Impact of cyber attacks on organisations
We live in an era of localisation and divergence of privacy laws evolving in response to rapidly developing technologies, including AI, quantum computing and the Internet of Things. Mr Friedberg observed that cybersecurity is clearly a key business concern which, if addressed incorrectly, can have significant financial and reputational repercussions.
This year in particular has seen an uptick in cyberattacks by foreign states and state-sponsored agents, in pursuit of their geopolitical and economic goals, as well as cyber extortion by criminal threat actors. Such incidents highlight the importance of strong cybersecurity controls.
Implementing robust cybersecurity, however, is a separate issue. Mr Friedberg highlighted the balancing necessary between implementing a zero trust policy for software updates and allocating appropriate resources to vet such updates. From a liability perspective, it seems somewhat absurd to require enterprises, particularly SMEs, to decompile all updates before deploying them. Mr Friedberg recalled an instance of decompiling one piece of software, suspected of being backdoored by a foreign agency, taking 12 weeks of reverse engineering.
Mr Friedberg noted that, in most cases, threat actors do not need to rely on zero-day exploits due to many companies lacking basic cybersecurity protection. He emphasised that to manage this cybersecurity risk organisations should:
- Keep software and systems up to date;
- Use appropriate multi-factor authentication;
- Apply robust password policies;
- Patch systems regularly – if there is known vulnerability with a patch available, this should be addressed as soon as possible;
- Have an anti-phishing programme and related training; and
- Have layered defences to detect lateral movement such as EDR, NDR, user-baselining solutions.
The Board and executive leadership
As organisations prioritise cybersecurity, efforts to ensure appropriate Board and executive leadership and cybersecurity governance are crucial. Mr Friedberg explained that there should be strong communication between the board and the CISO because there are no standardised methods for reporting on cybersecurity in the same way that companies report on profits. He also highlighted the dangers associated with isolating the CISO and recommended implementing measures to ensure that there is a collective responsibility for cybersecurity risk between the board and the CISO.
The panel also discussed the tightening insurance market following significant losses in the ransomware space. A full transfer of risk and liability via insurance products is becoming increasingly difficult to find, with some insurers in certain jurisdictions stopping payment for ransomware attacks entirely.
What could be done better?
Mr Friedberg emphasised a few key areas for potential improvement in responding to ransomware:
- In the ransomware area, there is a disconnect in the sense that organisations are being allowed to use untraceable funds to pay cyber extortionists, which is allowing ransomware payments to largely be exempt from AML efforts.
- Governments should articulate the moral difference between cyber extortion groups that are being banned on the OFAC list and those that are not. Many groups are not on the OFAC list and the proceeds from their extortion efforts are being reinvested by ransomware groups to attack infrastructure.
- There must be better bilateral and multi-lateral diplomatic resolution between countries that are harbouring ransomware groups.