
Cyber security

January 2021  |  ROUNDTABLE  |  RISK MANAGEMENT

Financier Worldwide Magazine

January 2021 Issue


Cyber risk is a potentially existential threat to all organisations, regardless of size, industry or geographic footprint. Since the start of the coronavirus (COVID-19) pandemic, cyber attacks have grown in size, frequency and sophistication, and the transition to remote working has widened the attack surface available to opportunistic attackers. With cyber threats unlikely to lessen in the foreseeable future, organisations must allocate sufficient resources to developing both their people and their technology frameworks, and move swiftly to strengthen their cyber security processes, policies and procedures.

FW: How would you characterise the extent of the cyber risks currently facing businesses, organisations and governments across the globe?

Ach: The magnitude of threats to our organisations’ cyber security, as we often hear, is “higher than ever”. Organisations’ attack surfaces continue to expand, and adversaries are often better than the defence at harnessing new technologies to conduct attacks covertly. The transition to a work-from-home setting prompted by the coronavirus (COVID-19) pandemic has proven revealing for all varieties of organisations for two reasons. The first is that it foregrounded the criticality of cyber security to all business operations all over the world. Companies have developed a new appreciation for how little it takes for comparatively unsophisticated, opportunistic attackers to gain a foothold on their networks. The second reason is that organisations were forced to quickly grapple with insufficient disaster recovery and business continuity plans, perhaps because they were outdated, were never practicable, or never existed in the first place. By deciding the regularity and rigour with which they stress-test their own defences, update their crisis management playbooks and engage key decision makers in conversations about cyber risk, organisations have appreciable control over the likelihood of a breach and their resilience in the face of one.

Marta: Cyber security should be viewed as a potentially existential risk to all organisations, regardless of size, industry or geographic footprint. If your organisation uses a computer, you are vulnerable to cyber threats. Indeed, cyber security is often the answer to the common question posed to C-suite executives, ‘What keeps you up at night?’ A successful cyber security incident that results in a data breach or causes the inaccessibility of data and servers can have a catastrophic impact on a victim organisation. And since the start of the COVID-19 pandemic, the magnitude of the threat has grown significantly. Over the past six months, cyber security attacks have grown in size, frequency and sophistication. The good news is that by 2020, most organisations rightly accept that cyber security is a board-level issue requiring the focus of senior management.

Melumad: Cyber security risk can be described as a ‘technology pandemic’ or ‘online cancer’ spreading throughout businesses, organisations, governments, and all entities that use or rely on cyber technology. Entities’ vulnerability is rising in step with their reliance on and usage of digital connectivity. As the cyber risks continuously expand, the challenges of eliminating or containing them rise in tandem. A significant factor contributing to the vulnerability and exposure to cyber threats is the continuous, even exponential, expansion of online data and entities’ reliance on this data. In many cases, a company’s inability to create a security moat protecting its data and network is detrimental to the business. All consumers of cyber technology should consider the likelihood of an attack with a ‘when’, not ‘if’, attitude that a threat will materialise, and prepare accordingly.

Burke: The extent of the threat posed by cyber risks is existential. Cyber risks are more prevalent and more impactful for organisations across the globe now than ever before. Not only is the frequency of attacks higher, but the fallout is also worse. Why? It is easy to launch an attack with the advanced technical resources hackers have access to. In addition, remote working has led to a greater surface area for attacks. Every employee is now considered a target. The aftermath of a cyber attack is worse too. The reputational risk aspect of a cyber event can be far-reaching if clients lose trust in your company. When reputation drives the perception and success of the business, a cyber attack diminishing that trust can be extremely damaging.

Oikonomopoulos: Cyber security remains a key risk area for most firms and arguably has increased compared to last year. The advent of COVID-19 has accelerated the decline of physical commerce, a trend which had begun to gather momentum in recent years, while further increasing the importance of digital channels, a trend which until recently was true for the bigger firms and has rapidly extended to smaller businesses. In the COVID-19 era, not being online means you are more likely to be out of business and, as a result, the potential impact of business disruption due to a cyber attack is higher than ever. The mass move to remote working due to the pandemic increased cyber risk in the second half of 2020. Working from home does not always offer the same level of protection as the office. Also, employees who might be concerned about the impact of COVID-19 could be more susceptible to social engineering and phishing attacks, particularly if they are working remotely.

Gu: Due to the rapidly changing environment, cyber risks are increasing dramatically, which is impacting all businesses, organisations and governments. Cyber risks are becoming broader, more complicated and more diverse. Today, cyber attacks could befall any business, organisation or government. Cyber criminals are increasingly able to deploy more advanced technologies to launch these attacks, through the use of Big Data and the Internet of Things (IoT), for example. And these attacks are becoming more diverse in the sense that many of them are targeting people, particularly since the rapid growth of remote working since the outbreak of COVID-19 has increased the landing area for such attacks.

Boards are finally coming to terms with the impact of cyber risk on their organisations and their responsibility for managing and addressing those risks.
— Dan Burke

FW: How should companies go about identifying, analysing and evaluating cyber-related risks, so that appropriate security measures can be implemented?

Marta: Organisations should regularly review their cyber security incident response plans and procedures and assess their overall cyber security incident preparedness. In many cases, engaging external advisers to help with these initiatives is the prudent approach. Evaluating cyber risk exposure is a complex endeavour that involves an analysis of the current cyber threat environment and the organisation’s unique attack surface, as well as an assessment of the effectiveness of the organisation’s controls. A common method for such analysis is mapping the organisation’s cyber security programme with an accepted framework, such as the National Institute of Standards and Technology (NIST) Cyber Security Framework, conducting a gap analysis, and then pursuing upgrades or evaluating compensating controls.

Melumad: Identifying cyber-related risks should progress from the ‘least resistance’ or most vulnerable path of a company’s cyber structure toward the path or point of highest resistance. A commensurate analysis of the effects and magnitude of potential damage associated with each point of vulnerability should follow. The order of handling each threat should relate to the significance of the damage at each vulnerability point. With that analysis in place, each of the vulnerability points should be studied further to determine the necessary measures to eliminate this vulnerability, the resources needed to eliminate the vulnerability and the associated costs. At some point down the list of vulnerabilities, the company should assess whether the cost of eliminating a given vulnerability can be justified. The cycle of identifying, analysing, determining resolutions and implementing those resolutions should be an ongoing process across all cyber-exposed departments of a business.

Burke: The first step is identifying your key assets, whether that is customer data, operational details or trade secrets specific to your company. Identifying what is important to your business is fundamental to creating a good security programme. Next, quantify your cyber risk and identify various scenarios where things could go wrong, for instance having your assets compromised or falling victim to ransomware. Determine which scenarios could impact your business the most and put a price on those outcomes, be it financial or otherwise. This is a difficult step and fortunately there are many tools that can help companies do this. Once you have been able to quantify your risks, you will be better able to determine how to manage them. Some risks are best mitigated with security measures and other risks companies will want to transfer to insurance.

Oikonomopoulos: The unprecedented implementation of remote-working models has come at the expense of reduced corporate visibility of employee behaviours. Organisations should take the necessary steps to extend their cyber security operations and monitoring capabilities beyond their premises and conventional boundaries. This applies to both devices connected to the corporate network and employee activities. A widened network has further exacerbated the need for strong and effective vulnerability management, which holistically addresses all network points while continuing to protect corporate critical assets. Extended monitoring should additionally apply to all vendors and third parties contributing to service delivery, both in terms of service level agreements (SLAs) but also security monitoring and risk assessments where feasible.

Gu: Companies need to build a solid information security framework to identify, analyse and evaluate cyber-related risks to protect their core business value. There are some good cyber security frameworks that can be used as appropriate solutions, such as Control Objectives for Information and Related Technology (COBIT), ISO 27001 and the NIST cyber security incident response guidance. Companies need to assess their cyber security incident response procedures, which build the governance capability to identify cyber risks and respond to them through analysis, evaluation and management.

Ach: The severity of the attack is not determined primarily by the threat actor, but rather by the preparedness of the target. Vulnerability identification must be comprehensive, risk analysis must be manageable, and evaluation must consider both risk severity and remediation executability. If one or more of those three criteria are not satisfied within an organisation, it will remain at risk of a breach. Cyber risk mitigation is dynamic and continuous, requiring a financial investment in technical defences and personnel, as well as investment of time to develop process-driven cyber resilience. Though security tooling and staffing needs vary widely, it is within every organisation’s power to prepare for a crisis. The most successful crisis management exercises, either tabletop exercises or ‘war games’, bring the appropriate directors, officers, legal, communications and security personnel together to determine how damage can be minimised in the face of an attack and what the organisation can do to reduce the likelihood of such a scenario occurring.

Identifying cyber-related risks should progress from the ‘least resistance’ or most vulnerable path of a company’s cyber structure toward the path or point of highest resistance.
— Benny Melumad

FW: In your experience, considering the extent of the cyber risks facing companies, are boards and senior management allocating sufficient resources to addressing the issue?

Melumad: Awareness of the rising threats of cyber security is widely and increasingly recognised throughout boards of cyber-sensitive companies and organisations. This trend is more prevalent among companies that demand greater compliance and vigilance to mitigate the risks of cyber attacks. Greater focus and resources should be allocated to tackling cyber threats in tandem with the dynamically escalating nature of such threats. The scale of resources allocated toward containing or eliminating cyber threats should be a vital component of the vulnerability analysis used by companies and organisations and should directly relate to the criticality of exposure of the business. A bank or military operation should dedicate resources of a different nature and scope to those of a mailing list or an online learning company. A company’s resource allocation must relate proportionately to the severity of potential cyber breaches and the cost of recovering from them.

Burke: Boards are finally coming to terms with the impact of cyber risk on their organisations and their responsibility for managing and addressing those risks. Boards are driving a lot of proactive discussion regarding cyber risk in management teams. By placing a priority and interest on cyber risk, boards are pushing management teams to have a comprehensive plan for managing that risk. Is it sufficient? I think it is much improved and will continue to improve over the next few years. It is important, however, for boards to take a more comprehensive approach to cyber risk; it is not just improvements in security or investment in cyber insurance alone. Boards need a thorough approach that takes both of those things into account.

Oikonomopoulos: Undoubtedly, corporate attitudes toward cyber have radically changed in recent years. Today, there is wide recognition at the C-suite level that cyber security is a critical area for the stability and performance of organisations, particularly as they become more digitalised. Depending on the industry, regulators would also continue their efforts to oversee cyber risk and ensure regulated entities follow the right steps to protect their customers. These discussions are visible and often addressed to boards as part of ongoing supervision. Now more than ever, cyber professionals must have the full attention of executive teams. The burden is now on chief information security officers (CISOs) and their teams to deliver credible mitigations, while continuing their efforts to educate stakeholders and customers on cyber risk. The combination of COVID-19 and persistent cyber threats has created a dynamic mix. One challenge that most organisations are expected to face is delivering more with less given the economic climate in most countries and the financial impact of the pandemic. Such unprecedented times require CISOs to step up, enabling their boards to make informed risk decisions while protecting the digital estate with potentially fewer resources.

Ach: C-suites and boards are coming to better understand that cyber security cannot be accomplished solely by hiring security professionals and purchasing security products if cyber risks are not considered at the strategic level. In the context of acquisitions, for instance, conducting IT due diligence should be as reflexive a process as conducting financial due diligence. Strategic decisions made without regard for cyber security may assume risks that cannot be addressed in time regardless of resource allocation. CISOs’ stated needs should be verified but nonetheless trusted, and their ideas on cyber risk mitigation heard in the boardroom ahead of risk-inducing decisions. Before stating the need for additional resources, CISOs should be prepared to demonstrate that current product and service investments are providing maximum value, which is often not the case. Developing strategies to better tune existing investments before presenting plans to replace or add additional tools is both practical and a meaningful way to strengthen two-way trust necessary between CISOs and directors and officers (D&Os).

Gu: From our experience, many boards and senior management teams do not fully understand the extent of the cyber risks their companies face. There is still a lot of work to do to help them clearly understand these risks. If these risks and their potential impacts were better understood, companies could take quick and decisive steps to address the issues they face. Cyber risks will damage corporate reputation and revenue, so boards and senior management must take them into account.

Marta: The global cyber security regulatory environment has changed almost as rapidly as the evolution of cyber attack vectors and the emergence of new cyber threat actors. Today, achieving compliance with a panoply of new cyber-related regulations on a global scale is an increasingly difficult challenge. Unfortunately, there has been a lack of regulatory harmonisation over the past few years, resulting in inconsistent approaches and potentially conflicting obligations. This challenge can be even more difficult in the context of a cyber incident that triggers potential notification obligations to various regulators in numerous jurisdictions around the globe. Every organisation should have a formal, and regularly updated, plan for achieving compliance with cyber-related regulations.

Screening third parties and outsourced services is not simply important, it is essential, and it should be performed on an ongoing basis, depending on the relative criticality of the vendor.
— Nassos Oikonomopoulos

FW: How important is it to screen and assess third parties to address cyber vulnerabilities in the supply chain? What steps should companies take on this front?

Burke: Many companies view third-party vendors as a holistic solution for them, as if outsourcing a service also outsources any cyber risk they might face. The reality is less favourable. You can outsource the service, but you cannot outsource the risk. It is important to understand a few things about your third-party vendor, including their cyber security posture and how much risk they are willing to take on in your contract. Fortunately, there are companies that perform vendor security assessments to give you a sense of their security posture. Building protections into contracts, such as gaining indemnification in your favour for data breaches or higher liability caps, can be more difficult. Insurance is a way to mitigate the additional risk you may assume in contracts and fill the gaps in protecting your company.

Gu: Third parties are often involved in all business processes within a corporation. Considering the risks posed by third parties, a holistic third-party risk management process is a must. Third parties can be hotspots for cyber vulnerabilities in commercial systems and supply chains. There is no safe place to avoid cyber attacks. What companies must do is build a risk-based third-party assessment framework which includes qualification verification, security capability assessment and reputation checking.

Marta: Many executives and board members today consider cyber security to be the single biggest risk facing their organisations. That has certainly been the case for large financial institutions over the past few years. Because cyber security is a relatively new risk that requires specific expertise, it is a uniquely challenging area for many board members to understand and provide effective oversight. Consequently, it is increasingly common for boards to include at least one individual with a technical background. It is also quite common for boards to directly retain external experts to assist their members with understanding the risks and evaluating the organisation’s cyber security programme, policies and procedures.

Ach: The line we have heard echoed most among security professionals recently has been: “You cannot defend what you do not know is connected.” Dependence on third parties, from utilising contractors on a project, to calling an external library in specific software applications, multiplies cyber risks and the challenge of achieving full visibility. Especially in a work-from-home context, security teams should develop as strong a sense as possible of what is connected to their networks and how. Adversaries can exploit third parties by identifying a third party as critical to a target organisation’s operations and not easily replaced, or by using a third-party network connection as a staging point for a cyber attack on the target organisation’s systems. The exercise of network mapping is more essential now than ever, and there exist truly next-generation technologies that can perform this in a way that empowers the defence to think like the offence.

Oikonomopoulos: Third parties have been frequently identified as key risks in recent years. The UK Select Committee report on “IT Failures in the Financial Services Sector”, published in late 2019, identified outsourcing and third-party failures as one of the common causes of IT incidents. This risk is recognised as having major implications, as highlighted in various regulatory publications, including the European Banking Authority’s (EBA’s) ‘Guidelines on ICT and security risk management’. Managing third-party cyber risk enables an organisation to protect sensitive organisational data which their vendors often hold, while reducing the likelihood of business disruption due to outsourced service unavailability. Gartner’s ‘2019 Cross-Functional Third-Party Risk Management Survey’ showed “that most organisations recertify third parties based on the initial risk levels assigned during due diligence rather than any new information obtained over the course of the relationship”. This finding suggests new remote challenges experienced in the COVID-19 era might have been undermanaged. Therefore, screening third parties and outsourced services is not simply important, it is essential, and it should be performed on an ongoing basis, depending on the relative criticality of the vendor. Working closely with third parties to understand their COVID-19 plans and how they are addressing the availability and security of your outsourced services is pivotal and can make the difference between business longevity and disaster, particularly in this economic environment.

Melumad: Companies should keep in mind that vulnerable vendors make them vulnerable in turn. Third parties should be considered as an extension of an organisation, and their vulnerability and exposure increase that company’s vulnerability and exposure. As such, it is essential that the third party’s standards, procedures, compliance adherence, background checks, level of training and excellence, tools and technologies in use, and so on, are disclosed. For that reason alone, criteria for evaluating the cyber security of third-party vendors must be more comprehensive and rigorous than those employed by companies themselves. While it is unrealistic to expect full transparency of third-party vendors, the challenge of fostering an optimal relationship between the parties is setting the appropriate visibility or transparency boundaries between them.

Today, achieving compliance with a panoply of new cyber-related regulations on a global scale is an increasingly difficult challenge.
— Peter Marta

FW: Should an entity find itself the victim of a cyber attack, what general steps need to be taken at the outset and on an ongoing basis to manage the fallout?

Marta: D&Os of a corporation that experiences a major cyber security incident could face both potential personal liability and the loss of employment. Indeed, both chief executive officers and general counsel have been fired in the aftermath of successful cyber attacks over the past several years. Two recent Delaware cases suggest that so-called ‘Caremark claims’ – meaning, lawsuits claiming that a board of directors failed in its duty of oversight to the organisation – may become harder to dismiss in the context of cyber security. These lawsuits have been notoriously difficult for plaintiffs to bring over the years, and result in dismissal 90-95 percent of the time. That world may be gone. Those cases, and a few that have followed, suggest that courts will almost certainly conclude that cyber security is a ‘mission critical’ risk that must be carefully monitored at the board level. They also suggest that boards must be sufficiently sophisticated such that they are able to sceptically evaluate management reports on cyber issues.

Ach: Cyber attacks intend to sow confusion and buy time for attackers to achieve their objectives. Crisis preparation can catalyse organisational response, allowing incident responders and key decision makers to contain and remediate damage more rapidly than they would be able to absent a playbook. Individuals involved in incident response, including executives, should move to a secure, emergency communications channel. IT should enact rules that restrict inbound and outbound data transfers, by both remote and physical means. The target organisation should consult forensics and incident response specialists to help monitor and rehabilitate a breached network, and legal, communications and investor relations teams, if applicable, should be notified of the incident. Some markets are responding, slowly but surely, to organisations’ varied needs in the wake of incidents. Cyber insurance providers, for example, are coming to expand their role in policyholders’ breach resilience, often partnering with incident response and law firms to reduce fallout. Exercises in advance of a real incident, however, can help organisations determine what processes and services best fit their needs to remain resilient.

Oikonomopoulos: Today, most companies have a defined protocol for managing and responding to cyber incidents based on industry standards such as NIST. There are two areas which organisations should look out for. First, extended remote working arrangements could have altered day to day working patterns or reduced the productivity of employees. Therefore, it is critical that incident response procedures are tested and, if necessary, adjusted to ensure they are still fully effective during the pandemic. Second, as COVID-19 prolongs remote working, it is likely that employees will be more relaxed and distracted in the working environment and will be less likely to effectively identify early signs of cyber incidents. Ensuring that workforces remain diligent will require new management skills and fit for purpose training.

Melumad: Companies should try to get ahead of the problem, and understand its scope and the scope of the damage resulting from the attack before it leaks outside the company. However, such breaches should never be hidden, as sweeping such events under the rug will come back to haunt companies in the future. In fact, breaches should be communicated proactively through the proper channels, explaining the nature of the damage and indicating that all hands are on deck to ensure similar events will not recur. Addressing such incidents should include identifying the factors that enabled the event, its location, extent and severity, the measures needed to contain the damage in each affected area and the personnel responsible for handling damaged areas. Deploying the identified personnel to address the attack should follow, with tight monitoring of the handling of the event while keeping management abreast of the incident and its resolution. Once the attack is contained, a thorough study of the incident should commence, resulting in enhancements to existing handling and testing procedures. Documentation of the event should then be incorporated into training and improved security standards to avoid future cyber attacks.

Gu: In the aftermath of a cyber attack, companies must be able to rely on an incident response (IR) procedure. The first step of any breach response is to report. Any employee and contracted third party must promptly report any suspected or confirmed information security incidents to the relevant IR team. The second step is carrying out an initial assessment. The IR team should log all incidents with a unique case number in the incident management tool, regardless of severity, and ensure that the appropriate remediation actions have been taken. The third step is escalation. If, for instance, a breach involves personal information, the IR team should escalate the incident to the privacy team, within a defined period, in accordance with agreed standard operating procedures (SOPs). The fourth step is notification. Companies must notify the relevant authorities and affected individuals in compliance with applicable local laws. The fifth step is incident management. The incident lead and IR team members must investigate, contain, mitigate and remediate the incident. The sixth step is issue resolution and communication. The IR team will ensure outcomes and actions from meetings are communicated to appropriate stakeholders. The seventh step is incident closure. The IR team will determine the point at which the information security incident is contained and all immediate risks mitigated. Once this process has been completed, the incident can be closed. The final step is the after action review. The after action review can gather all the lessons learned and coordinate incident response improvements in case of future incidents.

Burke: From a practical perspective, it is important to continue combating the attack and stopping an intrusion as much as possible through the IT resources you have available. Recognising this, there are many best practices to put in place, from engaging an attorney immediately to bringing in a cyber forensics firm, hired by your attorney on your behalf, early on. All this must be done in the context of including your insurance carrier in the early stages, however. Insurance policies sometimes require input into who handles your response. If you do not engage with your carrier in the proper way, it can preclude you from receiving insurance that contributes to any financial loss you experience.

While technology helps to enhance companies’ operations and architectural designs, people are the most important aspect of ensuring that cyber security is successfully integrated throughout organisations.
— Great Gu

FW: What essential piece of advice would you offer to companies when it comes to enhancing their cyber security processes, policies and procedures in today’s business world?

Gu: Companies must allocate resources to help develop people and technology frameworks which can enhance their cyber security processes, policies and procedures. It is imperative that the right people are utilised to support these cyber security processes, policies and procedures if they are to be run well. From a technology perspective, there must be a solid foundation to support the deployment of cyber security processes, policies and procedures. While technology helps to enhance companies’ operations and architectural designs, people are the most important aspect of ensuring that cyber security is successfully integrated throughout organisations.

Oikonomopoulos: Organisations should continue applying a combination of ‘back-to-basics’ cyber hygiene, while taking specific measures to respond to the realities imposed by the pandemic. Procedures which might have worked pre-COVID-19, such as incident management, might need to be reconfigured. Keeping employees alert and expanding the company’s monitoring capabilities, including of third parties, will be a challenge for most organisations. Most importantly, companies must ensure that their cyber functions can demonstrate the right leadership. CISOs will need to get their remote teams motivated while making tough decisions between balancing commercial survival and risk management.

Melumad: Our advice is to view and manage cyber security like a commander of a military force of a country surrounded by sophisticated enemies whose weaponry, innovations and manoeuvres constantly improve. Such an attitude implies the constant upgrading of your own forces, namely, your company’s cyber security strategies and tools applicable to both the defensive and offensive cyber forces. Enhancing an entity’s cyber security should be a continuous effort of addressing cyber threats, along with continuous and consistent analysis and evaluation of relevant operating procedures. A company that is vulnerable should recognise the dynamic nature of the security ‘battlefield’ and its effect on the company’s survival. To be on the safe side, a company should assume it is under continuous, known or yet to be discovered, attack. A ‘better-safe-than-sorry’ discipline should instil a ‘prepare and be prepared’ attitude across the cyber threat teams of a company to ensure its long-term survival.

Ach: Now more than ever, cyber security is described as a central business function. While a step in the right direction, this framing is still limiting. If cyber security is integral to all other business functions, and if every organisation aims to be more secure, then cyber security can be thought of as a competitive differentiator. An organisation may not be able to prevent a breach from ever happening, but it can certainly buy time to prepare for the possibility by not being the most vulnerable on an attacker’s list of target entities, which may also feature that company’s competitors. The most effective way for an organisation to strengthen its cyber posture is to embed an understanding of proper policies and procedures in its culture. A culture of cyber risk management should be enforced by security and compliance teams, but is one for which executives bear primary responsibility to signal.

Burke: There is no silver bullet which can protect every facet of a company’s cyber risk. Insurance and security need to go together. An investment in security can be viewed in the same way as an investment in insurance. Security can only take you so far and continued investments in security may have diminishing returns. Once you get yourself to a baseline in security, the next step is to add insurance to transfer risk and ensure all your bases are covered. But investing in only one aspect of the protection will leave you vulnerable. Security investments are never going to prevent 100 percent of attacks. Similarly, not investing in security at all may not qualify you for insurance.

Marta: Organisations should view cyber security as an investment, rather than an expense. Hiring the right people, building a strong and resilient cyber programme and retaining qualified external experts can mean the difference between successfully navigating a cyber attack and catastrophe for many organisations.

FW: Do you expect legal and regulatory requirements to continue forcing companies to improve their cyber security strategies? What is the likely outcome for those that fail to respond adequately?

Oikonomopoulos: Operational resilience is a term often used to describe activities designed to enable business processes to continue in the event of an adverse operational event. In 2019, the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) published two consultation papers which extend their expectations of a firm’s operational resilience. Financial institutions must evidence that, in a ‘severe but plausible event’, such as a malicious cyber attack, as experienced by Garmin and Travelex, a failed change, as experienced by RBS and TSB, or a public health crisis, such as a pandemic, the services assessed as important to customers and the market will not cause ‘intolerable’ consumer harm, market disruption or impact the safety and soundness of the firm. The updated policy is due to come into effect in 2021 and will include services outside the UK that meet the criteria of the PRA’s definition of important business services. Extended focus on UK operational resilience requirements, combined with continuous pressure from regulators around the globe, will force organisations to improve their security postures and strategies. Although these requirements are more commonly found in highly regulated industries, they are likely to form a cross-industry standard for all digitalised businesses in the future.

Melumad: We expect the increasing cyber security threats to be closely tied to, and yield tightening of, regulatory requirements. With that said, cyber compliance requirements are a moving target as they lag cyber security threats. Companies should employ expertise in regulatory requirements in order to assess their potential legal exposure. Addressing compliance with regulatory standards should be viewed by companies as a must-have ‘regulatory insurance policy’ and an additional element on the list of ‘cost of doing business’ items. The likely outcome for those companies that fail to respond adequately is loss of business, loss of reputation or severe fines. Furthermore, given the rapid expansion and sophistication of cyber threats, companies that fail to stay ahead of those threats may find they are locked out of expanding into new markets, services and technologies that require, and depend on, high levels of cyber security.

Ach: More stringent regulations have prompted the collapse of historically distinct concerns, data privacy and cyber security, into one problem set. While a challenge that organisations must meet, this intertwining stands to bolster both privacy and security. Organisations have relied on zero-trust architecture (ZTA) and privileged access management (PAM) deployments to ensure compliance while strengthening their cyber security posture. As customers’ data privacy assumes a more significant role in their preferences, new geographies may push for more stringent regimes to remain competitive and sectors in which requirements have previously lagged may come to be more regulated. Today, cyber technologies are increasingly being designed around compliance requirements from the start, which should make us decreasingly tolerant of organisations that fail to defend themselves and our data. Regulators, however, must be conscious of risks they create for companies and consumers by making changes without allowing organisations to put necessary supports in place.

Burke: Companies will be continually improving their cyber security practices in response to new regulations like the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) or the recently passed California Privacy Rights Act. We are just at the beginning of this wave of legal and regulatory legislation and we do expect to see more regulation across the globe with regard to consumer privacy over the next few years. Companies must keep up as the punishments they face will become increasingly severe. This will come in the form of steep fines and penalties, and in some places actual damages awarded to consumers. To keep up with consumer privacy rights and mitigate the fallout from violations of these laws, companies will need to focus on cyber security investment and cyber liability insurance investment.

Marta: As former director of the FBI Robert Mueller famously noted in 2012, “there are only two types of companies: those that have been hacked, and those that will be”. Given what we have seen over the past few years – and especially during the pandemic – we would suggest that the threat facing organisations today is even scarier. It is increasingly likely that organisations will experience numerous cyber incidents over the coming decade. Just because you have been attacked once, and survived, does not mean you are not a potential victim for another, perhaps much larger incident. Cyber security is a business for innumerable criminals around the world, and business is very good. Given that reality, it is hard to imagine that these threats will lessen in the foreseeable future.

Gu: We expect to see a lot of legal and regulatory requirements being introduced across jurisdictions, as we have already across Europe with the GDPR and China with its new cyber security law. These laws require enterprises to improve their cyber security protection obligations and compliance requirements and are playing a critical role in the business operations of many companies, particularly those that operate across borders. Failure to comply with these laws and regulations will lead to stringent financial and administrative penalties. Companies must not adopt a siloed approach to cyber security as it is intrinsically linked to legal, compliance and many other aspects of departments which ultimately help businesses run smoothly.

Aaron Ach is an associate at Good Harbor Security Risk Management, LLC, a Washington, DC-based consultancy that helps executive teams and boards manage cyber risk. Mr Ach is most recently a contributing author to Cyber War & Cyber Peace in the Middle East (Middle East Institute, October 2020). He also holds a graduate fellowship with the Middle East Institute’s Cyber Program. He can be contacted on +1 (571) 274 5165 or by email: aaron.ach@goodharbor.net.

Wei Gu (Great Gu) currently works for GSK as Greater China tech security and risk director. He is responsible for China cyber security and tech risk management among all business units locally. He has more than 15 years’ experience in the field of information security and was nominated for the 2017 (ISC)2 Asia Pacific Information Security Leadership Award. He was also elected to the IAPP Asia Pacific Advisory Board in 2018. He can be contacted on +86 21 2301 9474 or by email: great.x.gu@gsk.com.

Peter Marta joined Hogan Lovells’ top-ranked cyber security practice in 2019 after serving as the global head of cyber security law at JPMorgan Chase, where he was head counsel to the firm’s chief information security officer and its chief security officer. Mr Marta uses his multidisciplinary background to advise companies and boards on cyber and data risk management and governance, cyber incident preparedness and response, regulatory strategy, and government and internal investigations. He can be contacted on +1 (212) 918 3528 or by email: peter.marta@hoganlovells.com.

Nassos Oikonomopoulos has over 19 years of experience in global financial services senior technology risk and cyber roles, including a partnership role for a Big 4 and an interim chief information security officer (CISO) for a global bank. Further to these roles, he has been actively involved in providing thought leadership on FinTech, open banking, cloud and privacy, participating in industry forums and publications. He can be contacted on +44 (0)20 3268 3179 or by email: nassos.oikonomopoulos@hsbc.com.

Benny Melumad is a technology adviser at Warburg Pincus Private Equity, where he is responsible for technology diligence with prospective investments, as well as ongoing work with Warburg’s existing portfolio companies. He has more than 25 years’ experience managing technology operations in global companies, leading their digital transformations and platform modernisation initiatives. He can be contacted on +1 (646) 831 6566 or by email: benny.melumad@warburgpincus.com.

Dan Burke is a recognised industry leader and expert in cyber liability insurance. As national cyber practice leader, Mr Burke drives the strategy to grow Woodruff Sawyer’s cyber business, including developing tools to help clients understand and quantify their cyber exposures. Under his leadership, Woodruff Sawyer has supported clients from start-ups to the Fortune 500 to mitigate their critical cyber risks through insurance. He can be contacted on +1 (415) 402 6514 or by email: dburke@woodruffsawyer.com.

© Financier Worldwide


THE PANELLISTS

Aaron Ach, Good Harbor Security Risk Management
Great Gu, GSK Consumer Healthcare
Peter Marta, Hogan Lovells US LLP
Nassos Oikonomopoulos, HSBC
Benny Melumad, Warburg Pincus LLC
Dan Burke, Woodruff Sawyer
