January 2020 Issue
Across every industry sector, the magnitude of the cyber security threat is increasing dramatically. Every organisation with employees and computers is vulnerable. The fundamental question is the level of vulnerability and preparedness. To improve safety and security, organisations need to be vigilant in their efforts to instil a culture of cyber compliance and regularly test their ‘cyber hygiene’. Constantly evolving, cyber security threats are a frequent hazard set to persist in perpetuity.
FW: How would you describe the magnitude of the cyber security threat currently facing companies today? In your opinion, how vulnerable are companies to attacks such as data theft and hacking, computer network interruptions, privacy violations and other system breaches?
Gu: The cyber security threat is increasing dramatically, with many cyber attacks occurring around the world. From these incidents, we can see that data theft and data-centric attacks are the most popular types. Whatever ways hackers or insider attackers see fit to use, the purpose is to monetise the stolen data. Companies are still vulnerable to these anonymous attacks.
Weber: An all-hazards approach to risk identification and prevention is essential for every organisation, as well as fundamental to business resilience and continuity planning. The ever-growing and evolving cyber threats landscape poses one of the most frequent hazards that will persist in perpetuity. We have moved from ‘not if, but when’ to ‘how frequent?’ Candidly, the war is unwinnable, and organisations must focus on how best to manage each battle through a multidisciplinary and multilayered approach combining offensive and defensive tactics.
McCormack: It has generally become the norm that across any industry sector, the magnitude of the cyber security threat could not be larger. In the last few years, we have seen cyber risk elevated to one of the top risks that boards and chief executives worry about. All companies are vulnerable; the fundamental question is the level of vulnerability and the level of preparedness. As long as a firm has employees and computers there are risks. Our job as chief information security officers (CISOs) is to help manage the risk for the board and chief executive and translate the risk of doing business into a coherent risk matrix to allow them to make the cost-benefit analysis. There are plenty of people trying to scare executives about the coming cyber armageddon, but our job must be to inform, not inflame.
Oikonomopoulos: Cyber threats continue to rise, as evidenced by the BA, Equifax and Marriott examples. All three companies experienced cyber breaches on a significant scale, impacting millions of customers. It should be no surprise that cyber threats have gained board-level attention given their potential magnitude. Despite executive awareness, companies will continue to be vulnerable to cyber threats, often due to reasons outside a company’s direct control. Business digitalisation, third-party interdependencies, unauthorised third-party software and a lack of customer awareness are all factors which could impede a company’s efforts to reduce cyber risk. Customers, for example, are not always conscious of cyber threats. A common practice is using the same password for accessing multiple online services. As a result, cyber breaches can propagate, with consequences for individuals and companies alike. Nothing suggests, from published reports to empirical data, that the level of cyber threat will reduce any time soon. Regulators, such as the Financial Conduct Authority (FCA), have identified cyber attacks as one of the most common sources of operational resilience incidents.
Reddig: Just as physical security infrastructure can no longer be simply deployed at the perimeter, security teams must also be fully integrated into the corporate structure to foster cross-training and the sharing of strategic information. Today, security professionals are monitoring service provider and critical infrastructure networks and often receive more than 10,000 cyber security alerts each day. Not all of these are security breaches. Many are false alerts and duplicate information. Yet the sheer number of alerts can overwhelm a company’s security team, resulting in incidents that are not investigated. Teams need better ways to automatically prioritise alerts that allow them to focus on the most severe ones first.
Doss: Cyber security threats are continuing to grow in scope and complexity. The risks are no longer limited to breach of payment card information or social security numbers – although that information remains a target for hackers. Other kinds of cyber risk are also growing, including increasingly widespread and sophisticated uses of ransomware to shut down business operations and social engineering to lure unsuspecting companies into transferring data or money to fraudulent accounts. Whether it is a malicious insider, a sophisticated external hacker or opportunistic cyber crime, such as criminals taking advantage of easily exploitable weaknesses, companies continue to face risks that cyber incidents will compromise privacy-protected information, interrupt business operations, cause reputational harm and even result in the direct transfer of funds to hackers’ accounts.
Navetta: Unprecedented and getting worse every day is my take on the current cyber threat landscape. As a society, we tend to adopt technology and ask questions later – this appears to be an organic process for the most part. Businesses fall prey to this mode of thinking, and perhaps to a greater degree. Why? First, companies rely on technology to maximise their efficiency and, ultimately, profit. The concern is the bottom line, not ‘hypothetical’ risks that could impact the company. Chief executives, product managers and salespeople have one motive: get product to market quickly in order to beat the competition. Adequately securing the organisation is often a second thought, or not a thought at all. We especially see this in the emerging market space where getting to market first can be the difference between a unicorn and a failure. Second, our reliance on technology in every facet of an organisation results in systemic fragility. Many organisations have multiple ‘single points of failure’ that can literally disable all of the operations of an organisation. We are seeing this now with the proliferation of ‘big game’ phishing attacks. It is too easy to infiltrate an organisation’s network using a phishing attack or remote desktop protocol, and from there decimate the company’s bottom line. Ironically, the fact that revenue is completely halted in such an attack may open the eyes of senior management and result in a more proactive approach to security. Third, a robust economy has built up around hacking and computer fraud. Attackers are differentiating their skillsets to improve results, achieving economies of scale and developing fluid markets. In short, attackers are utilising the same concepts and techniques that corporations use to maximise profits. Where this profit incentive exists, especially in countries where economic opportunity is limited, people will be strongly encouraged to organise and commit crime.
FW: What methods can companies use to evaluate their cyber risk exposure and determine the most suitable countermeasures to employ?
Weber: Companies must be vigilant in their efforts to instil a culture of cyber compliance and must regularly test the ‘cyber hygiene’ of their organisation. Tone from the top is essential and the C-suite must set and reinforce the need to take cyber security seriously and ensure that all employees embrace the effort. Social engineering and phishing will remain some of the most common and effective methods to gain unauthorised access to an organisation’s data, intellectual property (IP), funds and other assets. It is therefore imperative that the entire employee base is part of the first line of defence.
McCormack: It has become, like everything else, a cost vs benefit analysis. Just like buying insurance, the level of funding you give allows us to buy down a commensurate portion of risk. Companies should be using one of the many industry standard control frameworks to allow them to use a standard language to identify and quantify their risk landscape. Once that has been done, the board should accept the level of risk that they feel matches their risk appetite and balance it with the investment they are willing to make. You can never get to zero risk, it is not possible, but a well-informed board and chief executive are very valuable in your daily fight against the bad guys.
Oikonomopoulos: Companies should apply a combination of ‘back-to-basics’ cyber hygiene, combined with cyber capability and residual risk assessments. In terms of getting the foundations right, patching, using authorised versions of third-party software and effective vulnerability management are still fundamental in preventing or reducing cyber attack impact. Maersk and BA incident analysis provides lessons learnt and insights on how to avoid cyber exposures by following standard control practices. An increasing number of vendors and consultancy firms offer methods for assessing residual risks and benchmarking cyber control maturity against industry frameworks, such as the National Institute of Standards and Technology (NIST). These methods could supplement cyber remediation planning and prioritisation, enabling companies to spend their budgets more wisely. Governance, risk and compliance (GRC) tools are also invaluable, in terms of enhancing risk governance and providing additional data points for estimating residual cyber risk.
Reddig: One of the most important success factors in security is reducing the length of time a hacker goes undetected – the more time they have, the more chances they get to hunt around the network for valuable data to steal. However, using an orchestrated analytics and automation system, a hacker’s ‘dwell time’ can be cut by up to 80 percent. Intelligence gathering and analysis correlates data from across the network, devices and cloud layers to spot suspicious anomalies, and provide insight into the nature of the threat, the associated business risk and the recommended response. When using a security product that includes machine learning (ML), you will want to augment the things you have done in the past – like the Internet of Things (IoT) malware or distributed denial-of-service (DDoS) signature collection and automated malware or user behaviour analysis – and combine them with the machine’s capability to determine new, malicious content or an intruder.
Doss: Every company should consider how best to use a multilayered strategy to protect its systems and information. In the information security business, this has traditionally been referred to as ‘defence-in-depth’ and the essence of what that means is that any one security measure might fail or be circumvented, but it is far more difficult for even the most motivated cyber adversary to thwart a whole suite of different protection measures. For example, a company that has robust IT security, clearly documented information security policies, thorough vendor management processes, and a regular programme of employee training is far better able to withstand cyber incidents than a company that relies on just one of those measures. Perhaps the most important point is that each company should plan its cyber security and privacy programmes in a way that is individually tailored to its unique needs: to its industry sector, the types of information it holds, the regulations it is subject to and the realities of its financial constraints. Spending more should not be the goal; investing wisely should be.
Navetta: The best method for evaluating cyber risk is to stop viewing the problem as a technology issue, and instead treat it as a business impact issue. When viewed through a business impact lens, companies are better able to calculate the resources they need to minimise material impacts. Those responsible for data security often lack this context, and as a result may be more focused on addressing attacks rather than risk and potential impact. Unfortunately, getting to this point is difficult for companies, because the IT and security function is still very much siloed from broader business strategy. It takes specialised leadership on both the IT and the business side to bridge the gap.
Gu: Normally, I would suggest that all companies use the ISO 27001 international security management framework – a risk management process used to review and confirm security controls in light of regulatory, legal and contractual obligations. The Information Systems Audit and Control Association (ISACA) enterprise security risk assessment methodology is another good tool to determine countermeasures for high-risk priorities.
FW: With the uptick in cyber security threats having led to a more stringent regulatory environment, how are companies coping with greater compliance requirements? How should they go about managing the cost and complexities involved in fulfilling their obligations?
McCormack: Compliance is the cousin of security. In today’s global company, you cannot have one without the other. The challenge is that the backgrounds and experiences of the two disciplines are typically very different. Many firms are starting to migrate much of the compliance function underneath a CISO as the two focus areas are so intertwined, but I would only recommend this if a CISO has a strong background capable of adopting compliance tasks. Missteps in compliance can bring about fines, bad press and corrective action plans, all of which are dreaded. Automation is helping significantly to standardise many compliance tasks, but you will never be able to completely automate this work. There will always be an aspect of the unknown at work in compliance that requires a human being. I have several peers who have tried to outsource their compliance teams with varying levels of success. The challenge is that the company can never forgo its compliance requirements and outsourcing simply moves work somewhere else. You can never alter the responsibility and accountability. Regulators have also gotten significantly better in the technical realm, and with the multiple data breaches in the news constantly, this is a keen focus area for them.
Oikonomopoulos: Cyber breaches, further to business disruption, can often trigger additional regulatory scrutiny and increased compliance costs. For example, the Capital One breach has potentially marked the genesis of new cloud regulation and the BA breach could set a precedent for General Data Protection Regulation (GDPR) enforcement. Nevertheless, companies can still employ strategies for achieving effective compliance while containing budgets. Mapping regulations to corporate controls and considering them in the early stages of system design reduces the likelihood of increased costs due to retrofits and fines. Embracing regulatory change proactively and engaging with regulators is also important. New tools and technologies are available for managing regulatory engagements and increasing compliance efficiency, such as automated regulatory reporting and using ML to identify rogue trading. Another consideration is putting customers first and thinking customer-first. Customers are the epicentre of new regulation. Applying the same principles as regulators is not only good for businesses, but it also aligns companies with regulatory thinking upfront.
Reddig: Companies must protect access to personal data to comply with regulations, such as the GDPR. But compliance will be difficult to achieve without a strong privileged access management strategy. This strategy must safeguard privileged accounts that have access to systems and applications containing personal data. A privileged access strategy should allow an organisation to enforce the GDPR’s privileged credential usage control requirements, with capabilities such as live user activity monitoring and session recording. It should also isolate privileged sessions, especially those that come from outside the network or from unmanaged third-party devices. Further, it should ensure individual accountability with privileged access to help an organisation fulfil its notification and reporting requirements.
Doss: Whether obligations are industry-focused, technology-specific or geographically driven, companies need to be attuned to the ways in which an increasingly complex privacy and cyber security regulatory environment is reshaping their obligations and potentially affecting their bottom line. The past few years have brought about significant expansion in corporate risk relating to cyber security and privacy. This includes sector-specific obligations, such as those imposed on the financial services industry through regulations issued by the New York Department of Financial Services; the expansion of previous data protection frameworks, as we saw with the European Union’s transition from the Data Protection Directive to the GDPR; the recently invigorated enforcement of previously existing laws governing the collection of biometric information, such as the Illinois Biometric Information Privacy Act; and the establishment of new frameworks such as the California Consumer Privacy Act (CCPA), set to take effect in January 2020. Each of these statutory frameworks, along with increased momentum behind consumer class actions and shareholder derivative lawsuits, is heightening the regulatory risk faced by companies that collect, process or share personal information.
Navetta: Organisations dealing with data security and privacy regulations typically employ a risk-based approach. If potential regulatory requirements are difficult or costly to address with 100 percent compliance, companies will look for alternate approaches. From a legal perspective, especially because many of the regulatory requirements are vague and have room for creative interpretation, companies will seek to develop reasonable compliance positions that minimise cost while presenting an acceptable level of risk. Ultimately, a herd mentality arises whereby organisations recognise their colleagues’ approaches to compliance and emulate them, even if the herd is not actually ‘fully’ complying with the laws. In turn, regulators are typically loath to go after organisations that are in line with the herd, and instead tend to focus on outliers. This, in turn, reinforces the parameters of the herd and identifies safe boundaries. Ultimately, organisations that can develop reasonable legal positions and adhere to industry standards can manage the increasingly complex data security regulatory environment.
Gu: Compliance requirements are soaring so quickly for all companies as business operators handle cyber security threats around the world. For example, China’s cyber security law imposes high-level enforcement for companies to be compliant. Companies need to undertake a very clear mapping toward the law, concentrating especially on data inventory, gap analysis and remediation tasks, which can fix these gaps.
Weber: On balance, the burgeoning cyber legal and regulatory environment is a good development. While many may take issue with the potential financial exposure under some of the new laws, such as the GDPR and the CCPA, these new laws provide guidance and clarity to what was, just a few years ago, a milieu of ambiguity. The greater compliance requirements do result in enhanced costs and the need for even more assistance from third parties. However, no organisation wants to be a ‘test case’ or made an example of by regulators or the plaintiffs’ bar, which will ultimately cost more than developing an effective compliance programme. Cost is not just monetary, it is also brand and reputation.
FW: To what extent is cyber security, as a risk management item, climbing the boardroom agenda? Are you seeing more organisations creating clear cyber policies and disseminating them from the top down?
Oikonomopoulos: Over the years I have encountered senior management in denial and lacking an understanding of how critical cyber risk is. Nowadays, corporate mood towards cyber has radically changed. I have yet to encounter a cyber professional working for a bank or any other organisation where cyber risks are not seen as critical. Even in less regulated sectors, digital channels are very important for delivering customer value. As a consequence, boards are increasingly aware of the disruptive potential a cyber threat has for business loss and unhappy customers. Cyber professionals, more than ever before, have their executives’ full attention. The burden is now on CISOs and their teams to deliver credible mitigations, while continuing their efforts to educate stakeholders and customers on cyber risk.
Reddig: Boardrooms need members who can recognise the urgent threats posed by cyber attacks and provide leadership that clears a path to stronger network security. But also, the role of cyber security teams in chief information officer (CIO) or CISO organisations must expand from protecting the operations and infrastructure and add to the value proposition of digital services and applications. It is important for security leadership to understand the needs of customers; they must move from being a ‘back-office function’ to immersing themselves as a vital contributor in the delivery of extraordinary customer experiences. For a successful digital business, a defined cyber security posture and its metrics must accurately report the value of its controls to all relevant stakeholders, especially the board. Board members and C-suite level executives benefit from security metrics aligned with business goals that clearly show the likelihood of impacts and costs.
Doss: Cyber security and privacy absolutely must be board-level items. The scope of potential fines under legal frameworks like the GDPR and the CCPA means that any company subject to those regulations can face existential threats for violating the requirements created under those schemes. And recent class action litigation rulings in the US have made clear that companies face increasing risk from lawsuits whose claims fall outside the more traditional scope of compromised credit card information. Two recent litigation examples from the US are instructive. First, the Ninth Circuit held that plaintiffs stated a claim against Facebook for its use of facial recognition technology – this case is striking because many courts have, in the past, held that plaintiffs lacked standing to sue for alleged privacy violations unless there was a concrete risk of financial injury, such as from breached credit card information. The second was a decision in the Equifax shareholder derivative litigation, in which the judge held that the Equifax chief executive could be held personally liable for the damages resulting from that company’s data breach because of the chief executive’s knowledge of the company’s cyber vulnerabilities, his failure to address them and his public statements to the contrary. In other words, courts as well as legislatures and regulators are expanding the scope of risk faced by companies, and by individual corporate executives. Consequently, boards should absolutely be paying attention and taking note.
Gu: Cyber security is now an essential topic for discussion in the boardroom, as cyber security posture can impact the stock price of listed companies. So, it is necessary to present the company’s cyber security maturity and gain the attention of board members. I am already seeing more business operators creating clear cyber policies and broadcasting them in a top-down approach. Management members that advocate these policies are making a very strong statement.
Weber: The board-level approach is mixed and there is a good deal of lip service given to cyber security. While on an individual basis many board members will tell you that they are concerned about cyber security, boards as a group are not as involved as they should be. Cyber security is now squarely part of a board’s fiduciary duty and board members must be informed and involved to ensure that the organisation is constantly improving its cyber security programme. It is incumbent on the chief executive, chief information security officer, general counsel and chief compliance officer to regularly inform and engage the board, which will also benefit senior management when a breach occurs. The board will more likely support senior management post-breach if the board understands the depth and breadth of the cyber security efforts undertaken by the company over time.
Navetta: Cyber security is on the radar of many boards, but in most cases it still appears to be high level and light touch. Boards tend to get more interested after major breaches occur, rather than before. There is a lack of expertise at board level that limits the effectiveness of boards to manage cyber risk. Boards can influence priorities and help secure resources, but for the most part their depth of knowledge is low. In that sense, smart officers, risk managers and CISOs can utilise the board as a tool to secure more resources and focus more attention on data security. In essence, the extent of board involvement is a political issue within many organisations. That said, for some business models, data security is a higher priority, and we are beginning to see board members selected for their IT expertise, and the chartering of board-level cyber security committees.
McCormack: Cyber security is simply a risk management item, the same as compliance or privacy. Mismanagement of any of those can lead to the same detrimental outcomes for the company, including fines, bad press, critical area protection areas (CAPAs) or auditor findings. This is why there is an industry trend toward CISOs working for chief financial officers (CFOs) or chief risk officers (CROs). The challenge for some of these models is that CIOs have been working security issues much longer than some of these other executives. This means that, to be effective, you need an active and engaged leadership model if the CISO reports to one of these other individuals. I have reported to CIOs, CFOs, chief digital officers (CDOs) and general counsels in the past. I have found all to be successful as long as I am able to translate security risk into the language they speak. It is incumbent on me to speak to them, not expect the other path. This is why it is critical for CISOs to learn to be comfortable speaking to all these varied executives and how to put security into an understandable business case. CISOs have become insurance salesmen, really.
FW: Could you outline the main risks that cyber issues pose to D&Os on a personal level? What measures should a company take to ensure that robust D&O liability cover addresses cyber security and data breaches?
Reddig: Careful planning can help company leaders orchestrate an effective response that minimises the shock and confusion that follow a successful cyber attack. But it takes practice to execute this kind of plan under intense pressure. By simulating attacks and rehearsing response scenarios, executives can avoid big mistakes, make smart risk mitigation investments and ensure a fast recovery. A good simulation of a data breach will test a boardroom’s command and control capabilities, commercial judgement and coordination. It will teach executives where critical data is stored, how it could be compromised and what is required to protect it. It will also reveal vital insights about responding to cyber attacks. Why is it important to detect and respond to attacks quickly? Who should lead the response to a breach? What legal and moral responsibilities need to be met? How much could a breach cost the company? What is the best way to communicate with customers and stakeholders?
Doss: The Equifax court’s ruling that the chief executive could be held personally liable for the consequences of the cyber breach is instructive, as is Securities and Exchange Commission (SEC) guidance for publicly traded companies. Broadly speaking, the standard for personal liability of directors and officers (D&Os) is still tied to principles of scienter that have existed in the past. There has not yet been a wholesale shift towards imputing corporate liability to individuals. However, legislators and regulators are taking increasing note of the role of executives in making these decisions, as evidenced in the call by a number of US senators for legislation that would hold corporate executives personally – and perhaps even criminally – liable for cyber security and privacy failures within a corporation. In light of this growing risk, companies should be looking closely at the intersection between their cyber coverage, their D&O coverage, and even their crimes coverage to make sure there are no unintended gaps created between them. The crimes coverage is relevant because coverage for incidents like business email compromise, that involve tricking company personnel into wiring funds to fraudulent accounts, is often found under crimes policies rather than cyber policies.
Navetta: In the US at least, we have not seen much enforcement on the personal level for D&Os around cyber security. Moreover, under US case law, the threshold for board negligence is still high. Even relatively high-level board involvement around cyber can excuse mistakes that lead to security breaches. However, we have begun to see some high-profile settlements of shareholder class actions and derivative suits. Of course, this leads organisations to ensure that their D&O coverage responds appropriately. Ultimately, with the advent of big game phishing where the core operations of an organisation are brought down, we could see more D&O lawsuits because these breaches go directly to an organisation’s core mission.
McCormack: Many corporate board and executive policies do not cover cyber incidents anymore. Many board and C-suite officers have to get their own D&O policies to cover cyber breaches. It is quite telling that the insurance market does not want to commingle cyber incidents with the other issues that could cause a claim against a D&O policy.
Gu: The main risk that cyber issues pose to D&Os is a social engineering attack. A social engineering attack can use diverse technologies, and D&Os are the most popular target. As for mitigation measures, education and training can raise awareness, and comprehensive monitoring of users’ behaviour can ensure unintended leakage is avoided.
Oikonomopoulos: D&Os are prime targets for hackers for multiple reasons. Impersonating an authority figure is an effective way to achieve a successful social engineering attack and commit fraud. D&Os, due to their roles, may have access to privileged accounts which again increases their importance in a potential attack. D&Os should follow increased measures in terms of protecting their identity. Social media profiles should be stripped down of any information which could be exploited in an attack or for tracking the individual’s whereabouts. In addition to being targets themselves, executives could be susceptible to litigation from shareholders and customers, as well as regulatory scrutiny. Robust cyber risk governance, combined with an audit trail of decisions and actions taken to mitigate risk, could reduce the likelihood of such scenarios.
FW: What final piece of advice can you offer to companies seeking effective strategies to mitigate cyber risk and strengthen their defences?
McCormack: Identify what your critical data or systems are and focus there. You cannot protect everything equally, so do not bother trying. Do not rely solely on the tools your CISO has bought; always follow the people, process, technology model, where technology is last. You have to train your people how to use the tools you have given them. The most damaging breaches of recent years are not overly complicated, they are typically making use of a user’s logon and password to gain access. The most cost-effective method of elevating your security is to train your employees. Also, be realistic in what expectations you set for your board and C-suite. As a CISO, never over promise, because you will always get called out. Be honest, even when what you are saying is not popular. And the reverse is true for boards and chief executives. Do not expect superhuman abilities from your security team. I can guarantee you they are working themselves at maximum pace every day. Grade them not on if something bad happens, but on how well they handle it when it does happen.
Weber: There is an old joke: ‘How do you get to Carnegie Hall? Practice, practice, practice’. The same is true in the world of cyber security. Tabletops at the operational and management levels are key and must include senior management and the board. Data breach and incident response plans should not be left to collect dust. Rather, those plans should be tested regularly and modified based on what is learned during tabletop and other exercises. An effective cyber security programme must be structured in a manner that maximises the attorney-client privilege and includes a multidisciplinary team consisting of representatives from information security, legal, human resources, risk, finance and outside partners.
Gu: Companies can utilise threat intelligence to proactively prepare for potential cyber risks, also based on correlative threat, to ensure they are not vulnerable to incidents and can take remediation action. In addition, companies can design more effective strategies to prevent attacks happening.
Oikonomopoulos: Companies should not underestimate the benefits of getting the basics right. A number of breaches are still happening due to bad ‘hygiene’. It is also critical for companies to quantify their exposures, as well as measure risk mitigation achieved by their cyber programmes. Effective residual risk assessment could supplement cyber planning efforts and mitigation prioritisation. Intelligence sharing and comprehensive GRC and control framework benchmarks can all contribute to more accurate assessments. Finally, investing in cyber awareness and innovation is paramount. Security is as weak as the weakest link. Ill-educated employees could become a liability for corporate security defences. Innovation could enrich risk-mitigation strategies, providing additional techniques and tools for addressing cyber threats. A plethora of new vendors in cyber space exist, offering innovative products and defence capabilities.
Navetta: Break down the barriers between IT and security, and broader business stakeholders. Chief executives, directors and other senior managers who view data security as some sort of ‘other’ and distinct from an organisation’s core mission are making a mistake. Organisations must determine how to bridge the gap and get all of the stakeholders to understand how security fits into the broader mission of the business. Because of the serious differences between these stakeholders, we recommend that companies find a translator, or learn to translate, and find a common denominator.
Doss: First, any cyber security and privacy programme should be bespoke, tailored specifically to the individual risk profile, needs and resources of the particular company. Second, the most effective privacy and cyber security programmes are interdisciplinary in nature. That is, they involve close and ongoing collaboration among the corporate departments responsible for IT, risk, finance, legal, HR, operations, marketing, procurement, and potentially other corporate departments as well. None of these components can unilaterally develop and implement the full range of multilayered or defence-in-depth strategies that are needed in today’s environment. Finally, cyber and privacy risk need to be viewed as strategic imperatives and corporate-level risks in the same ways that overall business strategy traditionally has been. Cyber incidents and privacy missteps can threaten a company’s very existence. Consequently, the C-suite and board need to dig into these issues, and not simply relegate them to a subordinate company department to manage on its own.
Reddig: An attack response plan needs to be supported by effective security technologies. Cyber criminals are now using automation and artificial intelligence (AI) to attack companies and networks more efficiently. They are also exploiting an attack surface that is growing as companies embrace cloud, IoT and 5G technologies. To protect their assets and interests, companies need to invest in security orchestration, analytics and response (SOAR) solutions that can automate security for business processes, regulations and policies; provide end-to-end security for network operations and processes; correlate security data from networks, devices and cloud layers to spot suspicious anomalies and provide insight into threats; and protect data with multi-layer encryption. Solutions that provide these capabilities will help security teams detect indicators of compromise, identify harmful actors, prioritise risks and respond to threats faster. They will support an active security approach that enables companies to streamline processes, accelerate decision making and optimise costs while keeping security threats from becoming damaging data breaches.
FW: Looking ahead, how do you expect the cyber security landscape to evolve, in terms of its impact on companies? Given the seemingly constant threat of attack, how should companies view their chances of falling victim?
Navetta: We are beyond trying to prevent every breach from occurring, and the cliché of ‘not if, but when’ is in full effect. Companies now need to focus on resiliency. That requires translating data security risks into business impacts. It requires organisations to develop methods for mitigating not only the immediate technical threat, but also the specific business impacts. The latter is a broader endeavour that requires coordination among a broad set of stakeholders. Companies that are fragile, that break instead of bend, will suffer the consequences, and in some cases the consequences mean no longer being able to conduct business. Again, this concept is being tested in real time with the ransomware wave we are currently facing. It has woken up the business side to the real threats to an organisation – the threat of being literally unable to provide core products and services. Optimistically, the current threat landscape is going to open the eyes of senior management and boards more than ever before, will result in barriers being broken and will lead to better cyber risk management in the long run.
Gu: With an increasing number of cyber security incidents happening around the world and in a range of industries, the trend is for cyber security threats to be increasingly rapid and changeable. And the magnitude of the impact of such incidents is greater than we may expect. If companies want to prevent a cyber security attack, they need to tailor their people, policies and processes accordingly. If a company is prepared for a threat, then the risk may prove less than imagined.
Oikonomopoulos: The cyber security landscape will evolve in terms of sophistication and scale. The global economy will continue to digitalise and, as a result, incentives for committing cyber fraud will also grow. Reducing cyber threat will require extensive collaboration and investment across companies, government and regulatory bodies. New tools and AI-driven technology could be used to reduce cyber impact, but this could also introduce new threats. Until AI defence and cross-industry collaboration reaches maturity, companies and society as a whole need to continue their efforts to manage evolving cyber threats.
Doss: Companies should recognise that the cyber threat landscape has been undergoing steady growth and constant change for over a decade. These are fundamentally asymmetric threats. That is, there are myriad ways in which malicious cyber actors can steal information and defraud companies from a distance, in many cases entirely via remote means, and at very little risk to themselves of getting caught. This low-risk-high-reward crime model has made cyber crime increasingly attractive, not just for individual criminal actors, but also for sophisticated organised crime rings. Given these incentives, companies should expect that cyber criminals will continue to look for ways to exploit companies’ defences and take advantage of vulnerabilities. Cyber threats are likely to get more diverse, pervasive and complex in the foreseeable future, not less. That makes this the perfect time for companies to engage in a regular, disciplined process of assessing their current risk profile and the individually tailored ways that will be most effective in mitigating risk.
Reddig: Criminals are quickly learning how to leverage botnets, running sophisticated malware as the infrastructure for massive, illegitimate moneymaking machines. Botnets are overlays of software that run, typically unknown to the owners of those systems, on large collections of internet-connected machines. Even if demanding a ransom, the use of ‘untraceable’ cryptocurrency like Bitcoin makes it easy to see why botnets are emerging as a preferred platform for cyber criminals. Companies need to adapt their traditional security with perimeter firewalls, security information and event management (SIEM) and signature-based anti-virus to an adaptive, dynamic security orchestration that allows data and information gathering to ensure a constant collaboration between point products of multiple vendors and technologies – a system that helps security experts to detect threats and accelerate response actions earlier.
McCormack: Awareness of the criticality has grown steadily. I am not sure it can rise much more. Every chief executive I speak with understands the risk. It is whether or not they can afford the programme they need. A company will fall victim or experience an incident. Every, and I emphasise every, company will have or has had incidents. Not all rise to the level of reportable or result in catastrophic damages or costs. But I can say with full confidence that we will all have our time in the barrel. So, prepare your boards for that event and do not try to solve it all yourself. Always have a good law firm and breach response vendor on retainer. You will need them at some point.
Great Gu is a cyber security, risk management and IT governance expert. He is an International Association of Privacy Professionals (IAPP) Asia Advisory board member. He won the (ISC)² 2017 Asia-Pacific Information Security Leadership Achievements (ISLA) award, and was the only winner from mainland China. He is frequently invited to speak on cyber security topics at online seminars and large-scale conferences across Asia-Pacific (APAC), and to host elite cyber security panels. He can be contacted on +86 189 1652 7303 or by email: wgu01@amgen.com.
David Navetta is a vice chair of Cooley’s cyber/data/privacy group. Mr Navetta has focused on technology, privacy and information security law since 2002. His work ranges from privacy compliance and product development, and transactional work, to breach notification, regulatory response and litigation. He is a certified information privacy professional through the International Association of Privacy Professionals (IAPP) and previously served as a co-chair of the American Bar Association’s (ABA’s) information security committee. He can be contacted on +1 (720) 566 4153 or by email: dnavetta@cooley.com.
Scott Weber has extensive experience in complex civil and criminal litigation, including class action and mass tort defence, and regulatory actions and government investigations. Before joining DLA Piper, he was executive vice president and general counsel of CNA Financial Corporation. He was the managing director and inside threat leader for Stroz Friedberg, a global cyber security firm. He also served as senior counsellor to Michael Chertoff, secretary of the Department of Homeland Security. He can be contacted on +1 (212) 335 4825 or by email: scott.weber@dlapiper.com.
Matthew McCormack is the SVP & chief information security officer (CISO) at GlaxoSmithKline, one of the world’s largest pharmaceutical and consumer healthcare companies. He is responsible for the cyber security and risk management of GSK’s global network of 100,000 employees and over 100 manufacturing facilities. A 20-year industry veteran, he was previously the CISO of EMC and the global chief technology officer (CTO) of RSA. He can be contacted on +1 (202) 262 2122 or by email: matthew.x.mccormack@gsk.com.
Nassos Oikonomopoulos is the head of technology controls for regions at HSBC. He has over 19 years of experience in global financial services senior technology risk and cyber roles including a partnership role for a Big 4 and an interim chief information security officer (CISO) for a global bank. Further to these roles, he has been actively involved in providing thought leadership on FinTech, open banking, cloud and privacy, participating in industry forums and publications. He can be contacted on +44 (0)20 3268 3179 or by email: nassos.oikonomopoulos@hsbc.com.
Gerald Reddig is a senior business leader with more than 20 years of management experience in the IT and telecommunication industry. He leads Nokia’s portfolio marketing for security solutions and is responsible for all global campaigns in this regard. He has also held positions in product management and business development, including leadership responsibilities for European projects in the field of mobile internet and communication services. He can be contacted on +49 170 632 3498 or by email: gerald.reddig@nokia.com.
April Doss is a partner at Saul Ewing Arnstein & Lehr, where she chairs the firm’s cyber security and privacy practice. Prior to this, she spent 13 years at the National Security Agency (NSA) where she was associate general counsel for Intelligence Law. She also teaches privacy and internet law at the University of Maryland law school and is a frequent commentator on issues relating to national security, cyber security and privacy. She can be contacted on +1 (410) 332 8798 or by email: april.doss@saul.com.
© Financier Worldwide