This post first appeared on Risk Management Magazine.
In this year’s Allianz Risk Barometer, cyber incidents were named the top risk to businesses worldwide, cited by 39% of the 2,700 risk professionals surveyed, a dramatic rise from 6% (15th place) just seven years ago.
“Awareness of the cyber threat has grown rapidly in recent years, driven by companies’ increasing reliance on their data and IT systems and a number of high-profile incidents,” Allianz said. “Businesses face a growing number of cyber challenges including larger and more expensive data breaches, an increase in ransomware and business email compromise (spoofing) incidents, as well as the prospect of litigation after an event. Political differences between nation states being played out in cyberspace bring added risk complexity, while even a successful merger or acquisition (M&A) can result in systems problems.”
According to a recent Cyber Trendscape Report by FireEye, more than 90% of organizations believe the cyberrisk landscape will stay the same or worsen in 2020, yet half report they do not believe they are ready for—or would respond well to—a breach or attack. What’s more, 29% of those with cyber incident response plans in place have not tested or updated them in the past 12 months.
Pressure is mounting on all fronts: incidents continue to rise, threat surfaces and attack vectors are proliferating, judges and juries are holding companies to higher standards, regulators are growing more active, and companies are forced to deal with the resulting reputational and financial damage. Heading into a new year and a new decade, it is clear that cyberrisk will continue as one of the defining issues for every enterprise. Threat intelligence, mature cyberrisk management programs, and a strategic and holistic approach to managing cyberrisk on an enterprise level will be critical in managing risk this year and in defining the role of risk professionals in the years to come.
2020 Election Threats
In reviewing cyberrisk outlook reports, interviews and commentary from experts spanning the cybersecurity, risk and insurance industries, the most common topic by far was the upcoming 2020 U.S. elections. Since 2016, much has been made of the election system’s many vulnerabilities, including outdated and insecure voting machines, the inauditability of paperless machines, the piecemeal oversight of election infrastructure across states, cities and counties, the perils of misinformation campaigns online, and the potential for fomenting distrust in such a key institution. Security researchers at the DEF CON cybersecurity conference have made great strides in finding and reporting vulnerabilities by hacking all manner of election infrastructure, and groups like Verified Voting have released comprehensive materials for voters and election officials. Under scrutiny for past failures and future vulnerabilities, many parts of the United States have also invested in better security. The system remains far from fully secure, however, and still lacks federal oversight.
“One of the things to keep in mind is that, from a data management perspective, the U.S. presidential election isn’t a single data collection and processing exercise—it spans 50 different instances that are independently operated by different teams using different tools and security processes,” noted Dr. Srinivas Mukkamala, co-founder and CEO of RiskSense. “As it turns out, a bad actor does not have to compromise all 50 election systems to influence or disrupt the election. The outcome of the election will be determined by results in a dozen or fewer swing states. I expect we’ll see significant phishing activity targeting the offices of the Secretary of State and other election officials in these battleground states starting in the spring. Their aim will be to establish undetected beachheads that can be exploited next fall.”
According to security instrumentation firm Verodin’s annual threat predictions, “While security of the voter registration database and e-voting system are critical areas of the election process that need to be addressed, the biggest threat to the security and sanctity of the November 2020 election will be the growing manipulation of influence taking place by way of social engineering, which sways voters’ opinions before they head to the polls. This includes viral sharing of deepfake videos, fictitious news stories and targeted, false content on social media networks and elsewhere.”
This may extend from content about candidates to content seemingly from them. FireEye’s special report Cyber Security in 2020 and Beyond noted, “As we go into a very important election year in the United States, we expect to see an increase in not just cyber espionage and cyber influence operations targeted at the electoral systems, but also candidates being impersonated on social media and other types of information operations designed to target the voters themselves.”
This threat is not limited to the United States—as FireEye noted, the risk may apply to a number of elections abroad, including those in Taiwan, South Korea, France and Poland. “Nation-state influence activities at the intersection of cyber threats and information operations will continue developing,” the researchers wrote. “FireEye has observed information operations linked to Russia, China, Iran, Venezuela, and other countries developing and maturing as these have received public exposure.”
Jim Wetekemp, CEO of Riskonnect, pointed to the increased economic risk that could result from uncertainty surrounding the 2020 elections more broadly. “With election year jitters rising and outlooks of an economic slowdown swaying back and forth, risk organizations need to consider both initial uncertainty and potential long-tail change when planning risk coverage for next year,” he said. “In the short term, understanding possible capital expenditure reductions, hiring stalls, fluctuations in consumer confidence or credit markets will be paramount. As we move beyond 2020, organizations will need to consider risks related to economic and regulatory changes that could result as the election unfolds. Everything from increased tariffs through changing international trade, radical restructuring of the healthcare industry, new federal approaches to corporate taxes, or operational and regulatory changes related to climate change could be on the table.”
The Impact of 5G
No discussion about top cyberrisk concerns of the year would be complete without mentioning 5G, which remains a hot topic across industry verticals and around the world. Particularly amid the raging trade war between the United States and China, much has been made of the ties between China and the technology and infrastructure underpinning the shift to 5G. Many Western authorities have cited supply chain risk concerns about potential backdoors in the technology that could be exploited by the Chinese government, while others find these claims either paranoid or protectionist.
The dramatic enhancements in speed and bandwidth that 5G promises could also pose a risk by facilitating more frequent and more powerful cyberattacks, experts believe. This could cause issues due to the asymmetry of resources between those who have 5G technology and those in areas that have not yet adopted it or do not have the infrastructure to support it. The technology is also expected to support a booming class of internet of things (IoT) devices, which could be tremendously beneficial for companies and consumers alike. But as these devices also introduce significant vulnerabilities into the environments in which they are adopted, this could mean an exponential increase in the number of entry points for malicious actors or points of failure in the event of disruption.
As Verodin noted about the risks of increased IoT adoption, “The increasing number of devices and applications connected to the distributed cloud gives adversaries a larger playing field on which to target attacks. Additionally, with cloud-hosted platforms and decentralized infrastructure, security professionals have far less visibility into the security stack and how it’s managed, forcing companies to rely on the promises made by cloud vendors that their environments are secure, without a way to know if assets are fully protected.”
Vishing and Deepfakes
Email security firm Mimecast predicted in a recent threat intelligence report that voicemail phishing is poised to rise as an attack vector. “Vishing” can take a number of forms: voicemail spam and phishing use MP3 files and voice-to-email services to distribute voicemails that direct recipients to call bogus phone numbers. Other phishing attacks lure email recipients into opening an attachment purporting to be a voicemail message, or into clicking buttons that appear to play the message but actually link to shortened phishing URLs. At the nexus of phishing, CEO fraud and artificial intelligence technology, voice impersonation schemes are also expected to increase in the wild. These schemes may involve fake caller ID information and are often even more effective than other social engineering schemes because victims are more likely to give out information, and think less about suspicious situations, when on the phone.
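The voicemail lure forms described above translate directly into mail-triage indicators. The following is an added example, not code from the article or from Mimecast: a small Python scorer that flags messages combining a voicemail theme with an attachment whose real extension is scriptable, or with a "play" button that resolves through a URL shortener. The indicator lists, the threshold and the sample messages are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Indicators taken from the vishing forms described in the article: voicemail-
# themed lures, attachments posing as voice messages, and "play" buttons that
# resolve to shortened URLs. The shortener and extension lists are assumptions
# made for this example, not data from the article.
VOICEMAIL_WORDS = re.compile(r"\b(voice ?mail|voice message|missed call)\b", re.I)
PLAY_WORDS = re.compile(r"\b(play|listen)\b", re.I)
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
AUDIO_EXTS = (".mp3", ".wav", ".m4a", ".amr")
ACTIVE_EXTS = (".html", ".htm", ".js", ".exe", ".scr", ".lnk", ".vbs", ".hta")
FLAG_THRESHOLD = 3  # assumed cut-off for this example


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)  # file names
    links: list = field(default_factory=list)        # (anchor_text, href)


@dataclass
class Verdict:
    score: int
    reasons: list

    @property
    def flagged(self) -> bool:
        return self.score >= FLAG_THRESHOLD


def score_voicemail_lure(msg: Email) -> Verdict:
    """Score one message against the voicemail-lure indicators."""
    score, reasons = 0, []
    themed = bool(VOICEMAIL_WORDS.search(msg.subject) or VOICEMAIL_WORDS.search(msg.body))
    if themed:
        score += 1
        reasons.append("voicemail-themed subject or body")

    for name in msg.attachments:
        low = name.lower()
        looks_audio = any(ext in low for ext in AUDIO_EXTS)
        if low.endswith(ACTIVE_EXTS) and (themed or looks_audio):
            # e.g. "vm.mp3.html": named like audio, but the real extension is scriptable
            score += 3
            reasons.append(f"attachment {name} poses as a voicemail but has an active extension")
        elif themed and not low.endswith(AUDIO_EXTS):
            score += 2
            reasons.append(f"attachment {name} accompanies a voicemail lure but is not audio")

    for text, href in msg.links:
        host = (urlparse(href).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            # A "play" button routed through a shortener hides its real destination
            score += 2 if PLAY_WORDS.search(text) else 1
            reasons.append(f"link '{text}' goes through shortener {host}")

    return Verdict(score, reasons)


def triage(messages) -> list:
    """Return (subject, score, flagged) per message, highest score first."""
    rows = []
    for m in messages:
        v = score_voicemail_lure(m)
        rows.append((m.subject, v.score, v.flagged))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample messages (not real mail): one lure, one genuine PBX
# notification with a real audio file, and one unrelated business message.
SAMPLES = [
    Email("alerts@pbx-notify.example", "New Voicemail from +1 (555) 010-0199",
          "You have a new voice message. Click Play to listen.",
          attachments=["VM-20200114.mp3.html"],
          links=[("Play message", "https://bit.ly/3abcXYZ")]),
    Email("voicemail@pbx.corp.example", "Voicemail from extension 204",
          "Message attached.", attachments=["msg0001.wav"]),
    Email("finance@corp.example", "Q1 budget review",
          "Slides for Tuesday are attached.", attachments=["budget.pptx"],
          links=[("agenda", "https://intranet.corp.example/agenda")]),
]

if __name__ == "__main__":
    for subject, score, flagged in triage(SAMPLES):
        print(f"{'FLAG' if flagged else 'ok  '} {score:2d}  {subject}")
```

The genuine PBX notification scores only on its theme, which keeps it below the threshold; the lure accumulates points from the disguised attachment and the shortened "play" link, which is what distinguishes it from an ordinary voicemail-to-email message.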
In another version of vishing, criminals can also use commercially available AI software to create realistic impersonations that can be used in social engineering schemes. In one vishing case that made headlines last year, criminals used this tactic to convince an executive at a U.K. energy firm to transfer over $200,000 by imitating the accent and voice patterns of his German boss.
AI is also used to generate similarly convincing videos, often referred to as “deepfakes.” Researchers at McAfee Labs noted in the 2020 Threats Predictions Report, “Deepfake video or text can be weaponized to enhance information warfare. Freely available video of public comments can be used to train a machine-learning model that can develop a deepfake video depicting one person’s words coming out of another’s mouth. Attackers can now create automated, targeted content to increase the probability that an individual or groups fall for a campaign. In this way, AI and machine learning can be combined to create massive chaos.”
This has been widely discussed with regard to the potential for such videos to spread misinformation or discord around political races or even business developments. “In general, adversaries are going to use the best technology to accomplish their goals, so if we think about nation-state actors attempting to manipulate an election, using deepfake video to manipulate an audience makes a lot of sense,” McAfee Labs explained. “Adversaries will try to create wedges and divides in society, or if a cybercriminal can have a CEO make what appears to be a compelling statement that a company missed earnings or that there’s a fatal flaw in a product that’s going to require a massive recall. Such a video can be distributed to manipulate a stock price or enable other financial crimes.” As the technology has advanced, these capabilities have extended to a larger range of potential actors since they require less training.
Additionally, businesses should be aware of the potential impact deepfakes could have on security and authentication technology. As facial recognition becomes more widely available and is used in more applications, from unlocking phones to verifying identification for travel to locating criminals in public spaces, enterprises across the public and private sectors should be monitoring these developments and thinking critically about the security systems they are implementing or will roll out in the coming years.
“We predict adversaries will begin to generate deepfakes to bypass facial recognition,” McAfee Labs wrote. “It will be critical for businesses to understand the security risks presented by facial recognition and other biometric systems and invest in educating themselves of the risks as well as hardening critical systems.”
Geopolitical Tensions
In its recent 2019-2020 Global Application & Network Security Report, cybersecurity vendor Radware found the number of companies that attributed attacks against their organization to cyberwarfare or nation-state activity increased 42% last year. Worldwide, 27% of organizations suffered nation-state attacks in 2019, a figure that climbed to 36% among companies in North America.
“Nation-state intrusions are among the most difficult attacks to thwart because the agencies responsible often have significant resources, knowledge of potential zero-day exploits, and the patience to plan and execute operations,” said Anna Convery-Pelletier, the firm’s chief marketing officer. “These attacks can result in the loss of sensitive trade, technological, or other data, and security teams may be at a distinct disadvantage.”
As the United States and Iran carried out strikes in January, experts predicted the conflict would escalate particularly in cyberspace. Cyberspace continues to be a key battleground, most notably involving the United States, China, Russia, Iran and North Korea. State-backed hackers in these countries are among the best resourced, and activity can be expected both in lieu of and in retaliation for kinetic attacks, trade disputes and other geopolitical tensions.
“Currently, we are seeing Western tensions with Iran accelerate the tempo of Iranian cyber operations, and we anticipate this issue to continue if tensions persist,” FireEye predicted. “We have seen activity from several Iranian groups—including APT33, APT34, and TEMP.Zagros—against financial services, media and entertainment, retail and other sectors. In addition to exfiltrating sensitive information, it is possible that Iranian groups could leverage compromised access they establish for disruptive and destructive cyberattacks to retaliate or impose costs against adversaries.”
Tim Bandos, vice president of cybersecurity at Digital Guardian, predicts increased activity from state-sponsored threat actors in 2020 may include escalating attacks on critical infrastructure. While attempted intrusions and successful attacks have been isolated incidents so far, some experts believe these could have been preliminary efforts, setting up backdoors as a foothold for the future. “With the considerable adoption of IoT devices connecting once-segregated Operations Technology (OT) environments, the security in these environments needs to be fully assessed and controls need to be put in place as soon as possible to mitigate against future attacks,” Bandos said. “It’s only a matter of time.”
New Ransomware Twists
Over the past year, two main classes of ransomware attacks made headlines: attacks on state and local public entities and increasingly targeted attacks that interrupt an enterprise’s operations. State and local governments often have notably weaker security provisions and fewer resources for either prevention or recovery measures, and these attacks have often targeted not only internal operations but public-facing services, forcing these entities to disclose the incident and putting their response under the microscope. In some cases, this combination has led to payouts, and the ease of striking these targets means the risk will likely continue in the new year.
Criminals launching ransomware attacks have become more sophisticated and, in some cases, are even pooling resources to initiate more targeted campaigns. “What we’ve been seeing in the underground is threat actors advertising their access to organizations, no matter what industry, and trying to find partners who have ransomware that they can deploy deep in those networks in a very customized fashion,” Sandra Joyce, senior vice president of threat intelligence at FireEye, wrote in the firm’s predictions report. “We’ve also seen some of the most sophisticated criminal intrusion operations shift to this type of ransomware deployment, away from other tactics. This very targeted ransomware technique is leading to increased ransomware demands and putting organizations at a high risk of losing intellectual property.”
Indeed, some predict the desire to access intellectual property or other sensitive information will increasingly lead more sophisticated ransomware attackers to launch two-stage schemes. “For 2020, we predict the targeted penetration of corporate networks will continue to grow and ultimately give way to two-stage extortion attacks,” researchers at McAfee Labs forecasted. “In the first stage, cybercriminals will deliver a crippling ransomware attack, extorting victims to get their files back. In the second stage, criminals will target the recovering ransomware victims again with an extortion attack, but this time they will threaten to disclose the sensitive data stolen before the ransomware attack.”
The firm believes criminals will exfiltrate sensitive information before a targeted ransomware attack to either sell online or use to extort the victim for more money. Others have noted that attackers could also point to the hefty regulatory fines that could be triggered if they go through with the threat of publishing the stolen data.
Cyber Insurance Uncertainty
With more frequent breaches, more rigorous enforcement by regulators, and the surge of ransomware attacks with widespread ramifications for third parties, the costs of cyberrisk failures have never been higher. Insurers that have scrambled for market share in this booming line may have to give closer scrutiny to what they underwrite. The aggregated losses from cyber incidents are substantial, but industry experts largely agree that there is still ample capacity in the market. That being said, forms continue to get more complex and exclusions more common, and in some cases, insurers have been increasingly litigious when pressed to pay out. Additionally, while capacity may be available, enterprises should be prepared for at least the possibility of rising rates. As losses continue, policyholders should be paying close attention to cyberthreats to learn about new threats that fall into the realm of “silent cyberrisk,” trends that could impact their supply chain, large-scale losses that could see prices harden, and attack methods that insurers move to exclude.
Shifting Regulatory Focus
On a global level, Laura Koetzle, vice president and group director at Forrester Research and cybersecurity conference RSAC advisory board member, predicted that the EU will “lay claim to the title of ‘regulatory superpower’” this year, noting she expects to see aggressive antitrust enforcement, a steady stream of GDPR enforcement actions and “an avalanche of consumer privacy class actions.”
In the United States, all 50 states have their own data security laws, paired with the patchwork of industry-specific regulations and regulatory bodies. At the massive CES tech tradeshow in January, Federal Trade Commission Chairman Joe Simons declared the time had come for a federal privacy statute, though he stopped short of calling for a new privacy regulatory agency. With implementation of the California Consumer Privacy Act (CCPA), the nation’s most stringent privacy rights and data protection law to date, disparities in the requirements for businesses and the uncertainties of falling under so many unique jurisdictions have begun to push more enterprises to agree, seeking clarity from a nationwide standard.
“As one can imagine, having 50 state consumer privacy laws on the books will create a compliance nightmare for organizations of all sizes,” said Michael Magrath, director of global regulations and standards at antifraud technology firm OneSpan. “There needs to be a comprehensive federal consumer privacy and data protection law to address the compliance issue and the legislation should also incorporate minimum security requirements for organizations to deploy to protect consumer data. It would be surprising if the [recently proposed] ‘Consumer Online Privacy Rights Act’ becomes federal law in 2020, but it should generate some interesting debates and lawmakers can expect pressure from the business community especially after the CCPA’s enforcement begins in July.”
Regulators and investors will continue to look more to top executives and boards of directors to recognize, assess and plan for the risks cyber presents to the bottom line in more concrete ways. “Regulation, or simply standards of practice, will elevate the requirements for Boards of Directors when exercising duty of care with respect to cybersecurity losses,” predicted Jack Freund, director of risk science at RiskLens. “Disclosures around exposure to cyber losses will require more detail, including potential losses and how those losses are covered either through cash reserve, bond or insurance.”
Further, top executives, directors and officers have recently faced increasing scrutiny for their actions with regard to cybersecurity and increasing personal accountability for cyber-related governance failures or negligence, and this shows no sign of waning. Indeed, a number of jurisdictions around the world have recently gone so far as to include criminal liability and potential prison time for directors and officers in proposed legislation. Such provisions are included in the data protection bill officials in India are expected to bring to a vote this year, the Cayman Islands Data Protection Law that went into force in September 2019, and drafts of suggested national privacy laws in the United States. While the year may not necessarily see any of them go to jail, the rising stakes may increase scrutiny and urgency around cyberrisk management provisions from the top down.
Exercising Data Privacy Rights
Of course, such new regulations also mean businesses will need to allocate time and resources to compliance efforts. One particular component of an increasing number of data privacy regulations may demand more attention this year. As regulations like CCPA and GDPR establish individuals’ rights to transparency and choice in the collection and use of their personal data, one can expect to see more people exercise these rights.
“Similar to how Europe has a ‘right to be forgotten,’ companies will begin offering the ability to destroy or shred their own personal data,” predicted Ameesh Divatia, co-founder and CEO of data protection company Baffle. “Facebook, for example, already offers a ‘kill switch’ data revocation method. I expect this will become ubiquitous among companies that collect and store consumer data.”
In turn, businesses need to ensure they have formal and efficient processes in place to comply with such requests in the clear terms and prompt manner these regulations require, or risk fines and reputational fallout. These processes will also need to provide sufficient documentation to attest to compliance, so if they have not already, businesses should be building auditable and iterative procedures for “data revocation.” Depending on the role personal data plays in a company’s business model, it may also need to consider the business impact a high volume of such requests could have going forward.
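The auditable, iterative data-revocation procedure described above can be made concrete in code. The following is an added example, not code from the article or from any company quoted in it: a Python request tracker that records each data store’s erasure as a separate step in a hash-chained, append-only audit log, reports requests that have passed their deadline, and produces an attestation summary a reviewer can check against the log. The 45-day response window, the store names and the request data are assumptions constructed for this example; the real deadline depends on which statute applies.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed response window for this example; the article states none and the
# real deadline depends on the applicable regulation.
RESPONSE_WINDOW_DAYS = 45


@dataclass
class RevocationRequest:
    request_id: str
    subject_ref: str          # internal reference, never the person's raw data
    received: date
    stores: list              # every system known to hold this person's data
    erased: dict = field(default_factory=dict)   # store -> date erasure was confirmed

    def due(self) -> date:
        return self.received + timedelta(days=RESPONSE_WINDOW_DAYS)

    def is_complete(self) -> bool:
        return set(self.erased) == set(self.stores)


class AuditLog:
    """Append-only log where each entry's hash covers the previous hash, so a
    later edit to any entry breaks the chain and is detectable on review."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        payload = json.dumps(event, sort_keys=True, default=str)
        return hashlib.sha256((prev + payload).encode()).hexdigest()

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        h = self._digest(prev, event)
        self.entries.append({"prev": prev, "event": dict(event), "hash": h})
        return h

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["event"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class RevocationProcessor:
    """Tracks each request from receipt through per-store erasure to attestation."""

    def __init__(self, log: AuditLog):
        self.log = log
        self.requests = {}

    def open(self, req: RevocationRequest) -> None:
        self.requests[req.request_id] = req
        self.log.append({"event": "received", "request": req.request_id,
                         "stores": list(req.stores), "due": req.due()})

    def record_erasure(self, request_id: str, store: str, on: date, operator: str) -> None:
        req = self.requests[request_id]
        if store not in req.stores:
            raise ValueError(f"{store} is not a registered store for {request_id}")
        req.erased[store] = on
        self.log.append({"event": "erased", "request": request_id,
                         "store": store, "on": on, "by": operator})
        if req.is_complete():
            self.log.append({"event": "completed", "request": request_id, "on": on})

    def overdue(self, today: date) -> list:
        """Request ids still incomplete after their deadline, for escalation."""
        return sorted(r.request_id for r in self.requests.values()
                      if not r.is_complete() and today > r.due())

    def attestation(self, request_id: str) -> dict:
        """Summary a reviewer can check against the log if compliance is questioned."""
        req = self.requests[request_id]
        return {
            "request": request_id,
            "received": req.received.isoformat(),
            "due": req.due().isoformat(),
            "pending_stores": sorted(set(req.stores) - set(req.erased)),
            "complete": req.is_complete(),
            "log_intact": self.log.verify(),
        }


def demo() -> dict:
    """Constructed walk-through (sample data, not a real request)."""
    proc = RevocationProcessor(AuditLog())
    proc.open(RevocationRequest("REQ-0001", "subject-7f3a", date(2020, 1, 10),
                                ["crm", "marketing", "backups"]))
    proc.record_erasure("REQ-0001", "crm", date(2020, 1, 12), "ops-a")
    proc.record_erasure("REQ-0001", "marketing", date(2020, 1, 15), "ops-b")
    late = proc.overdue(date(2020, 2, 26))      # backups still pending past the Feb 24 due date
    proc.record_erasure("REQ-0001", "backups", date(2020, 2, 28), "ops-a")
    return {"overdue_before": late, "overdue_after": proc.overdue(date(2020, 2, 28)),
            "attestation": proc.attestation("REQ-0001"), "processor": proc}


if __name__ == "__main__":
    result = demo()
    print(json.dumps({k: v for k, v in result.items() if k != "processor"}, indent=2, default=str))
```

Keeping one entry per store, rather than a single "done" flag, is what makes the procedure iterative: a request can be partly satisfied, the outstanding stores are always visible, and the deadline check surfaces the laggard before it becomes a reportable failure. Storing only an internal subject reference in the log avoids retaining the very data the request asked to remove.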
“The 2010s were marred with massive, high-profile data breaches and abuses of consumer trust (Facebook/Cambridge Analytica, Yahoo, Marriott, Equifax, Target),” Divatia said. “The 2020s will see a bifurcation between companies that protect user data and share it responsibly, and those that do not. Those that play ‘fast and loose’ will see an immediate hit to their brand impact, mounting legal and regulatory costs and the long-term health of their business come into question. In contrast, those that design their systems to share data responsibly will thrive and soar in value.”