Cyber security
January 2024 | ROUNDTABLE | RISK MANAGEMENT
Financier Worldwide Magazine
January 2024 Issue
Cyber attacks are on the rise, impacting organisations of all sizes across all sectors. Ransomware, spoofing, phishing, supply chain attacks and denial of service threats remain among the most prevalent. But rather than the shotgun approach of the past, targeted attacks are now driving the threat landscape. Coupled with the use of artificial intelligence, machine learning and other advancing technologies, cyber security is sure to remain at the top of organisations’ risk agenda.
FW: Could you provide an overview of the cyber risks currently facing businesses, organisations and governments across the globe? What are some of the common types of cyber threats, and how have they evolved in recent years?
Navetta: Institutions are faced with escalating cyber risks that are continuing to evolve in parallel with technology advancements and the explosion of and reliance on big data. The threats overall have remained consistent: ransomware, spoofing, phishing, supply-chain attacks and denial-of-service to name a few. However, these threats are growing in sophistication in conjunction with technologies like artificial intelligence (AI) and machine learning (ML), making them harder to detect and defend against. Moreover, threat actors are better organised and have more diversified skillsets and tools for deploying attacks. On some level, threat actors use the same market-oriented methods and approaches of top corporations to gain an advantage. Finally, the impact from cyber threats has increased significantly. Organisations of all types now face threats that directly affect their ability to provide goods and services and to operate.
Gottehrer: Ransomware is one of the most common cyber risks that businesses and governments worldwide are facing. Ransomware attacks have steadily increased in recent years, targeting a wide range of organisations including hospitals, educational institutions, critical infrastructure and law firms. In the US, government agencies on the federal, state and municipal levels have also been frequent victims of ransomware attacks. Insider threats also continue to pose cyber security challenges for businesses and governments. Disgruntled employees who have access to an organisation’s computer network and confidential data may take advantage of that access to harm the company. As phishing schemes become more and more sophisticated, even loyal employees can be a source of risk for an organisation if they are not sufficiently trained to identify suspicious emails and to report them rather than open them or click on links within them.
Paraskeva: Cyber risk transfer helps organisations address a vast array of loss scenarios. However, these can be split into two main buckets: data breaches and disruptive activity. With regard to the former, data protection regulation is expanding, not only in depth of requirements, but also in footprint across the globe, leaving organisations to face the colossal task of correctly handling, storing and protecting both personal and corporate data. A material breach or leak of data can lead to compound fallout, including punitive action from regulators, large-scale class actions against the company, and even a mass exodus of the customer base due to loss of trust. With regard to disruptive activities, we have seen a substantial uptick in attempted and successful cyber attacks from 2020 through to the present day, driven in no small part by organisations seeing a more fluid workforce requiring access to company resources from remote locations. A virtual ransomware pandemic has seen companies locked out of their critical systems, subjected to notable ransom demands, and often forced to spend vast amounts to conduct forensic sweeps or rebuild their networks. In many cases, the disruptive activity hinders revenue generation, threatening an organisation’s bottom line and leaving executives and boards facing challenging questions from regulators and shareholders alike.
Moore: Phishing threats remain at the heart of all cyber attacks but they are not used in the shotgun approach they once were. Much more specifically targeted attacks are now shaping up the threat landscape and, coupled with the use of ML, AI and other improving technologies, we are starting to see a rise in more sophisticated attacks where legacy protection is not cutting it. The surge in AI attacks is starting to feed its way into becoming the norm. We are currently at the cusp of a new era of technology and, by proxy, cyber crime too.
Papadopoulos: The biggest change we have seen in recent years has been the evolution from ransomware to a broader category of extortion threats. With ransomware, hackers encrypted a company’s data or systems and tried to extort the company to pay a ransom in exchange for releasing the data or systems. Increasingly, hackers are extorting companies by stealing data and threatening to publish it, or by threatening to embarrass executives or harm customers. Looking to the future, one troubling, anticipated trend is threat actors’ use of AI to power their offensive campaigns at much greater volumes and speeds than ever before. This will apply to all kinds of cyber attacks, from social engineering to hacking into systems. Threat actors will also use AI to generate deepfakes, for example of the voice of a company’s chief executive or chief financial officer (CFO), that will be used to compromise systems or trick companies into sending money to criminals’ bank accounts.
Armstrong-Smith: The digital world is moving at an unprecedented pace, with attacks becoming more sophisticated and frequent in recent years. According to our latest ‘Digital Defense Report’, users are particularly vulnerable to phishing campaigns, and we have seen this style of attack evolve even further over the last year. Identity-based attacks, such as password sprays and brute force attacks, are skyrocketing. Other attacks, such as business email compromise, are at an all-time high, and the deployment of malware and ransomware is also increasing. In addition, the increase in geopolitical tensions has also meant that many nation-sponsored actors have increased the global scope of their cyber operations. Organisations involved in critical infrastructure, education and policymaking were among the most targeted, in line with geopolitical goals and espionage-focused remits. Cyber attackers recognise the enormous value that can be extracted by gaining access to systems and data and have developed methods to scan thousands of environments across the internet, looking for those with the lowest security posture. Frequently, victims are not specifically targeted, but rather fall victim to unfortunate circumstances whereby an attacker is able to identify vulnerabilities that can be exploited.
FW: In your experience, how are companies coping with the regulatory environment around cyber and data? To what extent are they meeting their compliance requirements?
Gottehrer: Compliance with cyber security and data protection laws and regulations is an ongoing and evolving challenge for companies. The complexity of this challenge is magnified in the case of global companies because of the number of different and often inconsistent laws and regulations that apply to them in the different jurisdictions in which they operate around the world. For example, in the US, while there is no federal cyber security law, companies in certain sectors can be subject to federal cyber security and data protection regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Companies that do business in multiple states within the US can also be subject to the cyber security and data protection laws in those states and companies in certain industries will be governed by state regulatory agencies, such as the New York Department of Financial Services (NYDFS), which has its own cyber security regulations. All this is in addition to the cyber security, data protection and reporting obligations under the General Data Protection Regulation (GDPR) and other European Union (EU) cyber security regulations.
Paraskeva: We are seeing a broad range of maturity with respect to regulatory awareness and readiness. From organisations that are still struggling to grasp both the requirements as well as the available solutions, to those that have successfully mapped and tracked territory-specific regulation and gone even further by conducting in-depth compliance checks. The most successful organisations we see are those that have identified the most stringent regulation or frameworks applicable to the company’s territories of operation as a whole, and then applied measures to meet the relevant requirements under that particular regulation. Building and implementing this sort of ‘catch-all’ blanket approach can often prove more efficient, as well as forcing all business units or subsidiaries to uplift either to the necessary level of data protection, or above and beyond.
Moore: Since the beginning of time, criminals have always been one step ahead, and with new regulations on the fringe of becoming standard, we are once again behind the curve. Companies struggle with new technologies while governments struggle with new regulations. Add in AI and relatively new regulations governing cyber security and data, and problems and mistakes can arise. For example, the GDPR became a simple guideline rather quickly as very few fines were ever issued, giving many companies more time to adapt and follow procedure instead of making an example of them.
Papadopoulos: The biggest companies are generally keeping up with compliance requirements, but most other companies are struggling or will struggle to stay compliant. No security programme is perfect. As regulators have ramped up incident and risk disclosure requirements, they should expect to hear from companies that all is not as ‘clean and compliant’ as it once seemed. If regulators are to help create a rising tide that lifts all boats, they will need to become increasingly mature at identifying when a company may have been acting in good faith and building a reasonably secure or compliant programme, even if it did not quite achieve compliance. Company executives will also need to remember that compliance does not equal security, so while the compliance burden grows, they also need to keep their eye on the ball: securing the enterprise and protecting its stakeholders, including customers and investors.
Armstrong-Smith: It is clear that organisations are facing increasing pressure to comply with data and cyber security regulations, as governments need to keep up with the pace of technological change, as well as the evolving threat landscape. Information protection remains a focal point in the cyber security space and organisations understand that they are ultimately responsible for protecting all types of sensitive and confidential data, no matter where it resides. Data protection authorities have reportedly issued a total of $1.25bn in fines over breaches of the GDPR since 28 January 2021. This highlights why businesses should adopt a proactive stance toward data and cyber security, implementing sound data governance principles to safeguard their data and systems.
Navetta: Companies are continuing to methodically adapt to the increasingly stringent regulatory environment concerning cyber and data security. This is especially true in the US where a flurry of new state privacy laws, as well as topic-specific privacy laws, are coming into effect. Moreover, privacy class action litigation and aggressive regulatory enforcement at the state and federal level are common. Finally, the new Securities and Exchange Commission (SEC) Cyber Rule, combined with its enforcement action against SolarWinds, are game-changers causing ripple effects all the way up to the board. Increased knowledge and transparency of data breaches and their impacts resulting from the SEC’s new rule is going to fundamentally alter how organisations view and address cyber risks.
FW: What advice would you offer to boards and senior management in terms of protecting their company networks and the data housed within them? What key questions should they ask when reviewing and reinforcing frameworks, policies and processes?
Paraskeva: What is becoming apparent through numerous recent events is that companies have typically not had a sufficient understanding of the scale, type and location of data within their networks. It is very difficult to secure an asset that remains unknown. Therefore, boards and senior management might consider driving top-down directives for their information security and privacy teams to conduct comprehensive identification, classification and labelling exercises. Once complete, it would become a far more feasible and cost-efficient task to purge data that does not need to be held, thereby reducing the data breach footprint and potential fallout, and also to build and apply the relevant protections around the remaining data. Organisational self-awareness is a crucial first step in any risk transfer lifecycle and will help boards and executives to work with their compliance teams to map the current state of maturity versus where they need or want to be.
Moore: Boards and senior management need to have direct lines of communication with their information security teams with full trust and support in whatever is suggested. Far too many companies make mistakes when advice is dismissed or underestimated, which often impacts a firm financially. Reviews, policies and procedures must be followed through and regularly checked. But cyber resilience attracts a multifaceted approach which requires full attention, where often only good simulation attacks can truly put the best answers forward.
Papadopoulos: The board or senior management should ask a range of questions with regard to protecting their company. What are our highest-consequence business risks that can result from cyber activity? How are we mitigating those risks, including planning to keep our business operating during a sustained cyber attack or technology disruption? When was the last time our executive team participated in a tabletop exercise to stress-test their crisis response? Who does the chief information security officer (CISO) report to? If they report to the chief information officer (CIO), who sometimes has competing interests, how does the CISO access the chief executive and board to make sure that security is not short-changed? If the chief executive or CISO had an extra million dollars in the security budget or a few extra people, what else would they put on the security roadmap that is not currently there, and how much would it reduce our risk? How are the CISO and security incorporated into new technology, product or business initiatives? Does the CISO have the right to stop or alter the course of a project due to security risks? If not, who makes that call?
Armstrong-Smith: When a breach occurs, senior management is accountable for delivering effective crisis management that puts people front and centre of their decisions. Data and communications protection forms a crucial part of their organisations’ reputation, goodwill, customer trust, revenues and operations. To holistically protect their organisation, therefore, they must understand that cyber security is not just an IT issue, but a critical business issue. Ensuring they have a comprehensive cyber security strategy in place is key, which includes having a holistic enterprise risk framework that incorporates cyber security, top-down awareness and training that is relevant to different aspects of the business, as well as a robust crisis management response that includes the strategic and operational response to a major incident. When establishing and reinforcing frameworks, policies and processes, senior management should ask themselves a number of key questions. What are our most valuable assets and how are they protected? What are our biggest cyber risks and how are we mitigating them? Are our current investments sufficient for what threats may be on the horizon? How do we ensure that our employees are equipped with the right tools and training to help protect from cyber attacks? And how do we ensure that there is resilience across the interconnected supply chain?
Navetta: Boards and senior management should prioritise cyber security as a risk management issue and tie their cyber security programmes into the company’s overall risk management programme. The key consideration for management and the board is understanding which existing or foreseeable cyber security threats could result in material quantitative and qualitative business impacts. They then need to work with IT and information security to understand how the risk of such impacts can be mitigated by organisations, including through detection, prevention and response. On the response side, organisations need plans to contain incidents, and remediate not only the incident but also the actual or potential business impact of the incident. When assessing a company’s cyber security programme, leadership’s key considerations should include identifying critical company assets, assessing current security measures, understanding potential cyber threats, and making sure the company’s security frameworks, policies and processes are tailored to company and sector specific risks.
Gottehrer: It is crucial to build a corporate culture where employees feel comfortable disclosing to senior management when they think they may have inadvertently opened a suspicious email or done something that could jeopardise corporate data or the network, so that management can take immediate action to investigate and contain any damage resulting from the error. Phishing emails have become extremely sophisticated and much more difficult to identify than they once were. Business email compromise and vishing have become more common due to advances in deepfakes and voiceprints. Even employees who are well trained and have strong cyber awareness can fall into a cyber criminal’s trap. Accordingly, along with updating incident response plans (IRPs) and conducting tabletop exercises, a key component of an effective cyber security programme is partnering with employees to make it a team effort to protect the organisation from the operational, financial, legal and reputational harm caused by cyber attacks and data breaches.
FW: Given that the chances of falling victim to a successful cyber attack are high, how should companies prepare in advance to respond quickly and effectively to potential scenarios? What are the essential elements of the planning process?
Moore: Given the increased risk of cyber attacks, companies must reinforce their defences and ensure readiness for a rapid response. This means conducting regular risk assessments to identify potential vulnerabilities and implement preventive measures. A well-defined and practiced IRP is crucial, outlining roles and swift actions to mitigate any damage. Employee training is also hugely important, emphasising awareness and vigilance in identifying threats such as phishing attacks. Finally, a clear communication strategy should be established to openly inform all stakeholders during incidents to preserve trust and reputation – we have all seen certain companies struck by disaster try to cover it up.
Papadopoulos: It is essential to have a plan and to test that plan with the right internal and external resources. Some of the best cyber crisis management plans I have seen are very short. The key is to pull the right resources together around the right decisions in the right ways. Testing the plan via executive tabletop exercises as well as technical IT drills is essential. Finally, it is important to bring the right resources to bear. Internally, this includes a whole-of-enterprise team, in addition to deputies and backups in case an executive is away or the crisis goes on a long time. Externally, this includes cyber insurance carriers and brokers, outside counsel, forensics and incident response, a breach coach, and probably a PR firm.
Armstrong-Smith: As cyber attacks increase in frequency and sophistication, it is important that organisations remain prepared to handle and quickly react to an array of cyber attacks. Organisations need an ‘assume compromise’ mindset that considers how and why threat actors may be trying to access key people, systems and data, and therefore what controls are needed to successfully mitigate those threats. Before an incident occurs, it is important to proactively identify and reduce vulnerabilities and define security policies and procedures. Then, it is important the security team identifies the type of threats they may be exposed to, and how to mitigate them. There is often a balance of risk that has to be carefully managed and reported, so that senior management is aware of the extent of the threats, how well the business is protected – or how exposed it may be – and what help may be required to prioritise and contain the threat. We often talk about security being a ‘team sport’, because cyber security touches on every part of the business and therefore every part of the business has a role to play in keeping it safe. In fact, our research shows that basic security hygiene measures still protect against 99 percent of attacks. The minimum controls that every company can adopt include enabling multi-factor authentication, applying zero-trust principles, assuming there has been a breach, explicitly verifying, using least privilege, using extended detection and response, keeping systems up to date, and protecting data.
Navetta: To mitigate the high risk of cyber attacks, companies should develop and test a robust multidisciplinary IRP. The IRP should define roles and responsibilities, include a predefined list of vetted third party incident response vendors, such as outside breach counsel, forensic investigators, communications and ransomware negotiation firms, establish clear and safe communication channels, and enumerate risk mitigation methods. Importantly, IRPs should not reflect only IT or security response activities but should also define the role of a multitude of stakeholders whose response is critical for mitigating business impacts. Additionally, developing tailored incident response playbooks for specific cyber incidents will help streamline an effective response.
Gottehrer: To be prepared to respond quickly, companies should have IRPs that clearly identify the members of the organisation who will be involved in the company’s response to the cyber attack or data breach, and which delineates each person’s role and responsibilities. The IRP should be updated on a regular basis so that it reflects changes in the company’s risk profile due to a merger or acquisition, new timeframes to report breaches to regulators in different jurisdictions due to new laws or regulations, and emerging cyber threats facing the industry. The company will want to conduct tabletop exercises to test the IRP and identify gaps in the plan and components of it that may not work as intended. Tabletop exercises give team members the opportunity to practice their roles and get a sense of what a response to a cyber attack is like. Following the tabletop exercise, the company will want to debrief and discuss what went well, what did not go as planned, and other areas for improvement. Based on that debriefing, the company should update its IRP to incorporate the lessons learned.
Paraskeva: There are two principal measures that have repeatedly proved to be the difference between a well-managed event and a poorly managed one: communication and backups. Communication includes establishing clear and widely understood escalation channels within an organisation, to ensure that the right teams and individuals can be contacted to make decisions efficiently and effectively. But it also encompasses communication with insurers should a company have a cyber policy in place. Insurers have not only seen countless similar events, but they will also have access to specialist third-party resources, ranging from forensic analysts to cyber-specific public relations teams that can actively support and guide a company through the many pitfalls of post-event management. The reference to backups cannot be stressed enough. We see network breaches at some of the most mature organisations with extensive cyber security budgets and tools, so companies need to approach the topic of cyber events on the basis of ‘not if, but when’. Having well-protected backups with strict access restrictions removes much of the urgency imposed by disruptive ransomware demands, enables a swifter return to business as usual and greatly reduces the cost of network infrastructure rebuilds.
FW: In what ways has the appetite for cyber insurance increased in recent years? How would you describe trends in the coverage, limitations and premiums on offer?
Papadopoulos: Cyber insurance is increasingly a contract requirement, so most organisations must arrange a policy. Additionally, it sends a positive signal to business customers that a cyber carrier has assessed and accepted your company’s cyber risk and security programme. Rates spiked in 2022 but moderated in 2023; however, coverage is narrower, especially as it relates to cyber war exclusions. Ultimately, cyber insurance is necessary but insufficient. Cyber insurance also offers many preventive services that can be leveraged before an incident, and not enough companies take advantage of these services.
Navetta: The demand for cyber insurance has surged recently due to the increasing frequency and severity of cyber attacks and the realisation of the core business impacts, customer relations issues and legal fallout resulting from security incidents. Coverage is evolving to include broader protection against a variety of cyber threats, including income loss and remediation expenses. The market has been in flux between a ‘hard’ and ‘soft’ market, with a lean now toward a soft market that provides broader coverage and competitive premiums. Overall, it is crucial for companies to understand the extent of their coverage and ensure it aligns with and is tailored to address their risk profile and the specific potential impacts that may affect their organisation. Working with an experienced cyber insurance broker with an understanding of current trends, pricing and exclusions, can help significantly reduce the cost associated with cyber incident response.
Gottehrer: Given that the average cost of a data breach is in the millions, we have seen a steady increase in the number of companies purchasing cyber insurance. Small and medium-sized companies have recognised that cyber insurance is not only for large technology companies, and that they too need to insure against the cyber risks they face. Cyber insurance policies vary considerably in terms of what is covered and what is excluded, and many companies work with brokers, attorneys or other experts to ensure they select the right policy. Key factors to consider when evaluating a cyber insurance policy include the premiums, the deductibles and the list of vendors, such as law firms, breach coaches, technical experts and PR firms, approved by the insurance company, that the company will be required to select from in order to have those services be covered by the policy.
Paraskeva: Cyber remains a relatively young line of insurance, however it has continually proven to be one of the most innovative. As the threat landscape shifts, bringing new exposures and pressures to organisations, cyber insurance has tried to evolve to provide the relevant solutions as seamlessly as possible. Almost all mature and maturing companies now recognise the importance of cyber risk transfer in protecting their balance sheet, reputation and intellectual property (IP), and increasingly appreciate various value adds such as pre- and post-event support offerings. The hard market period from mid-2021 to late 2022 saw a pause in the expansion of coverage options while markets sought to consolidate and protect their existing portfolios in the face of a huge spike in loss activity. Following a fairly short period of softer pricing, the collective market is again exploring what coverage and capacity solutions it can provide to the ever-increasing pool of potential purchasers.
Moore: I used to feel that cyber insurance was unnecessary if appropriate security measures were in place. However, as the industry has matured and policies have become more bespoke to their clients, my mind has changed, and I am now a huge advocate of what is on offer. Companies have slowly bought into the idea too, and now have access to the best minds and services on offer. Premiums on offer are now broken down to fit the needs of the business, with companies being offered what is right for them. Prior to bespoke planning, firms were often recommended blanket premiums that did not meet requirements post attack.
FW: Could you outline the main risks that cyber issues pose to directors and officers (D&Os) on a personal level? What measures should a company take to ensure that robust D&O liability cover addresses cyber security and data breaches?
Navetta: Notably, in the SEC’s recent action against SolarWinds, the company’s CISO is named as a defendant. This comes on the heels of a CISO being held criminally liable for his handling and testimony related to a data breach. Some of these professionals are frustrated because they have been sounding the alarm bell due to labour and resource shortages, and do not want to be left responsible without management cover. As such, security professionals are very concerned and are naturally inquiring as to whether they are personally covered under directors and officers (D&O) policies for any wrongful acts, errors or omissions in their professional capacity. Significantly, there is not always a clear line as to whether a particular security professional, especially without an ‘officer’ title, is covered under D&O insurance. We are already seeing risk management departments working to determine who should be covered and the level of coverage that should be provided in this context.
Gottehrer: We have seen derivative actions filed following data breaches in which shareholders allege that corporate officers and directors breached their fiduciary duties to the company by failing to ensure that appropriate cyber security measures were in place, resulting in harm to the company. To date, these actions have been largely unsuccessful. We are now seeing a trend developing where prosecutors and regulators are seeking to hold chief security officers (CSOs) personally responsible for their roles in connection with cyber attacks. In 2023, the former CSO of Uber was criminally convicted for his actions in connection with a 2016 data breach at the company. Also in 2023, the SEC brought a civil enforcement action against SolarWinds and its CISO in connection with a 2020 cyber attack, alleging that the company violated certain reporting and internal controls provisions of the federal securities laws and that the CISO aided and abetted the company’s violations.
Paraskeva: D&O policies are designed, first and foremost, to protect the actions of the insured in managing their organisation, provided they adhere to a standard of duty and care in doing so. It is rare for D&O policies to specifically exclude liabilities emanating from a cyber incident. Instead, cyber risk is just one of the countless direct exposures that could trigger a D&O policy due to a perceived wrongful act. Consequently, there is a real requirement for anyone involved in senior level decision making related to managing cyber risk to be aware of their role and responsibility in mitigating such threats. This does not solely relate to investment in technology but extends to fostering a security-aware culture and defensible security governance programme across the organisation. Failure to properly execute these duties could even lead to actions being interpreted as criminal, and therefore excluded under a D&O policy, leaving the individual personally liable.
Moore: Cyber issues pose significant risks to D&Os on a personal level, as they can be held liable for negligent data management or inadequate cyber security practices that lead to data breaches or cyber attacks. These risks include financial losses from regulatory fines, legal costs and damages from class action lawsuits. Additionally, reputational damage can also affect an individual’s professional standing and career prospects. To mitigate these risks, companies should ensure that their D&O liability insurance comprehensively addresses cyber security concerns. This includes tailoring policies to cover costs associated with legal defence, regulatory penalties and civil damages arising from cyber incidents.
Papadopoulos: Companies should evaluate how much D&O coverage is enough, considering the broad range of cyber attacks that could affect a company and how they could harm the company’s business over a prolonged period of time. Defending against cyber claims can be very complicated and expensive. Importantly, individual executives should also make sure they are covered by the company’s D&O policy – and if they are not, they should seek iron-clad, written guarantees from the company that it will indemnify and defend them at its own cost.
FW: Looking ahead, how do you expect the cyber security landscape to evolve, in terms of its impact on companies? What major trends are on the horizon?
Armstrong-Smith: The number and veracity of attacks will continue to grow, as companies need to contend with everything from opportunists through to advanced, nation-sponsored actors. This will only increase with the growing advancement of AI, as attackers look to utilise this technology for nefarious purposes. As the cyber security industry faces a paradigm shift, AI offers the potential to boost resilience and amplify the skill, speed and knowledge of defenders. AI can enhance security by automating and augmenting cyber security tasks, enabling defenders to detect hidden patterns and behaviours. AI and large language models (LLMs) can contribute to threat intelligence, incident response and recovery, monitoring and detection, testing and validation, education, and security governance, risk and compliance. To stay ahead of the evolving cyber security landscape, businesses should take a proactive, forward-looking stance and embrace the opportunities that responsible AI can bring. Businesses can utilise ML and AI tools to ease pressure on IT and security teams, with real-time threat detection and automation.
Navetta: In the US, with the SEC cyber incident reporting rule, and the upcoming reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, we expect that there will be more transparency concerning security incidents that typically were not publicly reported or known. The SEC rule and increased personal liability risk for cyber security professionals will likely cause ripple effects for cyber security governance. Cyber security has now been elevated, becoming a board level and senior management issue – it cannot be avoided or pushed off as an ignored cost centre. Parties are already seeking advice concerning not only compliance with new cyber security rules, but also methods for tying cyber security risk to overall business objectives and involving management and the board more closely. Simultaneously, the SEC cyber rule and enforcement activity are incentivising a ‘bottom-up’ resurgence of the security function – a function which many security professionals feel has received short shrift over time. Security teams are feeling emboldened and justified in raising their concerns and are highlighting their needs much more directly. This is likely to cause certain tensions within companies, not the least of which is the increase of potential compliance and litigation risk.
Gottehrer: Cyber security threats, laws and regulations will continue to increase in the years ahead, ensuring the issue remains at the top of the list of risks and priorities for companies. Social engineering attacks, which use psychological manipulation and exploit human weaknesses, will become more prevalent, and companies will need to revise their cyber security policies, procedures and educational programmes to address them. The SEC’s new rules requiring disclosure of material cyber security incidents on Form 8-K and other periodic disclosures will have a dramatic effect on how public companies address, and devote resources to, cyber security. While the trend of prosecutors and regulators seeking to hold CISOs personally liable for the performance of their job duties is likely to continue, it remains to be seen how this will affect the ways in which CISOs do their jobs or the willingness of cyber security professionals to become CISOs.
Paraskeva: Considering the ever-increasing reliance on technology, as well as the pervasive nature of cyber threats to national economies, we are seeing more governmental movement toward cyber security mandates. Many governments are seeing that the most efficient way to approach both the public and private sectors is by creating minimum security thresholds that companies need to meet, while also ensuring a reasonable period between release of a mandate and requirement to comply in order to avoid rushed uplift that carries its own risk. It is likely that these mandates will also become more tailored in the form of industry-specific requirements, for example a focus on operational security which will apply to industries such as food production and pharmaceutical manufacturing, but less relevant for financial institutions (FIs). Conversely, FIs are likely to be party to even more stringent data collection, storage and purging requirements which would not necessarily apply to business-to-business manufacturers. The impact of these governmental or regulatory mandates will be enforced uplift for some, reaffirmation of maturity for others, but in either case, it may have the byproduct of better insulating companies and D&Os from punitive regulatory action, provided they adhere to the recommendations and requirements.
Moore: Without question, AI is going to change the threat landscape forever. It is already impacting every single industry, not just those in technology. More sophisticated and efficient cyber attacks are targeting more firms with added weight behind them. Countermeasures are in place in many software-based securities, but more is needed to make people aware of these increasingly impressive attacks. From voice cloning to deepfake creations, AI can now simulate things that were once thought impossible. When AI is used nefariously, people struggle to even switch to the mindset that seeing may not be believing anymore.
Papadopoulos: Companies are going to be squeezed between cyber attackers enabled by AI and regulators demanding more investment in compliance and more insight into risks and incidents. The biggest and most resourced companies – the security one percent, as the author Richard Bejtlich calls them – will generally be able to detect and respond quickly to threats and absorb any regulatory penalties or fines. The other 99 percent, especially small businesses, will suffer. They will find it increasingly burdensome and difficult to both satisfy regulators and fend off hackers, and when they do get hacked the primary costs of the hack and responding to it, as well as the secondary costs of responding to lawsuits and regulator inquiries and demands, will put many of them out of business. Optimistically, cyber defenders will harness AI and the cloud, and other third-party service providers will create secure environments in which small businesses can operate. But these silver linings are for the most part at least a few years away.
David Navetta is a partner in Cooley’s cyber data privacy group. He has focused on technology, privacy and information security law since 2002, and has advised hundreds of companies concerning cyber security and data breach response. His work ranges from privacy compliance and product development, and transactional work, to breach notification, regulatory response and litigation. He is a certified information privacy professional through the International Association of Privacy Professionals. He can be contacted on +1 (720) 566 4153 or by email: dnavetta@cooley.com.
Gail Gottehrer is vice president in Del Monte Fresh Produce Company’s legal department, where she is responsible for global litigation, labour & employment, IT and government relations. An internationally recognised thought leader, she is an expert on cyber security, privacy and legal issues associated with AI and other emerging technologies. She can be contacted on +1 (860) 416 4520 or by email: ggottehrer@outlook.com.
George Paraskeva is global head of cyber at EmergIn Risk. He has seen cyber from both sides, first as a cyber security consultant and latterly as an underwriter. Before joining EmergIn in 2021, he led Occam underwriting’s cyber practice, and prior to that, he was information security officer at MS Amlin, which he joined from BAE Systems’ cyber security consulting team. He can be contacted on +44 (0)20 3889 4322 or by email: george.paraskeva@emerginrisk.com.
Jake Moore is the global cybersecurity advisor for ESET. As well as conducting his own research, he helps businesses and employees understand cyber security and the risks involved to remain better protected. Mr Moore previously worked for a UK police force for 14 years investigating computer crime in the digital forensics unit and cybercrime unit. He can be contacted on +44 (0)7917 106 165 or by email: jake.moore@eset.com.
Emilian Papadopoulos has over a decade of experience advising boards, chief executives, investment professionals and public officials on cyber security and risk management, with experience in North America, South America, Asia and the Middle East across sectors including energy, insurance, law, technology, defence, financial services, government and manufacturing. He is an adviser to the nonprofit National Technology Security Coalition and to the Global Cyber Research Institute, and a board member at cyber security company RedSeal Networks. He can be contacted on +1 (703) 812 9199 or by email: emilian@goodharbor.net.
Sarah Armstrong-Smith is chief security advisor in Microsoft’s Cybersecurity Solutions Area. She principally works with strategic and major customers across Europe, to help them evolve their security strategy and capabilities to support digital transformation and cloud adoption. Ms Armstrong-Smith has a background in business continuity, disaster recovery, data protection and privacy, as well as crisis management. Combining these elements means she operates holistically to understand the cyber security and compliance landscape and deliver effective resilience.
© Financier Worldwide
THE PANELLISTS
Cooley LLP
Del Monte Fresh Produce Company
EmergIn Risk
ESET
Good Harbor Security Risk Management LLC
Microsoft EMEA