May 2022 Issue
FW discusses data loss and cyber security with Courtney Adante, Alisa Charkova, Rhea Siers, Mick Summersgill and Suraj Ramaprasad at Teneo.
FW: What do you consider to be among the key trends and developments affecting data protection and cyber security in recent years? To what extent have these become critical issues for companies today?
Adante: During the pandemic, a sudden and global shift to a ‘work from home’ or hybrid workforce structure exacerbated corporate vulnerabilities. Swift, even overnight decisions regarding technology to support that shift meant expediency often came at the expense of security. Companies must craft a new security operating model to support a more permanent hybrid workforce. While the great ‘reshuffle’ has been a transformational moment for employees seeking new opportunities, it has also introduced significant ‘insider’ risk. We know that employees take company information and intellectual property (IP) with them when they leave. Separately, remote working creates challenges in managing data access and data leakage, and corporate espionage is still a preferred tactic for certain foreign adversaries. Employees often signal intent through anomalous activity, and leading organisations are assessing more comprehensive insider risk management programmes that include not only an information technology component, but also a human behaviour analytics component.
Siers: The pandemic highlighted the increasing speed and complexity of global ransomware attacks, moving malware and ransomware to the forefront of nearly every organisation’s risk agenda. Ransomware now encompasses operational technology, not just information technology, with attacks on elements of critical infrastructure. When the Russian criminal gang DarkSide apologised for its ransomware attack on US gas company Colonial Pipeline in May 2021, it appeared that critical infrastructure attacks finally crossed a ‘red line’. Now, the involvement of non-state or state cyber surrogates in the Ukraine war is raising alarms about cyber space behaviour without norms. Then there are recent deeper threats – where the very software that manages our technology has been infiltrated and causes pervasive risk to secure operations. In countries like the US, where private sector organisations operate a significant majority of critical infrastructure operations, the threat is substantial and the need for effective public-private collaboration is essential.
Summersgill: Cyber insurance is a relatively immature market and has experienced substantial growth in the past decade. Global cyber events and ransomware attacks such as the 2017 NotPetya attack and SolarWinds have resulted in significant and unanticipated claims payouts to victims. Sophisticated threat actors continuously search for the latest exploit to inflict damage, and ransomware as a service (RaaS) continues to mature as a major cyber security disruptor. Insurers have responded by tightening coverage terms and increasing rates. However, the need for cyber risk mitigation is clearly there and many businesses remain uninsured. I expect to see the cyber insurance market evolve and innovate to help protect organisations while also identifying new revenue streams.
Ramaprasad: Organisations around the world have been focused on digital transformation and cloud migration to propel the company forward while embarking on parallel and multiyear enterprise security strategies which usually included the purchase of oftentimes expensive tools. The market is incredibly saturated with cyber security products and services and looks like an alphabet soup of buzzwords like endpoint and extended detection and response (EDR/XDR), identity and access management (IAM), security information and event management (SIEM) and anti-virus software (AV), among others. Over time, many companies fell victim to ‘over-acquisition’ of the latest and greatest security technology and in taking a step back, found that they had not necessarily maximised the value of the technology through proper integration and configuration. As a result, the technology landscape for many organisations turned into a complicated and redundant web of capabilities, potentially exacerbating vulnerabilities and taxing the teams responsible for managing all of it.
Charkova: Sweeping regulations such as the General Data Protection Regulation (GDPR) have played a central role in providing data privacy protections demanded by European Union (EU) private citizens, while providing very specific requirements for processors and controllers of personal data. In the US, states like California, Virginia, Colorado and soon Utah have or will have comprehensive data privacy laws, yet the rest of the US is challenged with a patchwork of privacy provisions, whether governed by a state or superseded by a federal agency like the Securities and Exchange Commission (SEC) or the Federal Trade Commission (FTC). Furthermore, not all privacy provisions seem to be clearly designed for protection of the end-user. This legislative landscape also makes compliance very complicated for businesses, and because of that complexity, organisations – and this is a global phenomenon – have grappled with either absorbing the cost of compliance or submitting to onerous regulatory fines.
FW: How has the topic of transparency changed the game for how organisations think about and execute cyber risk management strategies?
Adante: Companies that collect and process consumer information inclusive of sensitive data such as personally identifiable information (PII) or protected health information (PHI) are subject to not only regulatory scrutiny, but that of a wide range of constituents who have an expectation of transparency in how information is used in the delivery of products and services. Over the last few years, especially in the technology arena, companies have been hiring what is known as a chief trust officer with responsibility to ensure that data collection, storage, protection, processing and dissemination are all handled ethically and responsibly, inclusive of the necessary communications to data owners in order to retain and maintain that trust.
Ramaprasad: Interestingly, alongside the topic of trust and transparency lives a strategy of ‘zero trust’ which, despite the label’s connotation, is founded on principles meant to preserve and protect an organisation’s people, their data and other assets from breach or compromise. Zero trust relies on continuous validation to enable user access to networks and applications, forcing users to perform multi-factor authentication, or limiting access privileges through specific configurations that can only be broadened through request and approval processes. Global companies are really gravitating toward a zero trust strategy as a means of effectively stopping bad actors from gaining access at the ‘front door’ of an organisation. Key for employers is transparency and messaging around the strategy, namely that a few extra validation and verification steps are in place for the protection and privacy of the organisation, its data and its stakeholders.
Siers: The US is seeing a wave of new regulations mandating the reporting of significant cyber incidents and breaches impacting critical infrastructure and proposed mandatory breach disclosure requirements for listed companies regulated by the SEC. The rationale for all of this is of course greater transparency, collaboration and intelligence into the types of threats and attack methods deployed against one critical infrastructure operator to prevent further attacks against another, while the SEC is hoping for greater transparency and insight into listed company cyber security risk management strategies and best practices for the benefit of the investment community. While the specifics of both proposed regulations still need to be defined, companies will need to factor in these requirements as part of their incident response and communications strategy in the midst of a cyber breach.
FW: How much does the C-suite really need to know about cyber security, and what are the key questions they should be asking of their cyber risk managers?
Adante: The old way of managing cyber security risk was to relegate the topic to the IT or information security team and expect notification only if something really bad happened. The proliferation of security incidents over the last decade, certainly the devastating ransomware attacks against global organisations during the pandemic and now the Russian threat of critical infrastructure attacks on North Atlantic Treaty Organization (NATO) countries, has catapulted the topic of cyber security squarely onto the agenda of the chief executive. The chief executive, however, is not expected to be overly technical, but rather to be able to absorb information and ask pertinent questions related to the financial, reputational and operational risk facing the business stemming from cyber threats. Chief executives should be focused on a keen awareness of risk, both internal and external, to the organisation and a thorough understanding of the associated ‘mitigation on investment’ – how has our cyber security strategy and associated spend served to reduce our risk?
Charkova: The unexpected and high-stakes nature of disruptive cyber attacks associated with ransomware and the suddenness with which they reveal themselves has made it clear to chief executives and their leadership teams that preparedness is critical. Ransomware attacks have created existential and very public crises for countless organisations over the last two years – some demonstrated an affinity for managing both the operations and communications response to their specific incident and others struggled to contain the issue and manage the reputational fallout. With those lessons learned, chief executives should be demanding from their executive teams that the company has an appropriate cyber crisis management plan and protocols, and should expect the organisation to test those structures through not only regular and domain-specific tabletop drills, but also through full-scale and immersive simulation exercises that force the executive teams to make hypothetical and existential decisions which impact operations, financials and reputation in preparation for an inevitable breach.
Siers: I am heartened by the unprecedented global level of partnership and information sharing between both the public and private sectors resulting from the war in Ukraine. It is my hope that this level of public-private sector collaboration endures beyond the current crisis as the standard operating model for sharing actionable critical cyber threat intelligence. Chief executives have a role to play in prioritising engagement not only with their counterparts in their sectors, but across sectors and with the public sector agencies in their respective countries responsible for cyber security. In many countries, and especially the US, the private sector operates a significant proportion of critical infrastructure and will likely see evidence of threat intelligence that could benefit not just the sector but the greater good. Chief executives should be asking how best and in which responsible forums can their organisations participate in this cyber collaboration.
FW: Could you outline the main types and sources of cyber risk that companies need to defend against? How can data breach risks be properly identified, analysed and evaluated?
Ramaprasad: All organisations need to safeguard against cyber attacks and data breaches. These breaches could arise from web and mobile application and point of sale intrusions, loss and theft of digital and data assets, card skimming, phishing, insider and privileged misuse, crime, ransomware and cyber espionage activities. Data breach risk, or for that matter broader cyber risk, should be treated as just another enterprise risk that needs to be understood by organisations and reduced and managed to an acceptable level. Mature organisations align cyber risk with enterprise-wide risk management strategy and go through a structured process of data breach risk assessment – typically comprising an inventory of data, systems and users, threat source evaluation, vulnerability identification, risk probability and business and financial impact assessment.
Adante: It is not news that all organisations are at risk of cyber breaches, attacks and intrusions, which are pervasive and growing. However, some sources and threats imply more risk to a company than others. We recommend a careful audit of an organisation’s enterprise-wide risk history for the last two to three years: have most threats been internal or external? Is there significant exposure or previous history of risk materialising from the following areas: HR and conduct, geopolitical tensions, supply chain failure, customer care and recall protocol failure, and regulatory risk? If those are already known gaps or high-risk areas, then the natural transition is a heightened likelihood for the cyber counterparts of those risks: insider threat, geopolitically driven attacks, operational technology or supply chain and vendor breaches, customer data theft, product data or business intelligence data breaches.
Charkova: Data breach risks carry the same impact spectrum as other organisational risks and would benefit from more established enterprise risk management processes. The twist on the traditional impact and likelihood matrix is to add a third dimension: stakeholder expectation. This approach will allow the incorporation of reputational risk and work outside of organisational silos to get to a fuller risk picture. For example, start with identifying the most likely sources of cyber risk, then proceed to how this threat would be identified and escalated within your business, then assess its probability and operational impact. The stakeholder dimension is all about who will care the most, who needs to know first and what demands they may place on the business. An example is the relevant regulator who needs to know about a breach – if the regulator’s demand is not met, the company may face fines and potentially experience difficulty in doing further business.
FW: What steps should companies take to understand whether their cyber security is sufficient to address the data breach risks they face? How important is it to start with a thorough cyber security risk assessment?
Charkova: It is surprising how often organisations assume they understand the cyber security risk facing their businesses and believe they have implemented the necessary technology mitigations and business processes with necessary cyber insurance to stop an attack, only to find that they have suffered a substantial cyber breach in a most unexpected way. This is typically due to the fact that such organisations have not started with a process to fully understand and inventory the critical assets of the firm, followed by an evaluation of their risk tolerance and ability to withstand varying levels of disruption to those assets. While it is nearly impossible to predict every possible variation of cyber threat or data compromise, successful organisations recognise that there are core business functions, sensitive data and intellectual property which must be prioritised and protected based on a threat, vulnerability and risk assessment of probable threats facing the business.
Ramaprasad: Leading organisations increasingly quantify and forecast cyber-related financial exposure. Quantifying cyber risk in financial terms informs objective decisions around targeted investment in IT and digital infrastructure and security-related activities, such as regular penetration testing, refinement of business processes and policy and control frameworks, vendor contract review and onboarding processes (reviewing and modifying contracts with external supply chain vendors and software providers), delivering internal training and communication campaigns and ensuring an appropriate level of cyber insurance coverage. Mature businesses conduct cyber security risk assessments as an ongoing periodic exercise, collecting business inputs, assessing cyber policy and control frameworks and employing quantitative risk modelling of cyber threats, asset types, control levels, historical incidents and cyber actuarial data to gain an objective view of cyber financial exposure. This assessment framework makes cyber assessments data driven and repeatable versus relying on intuition, poorly defined risk scales and misleading indicators.
Siers: I am a big advocate of a focused strategy on supply chain and third and fourth party risk management. Both areas have proven to be a significant source of cyber security disruption and vulnerability for global organisations, and it is imperative that companies dig into current practices to mitigate risk stemming from lax protocols and poor oversight of their vendors and supply chain. A cyber security risk assessment in this regard would include review and documentation of how boards and management teams carry out governance of third parties and supply chain partners, evaluation of completeness with regard to questionnaires or reporting tools, and metrics to assess and monitor third-party and supply chain risk and document compliance, as well as contractual oversight mechanisms. Additionally, organisations need to assess the degree to which the organisation has mitigated against vendor and supplier concentration risk by building in necessary redundancies and diversification.
FW: What essential advice would you give to companies on implementing effective frameworks, policies and processes to enhance cyber security and reduce their chances of suffering data loss?
Adante: The most useful advice we can give to businesses is to recognise the need for cyber resilience over cyber security and get on the resilience train as soon as possible. Cyber security means having the technology in place to mitigate, intercept and manage attacks, breaches and intrusions. This is now a bare minimum and can be compared to basic fire safety with extinguishers and evacuation plans on every office floor. Moving to a position of cyber resilience requires organisations to have the technology, the experts, the culture – all driven by leadership commitment – to successfully manage attacks when, and not if, they happen. Cyber resilience is now a critical part of organisational resilience and needs a permanent spot under the resiliency umbrella, alongside and within enterprise risk management, crisis management, business continuity, crisis communications and physical security.
Charkova: Effective frameworks and policies are built on your cyber principles. These are the core cyber values that a company will commit to at peacetime and are your north star when the speed and scale of a crisis will force business-critical decisions. At the outset, take considered time to determine communication thresholds – at what point does the organisation communicate internally and externally regarding a breach? It is equally important to consider the pay or not to pay policy in the event of a ransomware attack or extortion. ‘Not to pay’ is a fine place to start, but at which point will this be waived – when human life and safety is at risk, or when the organisation faces a business continuity armageddon?
Ramaprasad: Successfully growing a strong culture of cyber resilience is the best investment organisations can make right now. Prioritising this effort with funding, time and dedicated people to drive it forward will have a disproportionately positive impact on companies by reducing cyber risks – 95 percent of all successful intrusions have a human error factor – and future-proofing the organisation. However, it is important to understand the objective – what is a culture of cyber resilience and how do we get there? This is where we can learn from industries that have created a phenomenally pervasive organisational subculture – the culture of safety. All heavy-industry companies have floor safety wardens, begin every meeting with a ‘safety moment’, and prioritise safety incident reduction over most key performance indicators. This is the kind of loyalty and allegiance-driven culture we need to get to with cyber resilience.
FW: Amid global upheaval and uncertainty in the wake of the coronavirus (COVID-19) pandemic and the war in Ukraine, how do you expect cyber security risks to evolve over the coming months and years? What trends do you expect to emerge in the post-pandemic business environment?
Summersgill: The pandemic and the war in Ukraine have brought cyber security risk to the forefront of boardrooms around the world. We have seen a recent rise in cyber regulations, but I would expect these to continue to evolve and become more specific against new threats as they emerge. We have also seen, ahead of the war, countries working together to share cyber defence resources to ensure allied countries are adequately protected. The EU recently announced new bloc-wide cyber security regulation focused on streamlining member countries’ approaches to information categorisation and practices. If this proves successful, expect to see similar shared regulations in different regions. Insurers have a huge role to play in helping businesses proactively manage their cyber risks. By working with cyber risk management specialists, companies can both reduce their risks and obtain insurance coverage which meets their needs. Complacency in cyber risk management will likely result in tighter insurance coverage, which could leave gaps in companies’ cyber risk management strategies if not addressed.
Charkova: Disinformation and misinformation, especially with the use of artificial intelligence (AI), metaverse and deepfake technologies, are a popular item in the cyber attack delivery package and set to become even more common. This approach makes it ever harder to distinguish real content from fake and exponentially increases the attack surface area. Recent examples of this include a deepfake video of Volodymyr Zelenskyy, the Ukrainian president, calling on his troops to surrender to the Russian army, and anti-vaccine content falsely declaring that coronavirus vaccines cause infertility in women. This is where regulation needs to catch up, as disinformation is classified as ‘harmful, but not illegal’ content, while the delivery of misinformation campaigns uses darknet forums and illegal marketplaces. Expect to see disinformation becoming more convincing and pervasive before there is enough globally consistent regulation to deter this trend.
Ramaprasad: Emerging technologies such as quantum computing, generative AI and graph technologies present exciting opportunities for global organisations in terms of growth and innovation, connectedness and greater efficiencies. Those same outcomes will also benefit end-users whom those organisations serve. Digital transformation continues to be an evolutionary strategy for many companies either already on the transformation roadmap or just embarking on it with the goal of integrating digital technologies into all aspects of business operations. These very same advances come with commensurate cyber security challenges – fully digital operating environments must have the requisite security to mitigate against compromise and reinforce trust, and organisations embracing ‘yet-to-market’ emerging technologies are challenged to anticipate and prepare for cyber risk associated with untested new technology and applications.
FW: What do you consider to be best practices for C-suite executives when it comes to managing cyber incidents and data protection? What should they do, and what should they avoid doing?
Adante: Success in a cyber crisis has two main ingredients: positive leadership behaviours and the muscle memory to recreate them at every crisis. When it comes to an existential cyber breach, the chief executive owns it like any other major crisis. The chief executive creates the atmosphere and culture in the war room by doing everything it takes to get the team through a potentially long and tiring slog, during which the team will likely experience depleted systems, loss of trust and deep exhaustion. The leader behaves with empathy and enforces a no-blame culture. Determining responsibility, ownership and accountability are activities for when the acute crisis has been managed. These admirable leadership behaviours are only possible in an organisation with a resilient culture that holds regular crisis simulations which recreate the internal and external environments as closely as possible. High-pressure practices build muscle memory and create lasting bonds within a crisis team.
Siers: When it comes to managing cyber crises, we often see a tug of war between two strategies: containment and transparency. Given the significant legal reporting requirements and regulatory ramifications of cyber incidents, it is critical to first understand external reporting obligations and to ensure that incident management does not end up creating an untenable situation with regulators and law enforcement. Once those parameters are met, companies should carefully navigate a middle ground between containment and transparency. Our advice is to always prepare for a strategy of ‘precautionary transparency’ – an approach that provides some detail, is responsive to regulatory and legal requirements but allows flexibility should the situation get worse.
Charkova: ‘Suffering data loss’, ‘falling victim to a cyber breach’ or ‘getting attacked’ are the common ways for companies to communicate around cyber incidents. However, it is our view that pulling the victim card is the fastest road to alienating customers and users, losing control of the narrative and inviting internal and external scrutiny. Although attacks and intrusions feel like a violation, the victims are always those who have been impacted through this data breach or loss. The gold standard for a response sequence in a cyber crisis is the 4Cs model: concern for those affected, immediate steps to secure systems, limit impact and communications with stakeholders, plans and steps to reduce the chance of another occurrence, and an appreciation of the complexity of the issue and impacted, isolated systems. Do so with care, as context is often used as an excuse or permission to fail.
Summersgill: A neglected component of cyber crisis management is the post-crisis activity. Tired leadership teams may shrug off the crisis memories and resume operations as quickly as possible, potentially leading to similar patterns when the next breach comes. It is important to make time for ‘hot’ and ‘cold’ debriefs. ‘Hot’ debriefs help address ongoing challenges to limit impact on the next phase of the incident. ‘Cold’ debriefs are longer sessions, usually during the recovery phase, to jointly assess and improve systemic cyber resilience challenges and feed successes back into the risk management process, completing the cycle. It is also critical for management to plan for the worst – assume a major breach will threaten the survival of the business. Thorough, robust contingency plans should be in place and understood throughout the business so they can be implemented when the disaster happens. Regulators are also expecting such plans to be maintained.
Courtney Adante is the president of Teneo Risk Advisory, and in addition to managing all aspects of the division, she supports Fortune 500 clients with issues of resilience and business continuity in the face of crisis. With two decades of experience in financial services and consulting, she has helped clients manage continuity of operations through a range of crises, whether related to cyber breaches or other man-made or natural disasters. She can be contacted on +1 (212) 886 9370 or by email: courtney.adante@teneo.com.
Alisa Charkova is senior vice president of Teneo Risk’s global crisis management practice. In her role, she works with C-suites, market teams and specialist functions of global organisations to prepare for and manage crises. This includes reputational and operational risk advisory, crisis system building and organisational design, crisis leadership coaching and hyper-realistic simulations. She can be contacted on +44 (0)20 7260 2783 or by email: alisa.charkova@teneo.com.
Rhea Siers is a Teneo senior adviser with more than 30 years’ experience in the US intelligence community. She formerly served as the US National Security Agency’s deputy associate director for policy leading operational and cyber intelligence production, and as an attorney in private practice. She has served as a cyber security defence executive with Bank of America and is a professor of cyber security risk and threat for George Washington and Johns Hopkins Universities. She can be contacted on +1 (301) 602 0177 or by email: rhea.siers@teneo.com.
Mick Summersgill is a senior managing director with Teneo Financial Advisory based in London. Prior to Teneo, he was a partner in Deloitte’s restructuring business focused on financial services. He has over 20 years’ experience in the insurance industry working both within the Big 4 and as part of management teams within insurance companies. Prior to joining Deloitte in 2020, he was COO of a global specialty insurer with Lloyd’s, company market, and US underwriting platforms. He can be contacted on +44 (0)20 8052 2384 or by email: mick.summersgill@teneo.com.
Suraj Ramaprasad is a managing director with Teneo Management Consulting, focused on digital transformation advisory. His client work centres largely around the CXO digital transformation agenda. He works with senior client executives to identify innovative propositions in the digital domain that unlock business value through revenue or cost plays, including ‘agile’ business and technology capabilities needed to thrive in the digital age to shape the transformation agenda and sell the case for change. He can be contacted on +44 (0)20 7398 2382 or by email: suraj.ramaprasad@teneo.com.
© Financier Worldwide