Cyber security is among the most pressing issues facing the corporate world today. Now more than ever, a cyber attack is an omnipresent threat, requiring organisations to fully appreciate the risks and the steps needed to mitigate them. Whether the source of an attack proves to be a sole hacker, a criminal gang or a group of political activists, the consequences for firms that fail to implement robust cyber security measures are stark – ranging from severe operational disruption to irreversible corporate decay.
FW: How would you describe the magnitude of the cyber security threat currently facing companies today?
Wall: The threat is significant and growing. The pace of technology change is presenting a higher level capability of both tooling and power that is increasing the number and type of threats and actors. At the same time, the expansion of technology and digital services across society is providing more channels for attack that have greater collective impacts on these services. While there have always been individuals and groups of people willing to attack, the scale is certainly higher now that society is more computerised and digital.
Kaspersky: A really bad cyber attack has the potential to derail a business and cause immense damage, or even destroy it. Everything is digital today and our dependence on IT systems makes the risks potentially very high. Admittedly, there are not many scenarios in which attackers would choose to destroy a business or even have the tools to do it, but companies need to understand that worst-case scenarios do exist. On a different, less existential level, the threat can vary in magnitude. Generic ‘mass-market’ attacks do not pose much danger to large companies with developed cyber security capabilities; however, a ransomware attack on a small or medium business can be very painful. If we speak about high-profile advanced targeted attacks, they pose a significant threat, even to advanced businesses with high levels of cyber security. Just a few years ago this was a problem largely limited to government level espionage. Today there are more and more criminal APT-style attacks with the clear goal of stealing or extorting money.
Lo Cicero: The magnitude of cyber security threats currently facing today’s companies is well documented in the media, due to coverage of large scale attacks, particularly those that resulted in the disclosure of personal data or blacked out parts of the internet, for example. These are simply well publicised ‘tip of the iceberg’ incidents; the majority of attacks either do not receive the same level of media attention or are not being publicly disclosed. The full magnitude of these attacks becomes more tangible to executives of companies that capitalise on their intellectual property when considered within the context of corporate cyber espionage and internal threats. Anything that has value and can be monetised is a target, which can have a dramatic effect on a company’s economic viability.
Marguinaud: Seemingly ever present in the media, this new type of crime is on the rise and has made a considerable impact. Sony, Target and Stuxnet are just a few of the companies that have recently succumbed to a cyber attack. The magnitude of these attacks is often severe and they frequently result in companies suffering harsh consequences such as financial losses, redundancies or even bankruptcy. IBM chief executive and president, Ginni Rometty, recently said that cyber crime “may be the greatest threat to every company in the world”. And, according to a recent study conducted by Forbes, the cost of cyber attacks could reach $2 trillion by 2019. The threat posed by cyber attacks is very real and potentially very harmful, with cyber risk being identified and ranked as one of the top 10 risks of 2016 by the World Economic Forum.
Lehmann: Given that the most sophisticated attackers will always be at least one step ahead of the providers of security services and the IT department of a company, no company can expect to successfully repel every cyber attack. Since we know that attackers have gained the capability not just to steal valuable data, but to capture all IT landscapes or even destroy physical infrastructures, the magnitude of the current cyber security threat cannot be overstated. Every company has to prepare for the worst by drafting an emergency plan and training decision-makers.
Elmer: Cyber security threats are becoming more and more significant for companies across all industries, as a result of companies’ reliance on business technologies, combined with the increased sophistication of cyber criminals and hackers. Cyber security is impacting businesses across the spectrum from very basic attacks such as Distributed Denial-of-Service attacks and phishing, to more sophisticated and long term cyber espionage incidents.
FW: In your opinion, how vulnerable are companies to attacks such as data theft and hacking, computer network interruptions, privacy violations and other system breaches?
Kaspersky: There are still many vulnerable companies, although many are making progress and are better prepared than just a couple of years ago. Companies increasingly understand they need to be protected, but their adversaries – small and agile groups of hackers – are increasing their knowledge at the same time. The problem is that the IT infrastructure we use remains inherently vulnerable. There are zero-day and simply un-patched vulnerabilities in software, and assorted weaknesses in network architecture that can, and will, be exploited. People are still a weak link and ‘spearphishing’ remains effective. The growing role of the Internet of Things, and the various new devices that are included in network perimeters certainly do not help. A further problem is that computer crimes too often remain unprosecuted. Even if an attack is thwarted, criminal hackers go back to the drawing board – not to prison.
Marguinaud: Companies are becoming increasingly vulnerable to attack. Cyber risks no longer represent a static threat; they are constantly evolving. The growing infiltration of, and dependency on, the internet, along with new trends such as the Internet of Things, is changing the ways in which we do business and at the same time widening the area of opportunity for hackers to attack. This exposure is not only related to technological advances, but is also deeply linked to a lack of awareness and overall low maturity level in terms of digital environments. That is why social engineering attacks are currently so successful.
Lo Cicero: Most companies are vulnerable to attacks to one extent or another. The level of a company’s vulnerability is directly related to organisational and infrastructure complexity, the narrowness of their attack surface, as well as the completeness of their ‘defence-in-depth’ approach. While the perimeter is generally the most secure aspect of a company’s infrastructure, because of the attention and security hardening it receives, it is the other middle layers in between the perimeter and the targeted ‘golden eggs’ of information which are of most concern. The three primary vectors used as a springboard for cyber attacks continue to be email, USB and the internet via browsing. Shoring up both technical and non-technical protection mechanisms is very important as those are direct entry points, perhaps inadvertently facilitated by internal staff.
Lehmann: Companies are vulnerable to attack from the outside and within. Recent surveys show that there are still many companies that see cyber security and data protection as an impediment to successful business performance. Even if companies try to achieve maximum security against attacks from without, there is still the risk that a member of staff, either willingly or unwillingly, will compromise the company’s security and will steal or leak valuable data. The reason for this is not just the fact that companies often do not recognise the importance of security training and rules for staff, but also that sophisticated attackers will try to trick members of staff into leaking data by sending them emails that mimic authentic communications from superiors or people with whom they have a business relationship. Experience from recent attacks shows that these attacks can catch most people unawares.
Elmer: Companies are undeniably vulnerable to breaches from a variety of entry points. Vulnerabilities can be through payment channels, procurement, third parties, sales transactions or financial information data of companies or their customers. Companies can follow best practices and try to firm up their risk posture, but it is unwise to believe that a breach cannot occur. In most cases, it is question of ‘when’, not ‘if’.
Wall: Recent high profile attacks show that everyone is potentially vulnerable. Examples include the US Office of Personnel Management, TalkTalk, Tesco Bank and Sony. ‘Old’ style hacks and tactics still seem to work on some modern sites, so many business and security personnel do not appear to grasp security issues particularly well. Evidence shows that good housekeeping, such as updates, patching and hardening, are not being done by default or in a timely manner. This lack of consistent approach to security architecture will inevitably create gaps in security controls that are ripe for exploitation. With the magnitude of automated probing being performed on internet-facing systems, ready for more detailed follow up, it would be a brave company that failed to factor this into both design approaches and designing security basics.
FW: Would it be fair to say that, in general, organisations are still not up to speed on detecting security breaches and privacy risks quickly enough, let alone dealing with them effectively?
Marguinaud: I am not so pessimistic. There are companies that have implemented quite impressive detection and prevention solutions. Interestingly, however, this unexpected maturity is mostly born from previous bad experiences or is due to very sensitive and highly exposed business activities. That said, many companies, predominantly small to medium enterprises (SMEs), seem unaware that they even face a cyber threat. Many SMEs fail to invest sufficiently in detection tools and believe that an attack will not happen to them. According to a 2016 Verizon study, four out of five victims of a data breach do not realise they have been attacked for a week or more after the fact. In 7 percent of breach cases, the attack goes undiscovered for more than a year.
Lo Cicero: It would be fair to say that time to detect and respond is lagging behind what it should be in order to block or minimise impact and facilitate recovery. Technical and non-technical protection mechanisms are important, but not foolproof, therefore ensuring comprehensive and effective detection capabilities, the next level of a ‘defence-in-depth’ approach, are in place is critical. Detection is one of the most technical and resource intensive aspects of a defence plan, and, as such, although most companies can and do implement appropriate technical systems, effective internal active management of those detection systems, for the purposes of appropriate response, is beyond the capability of most companies. This is one of the reasons why breaches sometimes go unnoticed for months or years, despite detection systems having identified suspicious events and why many companies choose to outsource active management of those systems, along with initial first level response.
Lehmann: There are some companies that are of the opinion that security measures are a burden and do not offer necessary protection. However, there are companies that are careful when it comes to securing their IT against attack. These companies not only put a lot of effort and money into their cyber security provisions, but have established reporting lines that make certain, as far as possible, that hints of cyber attack are detected and senior management alerted quickly. The major task in the future will be to reduce the number of the former companies and increase the number of the latter.
Wall: Modern thinking is that organisations should plan to be attacked and develop playbook responses to contain, reduce impacts and recover quickly to minimise business disruption. High profile attacks, and the legacy of those attacks, show that organisations are not detecting attacks quickly enough, are slow to respond to these attacks and do not understand the impact of an attack on their business once it is underway. This is probably due to poor planning.
Elmer: Companies need to recalibrate their approach to cyber security breaches by accepting that they are vulnerable to attacks, and implement the relevant policies and safeguards accordingly. It is imperative that firms implement a programme that involves both procedures and technical tools. Companies should also work through an incident response plan, practised via a table top exercise, to ensure they know how to effectively respond to a security compromise.
Kaspersky: There is visible progress in this area, but many companies are lagging behind. The trend today is that many companies are re-thinking their cyber security budgets and approaches. Previously, they were spending most of their money on the prevention of attacks, like endpoint protection. While still extremely important, it is a good idea to re-think this approach and to invest more in prediction and detection capabilities, as well as in response procedures. Even the best endpoint security is unable to prevent every attack from getting inside the network, so early detection of anything able to breach the company’s defences could be vital. There are advanced technologies and solutions for this, such as anti-APT systems, but they remain far from universally applied.
FW: What methods can companies use to evaluate their cyber risk exposure and determine the most suitable countermeasures to employ?
Elmer: As a best practice, many companies will engage a third party to review their risk posture. This exercise can then be used to determine where gaps in the programme may exist, and utilise the third party to provide recommendations on the best avenues to address these gaps.
Lehmann: The biggest and most common mistake when it comes to evaluating cyber security is to ask the internal IT department. It is obvious that the people responsible for maintaining cyber security will not question their work by pointing out possible vulnerabilities. Therefore, the assessment of cyber security should at least be undertaken by bringing in someone from another department of the company or, often even better, by bringing in outside experts. The latter also applies because the internal IT department often has no experience with the consequences of a successful attack, while experienced advisers know what happens when security measures are compromised. Experienced advisers will not only have a view on a single company but will offer comparisons to other companies in order to more easily detect weak spots.
Kaspersky: We recommend companies use an expert third party company for a good cyber security audit. It should start with an all-round security assessment of all your network assets. Thorough penetration testing should also play a central role in such an exercise. It can show vividly the weak points of the corporate infrastructure. A good team of experienced white-hat hackers can really make a difference in improving corporate cyber security. We would also recommend reviewing how existing security operations are organised and operated; check available capabilities and how adequate they are, and test existing response and detection procedures. Such an audit would provide a very good basis for improving defence capabilities.
Wall: Better assessments are needed as part of system developments. Changes must also be made to help identify the threat, the threat vectors and how attacks can be detected through improved or focused monitoring and control systems. These assessments must be linked to what the business values most. Security is not without standards, and approaches to evaluate cyber risk include NIST, ISO, C2M2 and ISF, but those security measures selected should best fit the organisational approach and culture to maximise its effectiveness. Most of these approaches develop threat and risk models that create controls for consideration, but the key is how an organisation interprets these and then implements them effectively. Regulation-driven assessment also plays a part. So, for example, in privacy terms, the new EU General Data Protection Regulation (GDPR) will raise the bar above the Data Protection Act (DPA). As a result, attacks on personal data will have both a high cost and high reputational impact. Better controls will therefore be needed to secure that type of data.
Lo Cicero: A common means of evaluating cyber risk is through an assessment and potentially via a more technical security auditing and penetration test, in order to develop appropriate risk based cyber security and data privacy improvement roadmaps or plans of action. The scoping of the assessments and audits, in terms of target – what areas are being assessed or audited – as well as breadth and depth, will have a direct correlation to both the completeness of the exposure discovery across the entire organisation, and the variety of countermeasures recommended to be deployed. The eventual prioritisation – or elimination from consideration – and execution of those measures would be contingent upon several factors, including the organisation’s compliance requirements – internal and external policies, standards and regulations – and the company’s risk appetite and maturity goals.
Marguinaud: As with any risk, a company should first determine its related expectations in order to establish a clear risk strategy. It is crucial to map out key assets, potential threats and existing vulnerabilities to identify the risks. Only after that process has been completed should companies work on risk mitigation, as well as determining suitable risk transfer solutions. There are several methodologies and standards to guide companies in addressing cyber risks, and some of these tools have even been customised for different sectors. Companies should select the most appropriate methodology or standard, and then work with a cyber specialist to tailor an appropriate cyber resilience strategy. Every company has different cyber risks, so one size definitely does not fit all.
FW: How should companies initially respond to a cyber attack, in order to maintain confidence and credibility in their daily operations?
Lehmann: There are some rules that will help in every case. Firstly, the most important task is to mitigate the consequences of the attack and, if possible, stop the damage of the attack from spreading. Sometimes companies concentrate on finding out who is responsible for the attack, which does not help with the defence. Second, in the case of a major security breach, there is the question of whether and how to address the public. Any major attack will naturally result in reduced business performance or even a shutdown of the business for some time, which, if the company is successful enough, cannot go unnoticed. The best way to lose the confidence of customers and the public is trying to hush up things for too long and only to offer information that is already publicly known. Instead, an adequate measure of transparency is often the right approach. Finally and naturally, the best way to deal with the crisis is to prepare beforehand.
Kaspersky: Companies should assume that a cyber attack and resulting breach will happen one day, and prepare as if it was inevitable. It is important to keep various detailed logs for further investigation, so we recommend always keeping records of what is going on in the network. Response speed matters, so one needs to act quickly. The first step is to contain the breach, which may require suspending some sections of the network, assessing the damage and starting to fix everything. The next step is to initiate an investigation, report to the relevant authorities, and manage the PR around the case. Be mindful that a breach will cost you dearly even if you manage the response well.
Wall: Incident response is a growing area and is an important component within an organisation’s security control capability. Knowing that you will be attacked and planning for this, testing cyber protection plans and evolving them as the threat develops, is critical to minimising disruption. The first thing an organisation should do is build a response capability and then test it rigorously across technology, people and processes. Following this process will help build confidence and credibility that your company is prepared. The aim must always be to identify the attack vector and the signs of attack, contain the attack, purge it from organisational systems and then recover. Without these tested plans, an organisation can only respond in ad hoc ways, determining the protocols and response activities as it goes, without optimising the results. The negative business impacts in these circumstances will certainly be higher and last longer.
Lo Cicero: Companies should have properly prepared, comprehensive incident response, IT disaster recovery and business continuity plans, which are regularly tested and undergo iterations of refinement with the active support of multiple departments in addition to information technology, such as legal, enterprise risk, crisis management, communications and human resources. Even among companies with plans, many do not test the complete plan, and instead choose to periodically test relatively simplistic elements, such as restoration of data or recovery of a handful of systems, without having any executives or critical decision makers involved in the scoping, planning and execution of plan testing, thereby leaving a great deal to be desired in ultimate effectiveness if the need should arise.
Marguinaud: Most companies will experience a cyber attack at some point. They must be ready for it. Their ability to maintain confidence and credibility will depend largely on how well prepared they are to absorb any impact and maintain continuity despite the incident. That is why companies need to work on their business contingency plan and define a clear incident response plan (IRP). Without these, companies may either fail to detect, contain or quickly recover from a cyber attack. These plans need to be fully tested and continually reviewed and updated, in line with the evolving risk landscape. Several studies show that companies with a tested cyber IRP respond much better to a cyber related crisis.
Elmer: Companies should consider employing the following strategy after an attack: activate the incident response team, contain the attack, secure assets, investigate and record, assess responsibilities as per regulatory compliance and the company’s own concerns, and communicate. This strategy allows companies to address the attack and its implications in an immediate and comprehensive way.
FW: With the uptick in cyber security threats having led to a more stringent regulatory environment, how are companies coping with greater compliance requirements? How should they go about managing the cost and complexities involved in fulfilling their obligations?
Elmer: Regulation is definitely driving the cost of compliance and this spend is not going to decrease any time soon. Companies do not have a choice once the regulation has been passed, and complexities will always vary from firm to firm. As more companies adopt a standardised technology stack, this could potentially make the exercise less complex and daunting.
Lo Cicero: Dealing with myriad compliance requirements has become the cost of doing business. Thankfully, regulatory requirements are rarely more onerous than related good practice or international standards which companies should be following anyway as a matter of appropriate due diligence and fiduciary responsibility. That is not to say that there is no burden. One-to-many relationships exist across these various information and cyber security, data privacy and critical infrastructure protection regulations, where many of their requirements are identical, similar or overlapping. These can be mapped accordingly and, to a certain extent, addressed once to comply with many. The real complexity lies in the level of integration that exists between the various interrelated compliance, legal, risk, privacy and data security functions, so that parallel and overlapping efforts are cohesive rather than run in silos.
Marguinaud: Strengthened data protection legislation means companies have to adapt their business models and processes to be compliant. The best way to manage related complexities is to seek legal advice and to plan ahead. For this, a top-down approach is crucial. Make sure that the design and enforcement phases are approved and coordinated between the board, top management and internal legal counsel. Changes take time to implement, and while many large companies are already in the midst of change, SME and mid-market companies seem much slower in acknowledging the need for change or taking any preparatory steps towards it. Adaptation may increase costs, but it is important not to underestimate fines and penalties being imposed by official bodies for non-compliance – up to $1.8m for corporations in Australia or up to 4 percent of annual worldwide turnover according to the new EU GDPR.
Wall: I would not necessarily agree that there is a more stringent regulatory environment. Rather, legislation affecting computer systems and personal data has evolved over several years to what it is today – for example, the Computer Misuse Act, DPA, Payment Card Industry Data Security Standard, SOX and others. Compliance in most organisations is an ongoing challenge: getting visibility, obtaining appropriate funding, establishing and running a programme and keeping to it, as well as educating staff that following processes and demonstrating compliance is important. However, we are seeing organisations pay little attention to compliance, and even being grudgingly forced to do it to enable continued operations. It is rarely a board level issue that attracts profile and funding. Even in the hands of compliance practitioners, it often defaults to checklist audit approaches. Better linking of compliance to business outcomes, and higher visibility at senior management level, would increase the rationale and understanding for performing it.
Kaspersky: Compliance requirements are often very helpful in improving cyber security. Sometimes they also drive up costs. Obviously, rising costs are not something to celebrate, but regulations normally represent just the bare minimum of cyber security anyway. Meeting such basic requirements is a good idea for ensuring a basic level of protection for an organisation, but by no means would it make a company completely safe from cyber attacks. With all the complexities of being compliant, particularly in heavily-regulated industries, it is really important not to limit the whole cyber security effort to just meeting these requirements. The threat landscape can change faster than the rules.
Lehmann: Companies often try to cope with the new requirements by putting more people to the task and by spending more money. This is, of course, not a bad thing, but equally important is raising the awareness of all the staff in the company and, if applicable, third parties that have access to the company’s IT. Then, at least from a German perspective, it is necessary to contact the relevant governmental authority, the Federal Office for Information Security, in order to address questions and to find a reasonable way of dealing with the legal requirements. German regulatory bodies in the field of cyber security and data protection are open to reasonable solutions. They are even willing to take economic necessities into account.
FW: When reviewing their extant systems and controls, what key questions should companies be asking to ensure their security framework is properly assessed and policies and procedures are satisfactorily implemented?
Lo Cicero: There are a number of key questions regarding the framework and whether it has been properly assessed. Firstly, is the framework based on an internationally recognised framework or methodology commonly used in the company’s industry? Has the organisation been risk assessed and audited for security vulnerabilities, and the findings used to develop the framework’s associated programme of improvement activities? Does the capability exist for automated and continuous maturity level monitoring and dashboarding, based on recognised metrics that represent organisational risk posture? Questions should also be asked about whether the policies and procedures are being satisfactorily implemented. How well ingrained is the education or awareness of organisational policies and procedures? Does the capability exist for automated and continuous monitoring of compliance with policies and procedures, or against recognised good practice benchmarks? Finally, how is discovery of noncompliance addressed and how are exceptions tracked?
Marguinaud: Aside from their initial cyber risk assessment, companies should seek advice from external experts when reviewing systems, controls and policies. Setting up a board level cyber committee is now popular practice in large corporations. These committees assess the relevance of existing protection plans, which is very helpful. Companies should also conduct a series of virtual or physical penetration tests, in order to highlight weaknesses. Last but not least, it is crucial to design and set up a cyber resilience continual improvement strategy, as technology, people and processes will all change along with the evolution of the business. All of this takes time and money to implement, but a full understanding of how inadequate protection can impact the company will allow the board to evaluate the cost against the growing exposures they face.
Wall: Organisations should work out what they really want to know about their systems and controls, rather than just undertaking ‘going through the motions’ reviews. Selecting the most appropriate measures and assessing these is difficult to do in a meaningful way. The key objective is to confirm that the controls are in place and are effective. Companies should utilise focused selected data that measures this effectiveness. In other words, they need to make sure they pick the right KPIs, collect the data and analyse and interpret it properly.
Kaspersky: An audit of the security framework would include a pretty long list of key questions. But it is a good idea to understand why the company is conducting a review. Is it purely a compliance issue, or do you want to achieve a competitive advantage by having a robust and resilient system?
Elmer: When looking to a third party to provide an assessment of their security frameworks, companies should take a vigorous approach to evaluation. Specifically, they should ensure that the third party is looking at their access controls, service level agreements and vulnerability assessment programme. Other key questions companies should be asking are whether the third party has tested incident response, are they monitoring the company’s environment proactively, and are they mitigating potential vulnerabilities by conducting scans on a regular basis?
Lehmann: The first key question is whether the current security against attack from external actors complies with the industry standard. If that is not the case, then the company’s cyber security definitely needs an upgrade as there is no excuse for not complying with the current standard. The second key question is how the company is going to maintain the standard once it has been achieved. Security measures need consistent monitoring and upgrading. The third question regards staff and their awareness of cyber threats. A final question is whether there is an emergency plan and whether staff have been evaluated by a test alarm.
FW: To what extent is cyber security, as a risk management item, climbing the boardroom agenda? Are you seeing more organisations creating clear cyber policies and disseminating them from the top down?
Marguinaud: Boardroom awareness depends on company size, sector and operating territories. Inevitably, an intuitu personae factor will also affect risk sensibility and the priority given to managing cyber risks. Companies in countries with restrictive cyber legislation or that offer a highly litigious environment or operate in industry sectors that are frequently targeted – such as financial institutions, healthcare or retail – increase the involvement and willingness of any board to address cyber issues. In most cyber mature organisations, these risks will be put on the agenda before they become the agenda. Unfortunately, companies – particularly SMEs – often ask their IT departments to deal with cyber security, focusing only on a technology based solution, whereas an efficient cyber resilience strategy should also encompass people and processes. Of those companies that do release cyber policies and procedures, very few disseminate them appropriately or involve specific training.
Kaspersky: Cyber security is certainly very high on boardroom agendas today, which was not the case just a few years ago. Companies in those industries that have been affected by cyber attacks are putting a lot of effort into developing better policies with regard to cyber risks. And there are not many industries that remain unaffected.
Elmer: Cyber security has now become a permanent fixture on board agendas. Companies are recognising that a compromise of their environment can have a major impact on everything from day to day operations, shareholder value, investor redemptions and public relations. A strategic and comprehensive programme should always be driven from firm leadership and senior management. Board member buy-in is integral – not only in making a stringent cyber programme effective, but also to ensure organisational awareness of vulnerabilities and the adoption of policies.
Lehmann: While cyber security has probably not gained the top position of every agenda, it has certainly climbed up the ladder. Due to recent successful cyber attacks in Germany over the last few months, several complete IT landscapes have been captured and their owners had to pay a lot to regain control. Also, we know now that it is possible to destroy physical infrastructures using cyber attacks. Most companies, therefore, are putting far greater effort into maintaining their cyber security provisions. Companies also tend to appoint more people responsible for IT security, particularly at higher management level.
Wall: Cyber security is moving up the agenda, but not quickly or highly enough. In many ways, security is still often thought of as a technical IT concern rather than an overall risk management one. However, we are seeing more organisations integrating cyber security as a core part of their overall organisational risk management programmes. Without this, security is effectively implementing point solutions for specific issues. Enlightened organisations will also want to align their cyber security spend so that it maximises return in the areas they most worry about – the holistic view driven by threat and risk. Many companies are starting to elevate cyber up the agenda through formal risk appetite analysis, which feeds risk management based on organisational assets worth protecting.
Lo Cicero: Cyber security has been steadily climbing the boardroom agenda, and is receiving additional focus so that, in many cases, the issue has escalated into the top 10 of many enterprise risk registers. In addition to boards and audit committees now regularly asking for periodic updates on the ‘state of information security’, many companies have begun to restructure their governance and compliance functions accordingly, to ensure appropriate controls are in place and conflicts of interests minimised. Although we do see more organisations expanding on and clarifying their acceptable use policies (AUP) to encompass cyber and social media, the majority of what is now being created and disseminated is more detailed internal information classification or handling and operational security standards and procedures to set clear global expectations and baseline requirements for informational and technological assets.
FW: Could you outline the main risks that cyber issues pose to D&Os on a personal level? What measures should a company take to ensure that robust D&O liability cover addresses cyber security and data breaches?
Wall: The one clear item that stands out is ‘cyber understanding’. If D&Os do not really understand what they are dealing with in a cyber context, then they are not likely to make the best choices in response or liability terms to protect themselves and their company. Key measures include senior management awareness and training to highlight impacts and consequences, risk assessments that potentially quantify cyber issues and risks as input into insurance considerations, regular reporting on the state of cyber security controls, and risks within the context of organisational risk management. Tailored knowledge is critical to enabling appropriate decision-making.
Kaspersky: As managers of Sony Pictures learned the hard way, a data breach may mean that all your business emails, which you believed to be private and confidential, can be exposed to the public, and whatever stupid things you might have said about a colleague can be exposed publicly in newspapers. A truly damaging breach would stick to the name of the company, and affect the future careers of the relevant managers. There have been lawsuits, like in the Target case; however, no directors or officers have been found liable for a data breach.
Lehmann: Personally, the greatest threat to D&Os from cyber attacks is the damage inflicted when a company is attacked. If it turns out that the security measures in that company were insufficient, the owners might question why their security measures were below-standard. Since D&Os in Germany are by law bound to protect their company against any harm, a successful cyber attack might be an indication that the people responsible neglected their duties. Under German law, the D&Os responsible would have to demonstrate that they applied the necessary care, or that the damage would have occurred even if they had applied the necessary care. This can be an uphill battle, particularly in court.
Lo Cicero: As an example, subsequent to the cyber attack at Target, which resulted in a breach of financial and personal data, a proxy adviser urged shareholders to overhaul the company’s board and vote against seven out of 10 directors “for failure to provide sufficient risk oversight” as members of the audit and corporate responsibility committees. This was in addition to both the CEO and CIO resigning. When you couple that example with the fact that new information security and privacy laws in certain countries have provisions for personal liability of company D&Os, you can begin to comprehend the potential impact. The most effective measure is simply to ensure that indemnity coverage of personal fiduciary liability, which is neither inexpensive for a company to obtain nor a silver bullet remedy, is provided.
Marguinaud: Given that D&Os need to act in good faith for the success of the company, we can easily assume that denying or underestimating the consequences of any cyber threats could lead to claims made directly against them. In some countries, legislation makes the appointment of a chief data officer (CDO) who bears responsibility for the enterprise-wide data and information strategy, governance, control and exploitation, mandatory. The liability of the CDO can be sought for any failure to comply with legislation, so it goes without saying that such situations should be covered under a D&O insurance policy. Every company should perform an insurance gap analysis to make sure that there are no coverage gaps between their different policies – D&O, cyber, PI, MDBI, and so on – and adapt the scope of each policy accordingly.
FW: What final piece of advice can you offer to companies seeking effective strategies to mitigate cyber risk and strengthen their defences?
Lo Cicero: Companies should ensure they have well developed and tested incident notification, response and recovery plans and capabilities. These plans have to integrate holistically with an organisation’s IT disaster recovery plan, business continuity plan and crisis management plans. There should also be a comprehensive internal and external communications plan covering all of these areas. Responding to cyber incidents in an ad hoc manner is neither effective nor prudent, as this type of response can only lead to mistakes that aggravate the situation and make an organisation appear incapable of managing itself. Although having these plans in place and tested regularly is paramount, part of doing the right thing includes having a sustained and comprehensive programme of assessments and audits of a company’s environment, which, in turn, should lead to continuous improvements. These are the foundations of demonstrating that appropriate due diligence is being applied.
Wall: Effective cyber security requires a truly holistic approach that covers all dimensions: technical, physical, people and process. An effective strategy should consider security as an integral part of all stages from inception and design through to operation. It needs to range across an organisation’s whole supply chain to avoid third parties introducing unexpected vulnerabilities to the organisation’s security. It requires appropriate awareness to be embedded across all levels of the organisation, from the board down. And finally, it should be considered as not just the prevention of attacks but also the response and recovery measures required to provide true resilience. Though this may sound simple in theory, in practice it can be very hard to implement and will take time. Nothing can be 100 percent secure and security budgets are always finite, so it is best to focus investment on the right areas to protect your organisation’s ‘crown jewels’ and to develop agile approaches to cyber resilience that can evolve over time to keep pace with ever-developing threats.
Lehmann: The most important piece of advice is to accept the fact that at one time or another a successful cyber attack will happen. The only question is whether the company will then be prepared for it or not. If the company is adequately prepared, the chance is that negative consequences will not be disastrous, and can be handled. The second piece of advice is that companies must realise that cyber security is not an impediment to successful performance; it is actually the basis for success. Finally, companies should look for a good cyber insurance policy.
Elmer: Companies need to focus on several key elements to mitigate cyber risk and shore up their defences. Creating a written information security programme (WISP) and measuring their cyber security risk posture will help companies avoid a breach by identifying potential security holes before an attack occurs. Another key focus for companies should be to implement an incident response programme, and regularly test this programme to ensure it is up to date against the evolving types of breaches. Finally, conducting vigorous vendor due diligence before engaging a third party will enable companies to select the appropriate party to evaluate their systems and prevent potential attacks.
Marguinaud: Being cyber resilient is key. Just being able to prevent, detect and correct any impact that cyber incidents can have on a business is a good first step. Good cyber resilience means a complete and collaborative approach that is driven by the board, involves everyone within the organisation and extends to the supply chain, partners and customers. This strategy’s main focus is to prevent an incident and to quickly recover after an incident. Insurance is crucial in this process. Also, companies should avoid the common mistake of becoming over-reliant on technology. Well-informed people and well-designed processes need to also be taken into consideration. Keep in mind that there are three pillars upon which companies are safeguarded – people, technology and processes.
Kaspersky: Remember that cyber security is an endless process, and what works well today may not work at all tomorrow. To achieve a decent level of protection, and to maintain it, takes a lot of effort. But it is worth it. One day there will be a breach and you must be prepared to deal with it.
FW: Looking ahead, how do you expect the cyber security landscape to evolve, in terms of its impact on companies? Given the seemingly constant threat of attack, how should companies view their chances of falling victim?
Lehmann: Companies have to redesign their structures in a way that makes them less open and less vulnerable. And we all will probably have to come to terms with the fact that sometimes security prevails over speed and convenience.
Kaspersky: Companies should act under the assumption that the chances of coming under attack and being a victim are very high. Act like you are constantly in the crosshairs and that the bad guys are looking at how to make you a victim at any given moment. Any reasonable company should hate the idea of being an easy target.
Lo Cicero: We expect the impact on companies to increase, particularly in terms of costs to protect, detect, respond and recover as support and technologies become more expensive. The impact will also increase in terms of reputation and business sustainability, due to more frequent public disclosure of sensitive and personal information gleaned from attacks, and the increasing rate of international corporate cyber espionage targeting intellectual property. There is an industry adage that ‘it is not a matter of if you will be breached but only a matter of when’. Based on more recent history, the latter part will evolve into: ‘…but only a matter of how often and how vicious’. At present, companies are mostly suffering from easily recoverable ransomware Trojan data encryption type attacks and the chance of that occurring is nearly 100 percent, whereas the chance of falling victim to a headline making attack is much lower due to the requirement for a confluence of circumstances.
Marguinaud: Every year, a large number of studies and analyses on cyber threats and the security landscape evolution are released. Unfortunately, none of them are optimistic. There are good reasons for this – attackers are becoming more sophisticated and organised, legislation is more strict and, as we change the way we do business, the area of opportunity for hackers widens. The question is no longer ‘if’ but ‘when’ a company will suffer an attack. Companies can improve their means of managing cyber risks in order to slow down and limit the impact of such threats. Obtaining a tailored insurance policy is key to that improvement. In business, and also in risk management, it is vital to expect the best but plan for the worst. So, it is time to boost your company’s cyber resilience strategy and get ready.
Elmer: The cyber security landscape is continually evolving as cyber criminals employ new and different methods of attacks. It is essential for companies to take a proactive approach in order to stay abreast of these changes and update their policies accordingly. Adhering to the mantra of ‘it is not if an attack or breach will occur, but when’ is the best way for firms to be confident in their prevention of attacks, and if a breach occurs, to be able to react swiftly and effectively.
Wall: In the future, corporate and industrial control networks will continue to converge due to cost, flexibility and support requirements. Each of these benefits will need to be balanced against the potential security risks created by this convergence. Future cyber threats might include access to cheap, or free, ubiquitous technology that will make it easy for an actor to innovate and attack infrastructure. Or artificial intelligence actors that can be provided with some basic parameters and an end objective and are just left to find a way in. Quantum computing will ultimately introduce a paradigm shift that will compromise the currently robust security offered by public key infrastructure encryption. And extensive penetration of mobile and wearable technologies will make it nearly impossible to set up strong geographical ‘security boundaries’. Unfortunately, companies must conclude that they will be attacked at some point and no percentage guesswork will apply. How the company detects and responds is critical.
Andrew Wall is the head of cyber security at Atkins. He is a specialist adviser in security risk with over 25 years’ experience in the industry, and has led and delivered multiple security projects in the UK, Europe and the Far East. Mr Wall currently consults across UK government and critical national infrastructure enterprises, architecting business-driven security solutions. He can be contacted on +44 (0)1242 546 278 or by email: andrew.wall@atkinsglobal.com.
Jason Elmer joined Duff & Phelps as a managing director in February 2016 to launch the firm’s global cyber security practice. He is responsible for developing product offerings and leading related sales and marketing efforts globally. Based in New York, Mr Elmer has more than 15 years of experience within the alternative investment space, specifically in providing FinTech solutions to the hedge fund and private equity vertical. He can be contacted on +1 (212) 871 6366 or by email: jason.elmer@duffandphelps.com.
Eugene Kaspersky began his career in cyber security accidentally when his computer became infected with the ‘Cascade’ virus in 1989. His specialised education in cryptography helped him analyse the encrypted virus, understand its behaviour and develop a removal tool for it. After successfully removing the virus, Mr Kaspersky’s curiosity and passion for computer technology drove him to start analysing more malicious programmes and developing disinfection modules for them. He can be contacted on +44 (0203) 549 3499 or by email: info@kasperskylab.co.uk.
Claudio Lo Cicero is the chief information security officer for Maersk Oil. Mr Lo Cicero holds a Master of Science with an information security specialisation, and several information security and data privacy professional certifications including the CIPM, CISSP, CRISC and CISM. He is also a member of several industry organisations, such as the IAPP, ISACA, ISSA and ISC2. He can be contacted on +974 (44) 013 233 or by email: claudio.locicero@maerskoil.com.
Xavier Marguinaud oversees and coordinates Tokio Marine HCC’s cyber strategy for EMEA, APAC and LATAM. Previously, he worked at Marsh as New Zealand cyber risk specialty head and as financial lines senior risk adviser as well as cyber product champion in France. He launched his career in the risk and insurance department of Publicis Groupe. He can be contacted on +34 93 530 7439 or by email: xmarguinaud@tmhcc.com.
Dr Jochen Lehmann has been a partner at GÖRG since 2007 and specialises in IT matters with a particular focus on data protection and data security matters. He has built up his expertise in that particular field of law since he started working for GÖRG about 16 years ago. He is a regular speaker on the subject of data secrecy and data protection in various contexts, such as data secrecy and director’s liability or data secrecy and insurance. He is also a member of GÖRG’s IT group. He can be contacted on +49 221 33660 244 or by email: jlehmann@goerg.de.
© Financier Worldwide
THE PANELLISTS
Atkins Ltd
Duff & Phelps
GÖRG
Kaspersky Lab
Maersk Oil
Tokio Marine HCC