducting regular scans to identify and fix software and other security vulnerabilities.
  • Overseeing vendors' cybersecurity practices.

Recommended practices for responding to ransomware attacks include:

  • Following the company's incident response plan.
  • Quickly identifying and isolating infected systems to contain the spread of ransomware and minimize the impact of any intrusion.
  • Preserving key evidence (including by capturing the memory of infected machines, which often contains crucial forensic evidence that is lost when a machine is shut down).
  • Patching systems, changing passwords, and introducing new security controls.
  • Restoring affected data.
  • Reporting the attack to the FCC and federal law enforcement. The Notice reminds providers of their obligations to report breaches of customer proprietary network information (CPNI) to the United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI), and to report certain facility and system outages to the FCC.

The Notice illustrates the FCC's continued emphasis on voluntary guidance and industry cooperation for defending networks against cyberattacks. In November 2025, the FCC repealed a January 2025 ruling (issued under the prior Administration) that the Communications Assistance for Law Enforcement Act (CALEA) required carriers to adopt various enterprise-wide cybersecurity measures. In voting to rescind the prior order, FCC Commissioner Olivia Trusty (nominated by President Trump to the Commission in June 2025) wrote that the rescission "does not signal a retreat from our cybersecurity mission" but rather "reflects a recognition that one of the most effective defenses against foreign threats comes from a dynamic partnership between the federal government and the private sector."

Less than a week after the FCC repealed the prior CALEA ruling, on November 26, 2025, the Bureau issued another set of voluntary guidelines urging broadcasters to adopt cybersecurity best practices, particularly to secure studio-transmitter links (STL) to prevent attacks resulting in misuse of the Emergency Alert System (EAS) Attention Signal.

Conclusion

Communications providers—particularly small-to-medium sized providers with possibly more limited cybersecurity resources—should review the Notice and assess their current practices against the Notice's recommendations. Even with its emphasis on voluntary compliance, the FCC may look to see whether providers have implemented the Notice's recommendations following a ransomware attack or other cybersecurity incident. Plaintiffs' attorneys also may point to the Notice's recommendations—if a provider fails to follow them—in a class action suit following a data breach.

+++

Michael Borgia and Soraya Mohamed have extensive experience spanning data strategy and information security, providing insights to help clients navigate complex challenges in the cybersecurity sector. For more insights, contact Michael, Soraya, or another member of Davis Wright Tremaine's privacy and security team or sign up for our alerts.