Responding effectively to the evolution of the cyber threat environment

Viewpoints
November 26, 2021

Eric Friedberg, co-founder and Co-President of Stroz Friedberg, joined Ropes & Gray’s “The Future of Global Data Protection” digital conference earlier this month for an engaging discussion on “The Evolution of the Cyber Threat Environment and Effective Responses to It” with Edward McNicholas, co-leader of the Ropes & Gray Data, Privacy & Cybersecurity practice. The pair explored:

  • The impact of cyber attacks on organisations;
  • Cybersecurity governance by the Board and executive leadership; and
  • The insurance market.

An overview of some of these topics follows below; to access a recording of the session, please visit our blog: RopesDataPhiles.

Impact of cyber attacks on organisations

We live in an era of localisation and divergence of privacy laws evolving in response to rapidly developing technologies, including AI, quantum computing and the Internet of Things. Mr Friedberg observed that cybersecurity is clearly a key business concern which, if addressed incorrectly, can have significant financial and reputational repercussions.

This year in particular has seen an uptick in cyberattacks by foreign states and state-sponsored agents, in pursuit of their geopolitical and economic goals, as well as cyber extortion by criminal threat actors. Such incidents highlight the importance of strong cybersecurity controls.

Implementing robust cybersecurity, however, is a separate issue. Mr Friedberg highlighted the balance that must be struck between applying a zero trust policy to software updates and allocating appropriate resources to vet those updates. From a liability perspective, it seems somewhat absurd to require enterprises, particularly SMEs, to decompile every update before deploying it. Mr Friedberg recalled one instance in which decompiling a single piece of software, suspected of having been backdoored by a foreign agency, took 12 weeks of reverse engineering.

Mr Friedberg noted that, in most cases, threat actors do not need to rely on zero-day exploits because many companies lack basic cybersecurity protections. He emphasised that, to manage this cybersecurity risk, organisations should:

  • Keep software and systems up to date;
  • Use appropriate multi-factor authentication;
  • Apply robust password policies;
  • Patch systems regularly – if there is a known vulnerability with a patch available, it should be addressed as soon as possible;
  • Have an anti-phishing programme and related training; and
  • Have layered defences to detect lateral movement, such as EDR, NDR and user-baselining solutions.

The Board and executive leadership

As organisations prioritise cybersecurity, efforts to ensure appropriate Board and executive leadership and cybersecurity governance are crucial. Mr Friedberg explained that there needs to be strong communication between the Board and the CISO, because there are no standardised methods for reporting on cybersecurity in the way that companies report on profits. He also highlighted the dangers of isolating the CISO and recommended implementing measures to ensure that responsibility for cybersecurity risk is shared collectively between the Board and the CISO.

Insurance

The panel also discussed the tightening insurance market following significant losses in the ransomware space. A full transfer of risk and liability via insurance products is becoming increasingly difficult to find, with some insurers in certain jurisdictions stopping payment for ransomware attacks entirely.

What could be done better?

Mr Friedberg emphasised a few key areas for potential improvement in responding to ransomware:

  • In the ransomware area, there is a disconnect: organisations are being allowed to use untraceable funds to pay cyber extortionists, which leaves ransomware payments largely exempt from AML efforts.
  • Governments should articulate the moral difference between cyber extortion groups that are sanctioned on the OFAC list and those that are not. Many groups are not on the OFAC list, and the proceeds of their extortion efforts are being reinvested by ransomware groups to attack infrastructure.
  • There must be better bilateral and multilateral diplomatic resolution between countries that are harbouring ransomware groups.