Increased cyber risk drives disclosure
Mar 30, 2022
When I served as a global CIO, I relished my meetings with regulators. They would ask questions and learn from real-life practitioners about the challenges of providing adequate cybersecurity in a fluid industry where threat actors innovate daily. I now see auditors, industry groups, and even the U.S. Securities and Exchange Commission (SEC) recognizing those benefits and demanding increased cyber incident disclosure across industries and geographic territories.
Better communication is better for businesses. When the breach of identity management service provider Okta came to light on March 22nd, it was only because the Lapsus$ data extortion group forced the company’s hand. Okta, aware of an issue since January, apologized for disclosing news of the breach only once it was public and reaffirmed the industry’s readiness to see some type of mandated, timely breach disclosure.
Compare this with FireEye’s swift reveal of its 2020 security incident and how positively customers responded to their transparency and guidance. It becomes clear that organizations could benefit from disclosure requirements.
If and when new regulations come to pass, CIOs will need to improve their measurements, monitoring, reporting, and disclosure processes to meet these demands accurately and timely. CIOs and security professionals will also need to improve their communications skills. They’ll need to tailor the content and style to effectively address board members and senior executives, something they’ll do more of in the face of any newly introduced regulations.
They’ll also need to communicate risk identification and mitigation to these groups, whose members are increasingly aware of emerging operational, reputational, and often existential risks posed by cybersecurity threats but lack technical backgrounds. They will be mindful of the steady stream of class-action lawsuits citing negligence over the mishandling of customer personal information compromised in hacks.
Frameworks like NIST, ISO 27001, IEC, and MITRE can help measure risk mitigation and gauge company progress against an established standard. Moreover, boards and management teams often try to augment their risk coverage with cybersecurity insurance. But that’s becoming increasingly difficult to do.
Our defenses must adapt to soaring cyber risks
In January 2022, Merck won a $1.4 billion decision against Ace Insurance related to the 2017 NotPetya malware attack. The attack caused Merck significant damage, but the dispute and subsequent ruling have impacted the industry. Ace initially rejected Merck’s claim because a ransomware attack by a state-sponsored actor was excluded under the policy’s “act-of-war” exemptions clauses.
Merck ultimately won the suit, but insurers stiffened pre-contract due diligence and qualification questions – for both new and renewal policies – and tightened up their policy language.
With the dominance of cloud, 5G, mobile, IoT, OT, and distributed computing models, some traditionally proven cyber defense technologies like firewalls and VPNs are becoming vulnerable, outdated, and expensive.
These technologies only provide partial coverage for modern businesses. Today’s CIOs require a cybersecurity reset – one where their architectures, tools, and processes are re-engineered to meet evolving threats and provide comprehensive cybersecurity coverage in an economically sustainable way.
Zero trust architecture is gaining momentum in this context as organizations see this as a multi-faceted solution to a complex problem. The creativity of cybercriminals, widespread access to more powerful breach tools, the anonymity provided by the dark web, and limited coverage of cyber insurance elevate risk. This trend has not gone unnoticed by boards, senior management, regulators, and exchanges. The result, not surprisingly, is an increased demand for transparency and disclosure.
Pressure is mounting on modern CIOs to deliver cost-effective solutions and improve communication surrounding coverage. There’s an increasing need for cyber-literate technology experts on public boards. Many countries are even considering amending their governance and best practice frameworks in light of today’s threat landscape.
Russia’s invasion of Ukraine has increased concerns about cyber warfare and sparked fears that disruptive actions may target corporations. But malware often hits unintended targets, and we’re all at risk of becoming collateral damage.
As the cybersecurity industry faces widespread risk, distributed threats, and increasing sophistication of threat actors, it must consider commensurately sweeping architectural and procedural adaptation. Fundamental changes are required, and progressive companies recognize this as the moment to move toward a zero trust architecture.
Unfortunately, hope is not an adequate strategy for adapting to the world around us.
What to read next