In this year’s Allianz Risk Barometer, cyber incidents were named the top risk to businesses worldwide, cited by 39% of the 2,700 risk professionals surveyed, a dramatic rise from 6% (15th place) just seven years ago.
“Awareness of the cyber threat has grown rapidly in recent years, driven by companies’ increasing reliance on their data and IT systems and a number of high-profile incidents,” Allianz said. “Businesses face a growing number of cyber challenges including larger and more expensive data breaches, an increase in ransomware and business email compromise (spoofing) incidents, as well as the prospect of litigation after an event. Political differences between nation states being played out in cyberspace brings added risk complexity, while even a successful merger or acquisition (M&A) can result in systems problems.”
According to a recent Cyber Trendscape Report by FireEye, more than 90% of organizations believe the cyberrisk landscape will stay the same or worsen in 2020, yet half report they do not believe they are ready for—or would respond well to—a breach or attack. What’s more, 29% of those with cyber incident response plans in place have not tested or updated them in the past 12 months.
Pressure continues to increase on all fronts: incidents continue to rise, threat surfaces and attack vectors are proliferating, judges and juries are holding companies to higher standards, regulators are growing more active, and companies are forced to deal with the resulting reputation and financial damages. Heading into a new year and a new decade, it is clear that cyberrisk will continue as one of the defining issues for every enterprise. Threat intelligence, mature cyberrisk management programs, and a strategic and holistic approach to managing cyberrisk on an enterprise level will be critical in managing risk this year and defining the role of risk professionals in the years to come.
2020 Election Threats
In reviewing cyberrisk outlook reports, interviews and commentary from experts spanning the cybersecurity, risk and insurance industries, the most common topic by far was the upcoming 2020 U.S. elections. Since 2016, much has been made of the election system’s many vulnerabilities, including outdated and insecure voting machines, the inauditability of paperless machines, the piecemeal oversight of election infrastructure across states, cities and counties, the perils of misinformation campaigns online, and the potential for fomenting distrust in such a key institution. Security researchers at the DEF CON cybersecurity conference have made great strides in finding and reporting vulnerabilities by hacking all manner of election infrastructure and groups like Verified Voting have released comprehensive materials for voters and election officials. Under scrutiny for past failures and future vulnerabilities, many parts of the United States have also invested in better security. The system remains far from fully secure, however, and still lacks federal oversight.
“One of the things to keep in mind is that, from a data management perspective, the U.S. presidential election isn’t a single data collection and processing exercise—it spans 50 different instances that are independently operated by different teams using different tools and security processes,” noted Dr. Srinivas Mukkamala, co-founder and CEO of RiskSense. “As it turns out, a bad actor does not have to compromise all 50 election systems to influence or disrupt the election. The outcome of the election will be determined by results in a dozen or fewer swing states. I expect we’ll see significant phishing activity targeting the offices of the Secretary of State and other election officials in these battleground states starting in the spring. Their aim will be to establish undetected beachheads that can be exploited next fall.”
According to security instrumentation firm Verodin’s annual threat predictions, “While security of the voter registration database and e-voting system are critical areas of the election process that need to be addressed, the biggest threat to the security and sanctity of the November 2020 election will be the growing manipulation of influence taking place by way of social engineering, which sways voters’ opinions before they head to the polls. This includes viral sharing of deepfake videos, fictitious news stories and targeted, false content on social media networks and elsewhere.”
This may extend from content about candidates to content seemingly from them. FireEye’s special report Cyber Security in 2020 and Beyond noted, “As we go into a very important election year in the United States, we expect to see an increase in not just cyber espionage and cyber influence operations targeted at the electoral systems, but also candidates being impersonated on social media and other types of information operations designed to target the voters themselves.”
This threat is not isolated to the United States—as FireEye noted, the risk may apply to a number of elections abroad, including those in Taiwan, South Korea, France and Poland. “Nation-state influence activities at the intersection of cyber threats and information operations will continue developing,” the researchers wrote. “FireEye has observed information operations linked to Russia, China, Iran, Venezuela, and other countries developing and maturing as these have received public exposure.”
Jim Wetekemp, CEO of Riskonnect, pointed to the increased economic risk that could result from uncertainty surrounding the 2020 elections more broadly. “With election year jitters rising and outlooks of an economic slowdown swaying back and forth, risk organizations need to consider both initial uncertainty and potential longtail change when planning risk coverage for next year,” he said. “In the short-term, understanding possible capital expenditure reductions, hiring stalls, fluctuations in consumer confidence or credit markets will be paramount. As we move beyond 2020, organizations will need to consider risks related to economic and regulatory changes that could result as the election unfolds. Everything from increased tariffs through changing international trade, radical restructuring of the healthcare industry, new federal approaches to corporate taxes, or operational and regulatory changes related to climate change could be on the table.”
The Impact of 5G
No discussion about top cyberrisk concerns of the year would be complete without mentioning 5G, which remains a hot topic across industry verticals and around the world. Particularly amid the raging trade war between the United States and China, much has been made of the ties between China and the technology and infrastructure underpinning the shift to 5G. Many western authorities have cited supply chain risk concerns about potential backdoors in the technology that could be exploited by the Chinese government, while others find these claims either paranoid or protectionist.
The dramatic enhancements in speed and bandwidth that 5G promises could also pose a risk by facilitating more frequent and more powerful cyberattacks, experts believe. The imbalance could favor attackers operating from 5G-connected devices against targets in regions that have not yet adopted the technology or lack the infrastructure to support it. The technology is also expected to support a booming class of internet of things (IoT) devices, which could be tremendously beneficial for companies and consumers alike. But because these devices also introduce significant vulnerabilities into the environments in which they are adopted, this could mean a sharp increase in the number of entry points for malicious actors and in the number of points of failure in the event of disruption.
As Verodin noted about the risks of increased IoT adoption, “The increasing number of devices and applications connected to the distributed cloud gives adversaries a larger playing field on which to target attacks. Additionally, with cloud-hosted platforms and decentralized infrastructure, security professionals have far less visibility into the security stack and how it’s managed, forcing companies to rely on the promises made by cloud vendors that their environments are secure, without a way to know if assets are fully protected.”
Vishing and Deepfakes
Email security firm Mimecast predicted in a recent threat intelligence report that voicemail phishing is poised to rise as an attack vector. “Vishing” can take a number of forms. Voicemail spam and phishing uses MP3 attachments and voice-to-email services to disseminate fake voicemails urging recipients to call bogus phone numbers. Other phishing emails lure recipients into opening an attachment purporting to be a voicemail message, or into clicking buttons that appear to play the message but are actually linked to shortened phishing URLs. At the nexus of phishing, CEO fraud and artificial intelligence technology, voice impersonation schemes are also expected to increase in the wild. These schemes may involve spoofed caller ID information and are often even more effective than other social engineering schemes because victims are more likely to give out information, and think less about suspicious situations, when on the phone.
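The email-borne forms of vishing described above lend themselves to straightforward mail-gateway heuristics. The following Python script is an added example, not code from the article or from Mimecast: it parses constructed sample messages with the standard library’s email package and flags any that combine a voicemail pretext with an audio or HTML “voicemail” attachment or a “play” link pointing at a URL-shortening domain. The shortener list, the sender addresses and the sample messages are assumptions made for illustration.

```python
"""Flag voicemail-themed phishing lures ("vishing" delivered by email).

Added example, not from the article or Mimecast. Three indicators from the
text: a voicemail pretext, an attachment posing as the message (audio file or
HTML "player"), and a play button that points at a URL shortener. A message is
flagged when the pretext is combined with at least one other indicator.
Sample messages and the shortener list are constructed for illustration.
"""
import os
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

PRETEXT = re.compile(r"\b(voice ?mail|voice message|missed call)\b", re.I)
AUDIO_EXT = {".mp3", ".wav", ".m4a", ".amr", ".ogg"}
LURE_EXT = {".htm", ".html"}  # "players" that are really credential forms
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "ow.ly"}  # assumed list


class _LinkExtractor(HTMLParser):
    """Collect href values from <a> tags (the 'Play' buttons)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def text_parts(msg):
    """Yield (content type, decoded body) for every text/plain and text/html part."""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            yield part.get_content_type(), part.get_content()


def extract_links(msg):
    """Return every URL found in HTML anchors or plain-text bodies."""
    links = []
    for ctype, body in text_parts(msg):
        if ctype == "text/html":
            parser = _LinkExtractor()
            parser.feed(body)
            links.extend(parser.hrefs)
        else:
            links.extend(re.findall(r"https?://\S+", body))
    return links


def score_message(raw: bytes) -> dict:
    """Parse one raw RFC 5322 message and return the indicators found plus a verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg["subject"] or "")
    reasons = []
    searchable = subject + " " + " ".join(body for _, body in text_parts(msg))
    if PRETEXT.search(searchable):
        reasons.append("voicemail pretext")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if os.path.splitext(name)[1] in AUDIO_EXT | LURE_EXT:
            reasons.append("voicemail-style attachment: " + name)
    for url in extract_links(msg):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENERS:
            reasons.append("shortened link: " + host)
    # A voicemail mention alone is common in legitimate mail; require a second indicator.
    suspicious = "voicemail pretext" in reasons and len(reasons) >= 2
    return {"subject": subject, "suspicious": suspicious, "reasons": reasons}


def _build(subject, body, html=None, attachment=None) -> bytes:
    """Construct a sample message; attachment = (filename, bytes, maintype, subtype)."""
    m = EmailMessage()
    m["From"] = "vm-service@example.net"  # constructed sender
    m["To"] = "finance@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if html:
        m.add_alternative(html, subtype="html")
    if attachment:
        fname, payload, maintype, subtype = attachment
        m.add_attachment(payload, maintype=maintype, subtype=subtype, filename=fname)
    return m.as_bytes()


SAMPLES = {  # constructed messages, not real captures
    "mp3_shortlink": _build(
        "New Voicemail Message (0:42)",
        "You have a new voicemail. Click Play to listen.",
        html='<p>You have a new voicemail.</p><a href="https://bit.ly/3xVm0ice">Play</a>',
        attachment=("msg_0042.mp3", b"ID3\x03\x00" + b"\x00" * 16, "audio", "mpeg"),
    ),
    "html_attachment": _build(
        "Missed call - voice message attached",
        "You have a new voice message. Open the attached file to listen.",
        attachment=("VM_2020-01-14.html", b"<form action='https://example.org'></form>", "text", "html"),
    ),
    "budget": _build("Q1 budget review", "Draft is at https://intranet.example.com/budget/q1 - comments by Friday."),
    "voicemail_reply": _build("Re: voicemail from Dana", "Thanks, I listened to the voicemail and will call her back."),
}


def analyze_samples() -> dict:
    """Score every constructed sample; keyed by label."""
    return {label: score_message(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, result in analyze_samples().items():
        print(f"{label:16} suspicious={result['suspicious']} {result['reasons']}")
```

Requiring two indicators is the design choice worth noting: a reply thread that merely mentions a voicemail should not be quarantined, while a message that pairs the pretext with an audio attachment or a shortened “play” link matches the lures the report describes.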
In another version of vishing, criminals can also use commercially available AI software to create realistic impersonations that can be used in social engineering schemes. In one vishing case that made headlines last year, criminals used this tactic to convince an executive at a U.K. energy firm to transfer over $200,000 by imitating the accent and voice patterns of his German boss.
AI is also used to generate similarly convincing videos, often referred to as “deepfakes.” Researchers at McAfee Labs noted in the 2020 Threats Predictions Report, “Deepfake video or text can be weaponized to enhance information warfare. Freely available video of public comments can be used to train a machine-learning model that can develop a deepfake video depicting one person’s words coming out of another’s mouth. Attackers can now create automated, targeted content to increase the probability that an individual or groups fall for a campaign. In this way, AI and machine learning can be combined to create massive chaos.”
This has been widely discussed with regard to the potential for such videos to spread misinformation or discord around political races or even business developments. “In general, adversaries are going to use the best technology to accomplish their goals, so if we think about nation-state actors attempting to manipulate an election, using deepfake video to manipulate an audience makes a lot of sense,” McAfee Labs explained. “Adversaries will try to create wedges and divides in society, or if a cybercriminal can have a CEO make what appears to be a compelling statement that a company missed earnings or that there’s a fatal flaw in a product that’s going to require a massive recall. Such a video can be distributed to manipulate a stock price or enable other financial crimes.” As the technology has advanced, these capabilities have extended to a larger range of potential actors, since producing a convincing fake now requires less skill and less training footage than it once did.
Additionally, businesses should be aware of the potential impact deepfakes could have on security and authentication technology. As facial recognition becomes more widely available and is used in more applications, from unlocking phones to verifying identification for travel to locating criminals in public spaces, enterprises across the public and private sectors should be monitoring these developments and thinking critically about the security systems they are implementing or will roll out in the coming years.
“We predict adversaries will begin to generate deepfakes to bypass facial recognition,” McAfee Labs wrote. “It will be critical for businesses to understand the security risks presented by facial recognition and other biometric systems and invest in educating themselves of the risks as well as hardening critical systems.”
Nation-State Attacks
In its recent 2019-2020 Global Application & Network Security Report, cybersecurity vendor Radware found the number of companies that attributed attacks against their organization to cyberwarfare or nation-state activity increased 42% last year. Worldwide, 27% of organizations suffered nation-state attacks in 2019, a figure that climbed to 36% among companies in North America.
“Nation-state intrusions are among the most difficult attacks to thwart because the agencies responsible often have significant resources, knowledge of potential zero-day exploits, and the patience to plan and execute operations,” said Anna Convery-Pelletier, the firm’s chief marketing officer. “These attacks can result in the loss of sensitive trade, technological, or other data, and security teams may be at a distinct disadvantage.”
As the United States and Iran carried out strikes in January, experts predicted the conflict would especially escalate in terms of cyber conflict. Cyberspace continues to be a key battleground, most notably involving the United States, China, Russia, Iran and North Korea. State-backed hackers in these countries are some of the best resourced and activity can be expected both in lieu of and in retaliation for kinetic attacks, trade disputes and other geopolitical tensions.
“Currently, we are seeing Western tensions with Iran accelerate the tempo of Iranian cyber operations, and we anticipate this issue to continue if tensions persist,” FireEye predicted. “We have seen activity from several Iranian groups—including APT33, APT34, and TEMP.Zagros—against financial services, media and entertainment, retail and other sectors. In addition to exfiltrating sensitive information, it is possible that Iranian groups could leverage compromised access they establish for disruptive and destructive cyberattacks to retaliate or impose costs against adversaries.”
Tim Bandos, vice president of cybersecurity at Digital Guardian, predicts that increased activity from state-sponsored threat actors in 2020 may include escalating attacks on critical infrastructure. While attempted intrusions and successful attacks have been isolated incidents so far, some experts believe these could have been preliminary efforts, setting up backdoors as a foothold for the future. “With the considerable adoption of IoT devices connecting once-segregated Operations Technology (OT) environments, the security in these environments needs to be fully assessed and controls need to be put in place as soon as possible to mitigate against future attacks,” Bandos said. “It’s only a matter of time.”
New Ransomware Twists
Over the past year, two main classes of ransomware attacks made headlines: attacks on state and local public entities and increasingly targeted attacks that interrupt an enterprise’s operations. State and local governments often have notably weaker security provisions and fewer resources for either prevention or recovery measures, and these attacks have often targeted not only internal operations but public-facing services, forcing these entities to disclose the incident and putting their response under the microscope. In some cases, this combination has led to payouts, and the ease of striking these targets means the risk will likely continue in the new year.
Criminals launching ransomware attacks have become more sophisticated and, in some cases, are even pooling resources to initiate more targeted campaigns. “What we’ve been seeing in the underground is threat actors advertising their access to organizations, no matter what industry, and trying to find partners who have ransomware that they can deploy deep in those networks in a very customized fashion,” Sandra Joyce, senior vice president of threat intelligence at FireEye, wrote in the firm’s predictions report. “We’ve also seen some of the most sophisticated criminal intrusion operations shift to this type of ransomware deployment, away from other tactics. This very targeted ransomware technique is leading to increased ransomware demands and putting organizations at a high risk of losing intellectual property.”
Indeed, some predict the desire to access intellectual property or other sensitive information will increasingly lead more sophisticated ransomware attackers to launch two-stage schemes. “For 2020, we predict the targeted penetration of corporate networks will continue to grow and ultimately give way to two-stage extortion attacks,” researchers at McAfee Labs forecasted. “In the first stage, cybercriminals will deliver a crippling ransomware attack, extorting victims to get their files back. In the second stage, criminals will target the recovering ransomware victims again with an extortion attack, but this time they will threaten to disclose the sensitive data stolen before the ransomware attack.”
The firm believes criminals will exfiltrate sensitive information before a targeted ransomware attack to either sell online or use to extort the victim for more money. Others have noted that attackers could also point to the hefty regulatory fines that could be triggered if they go through with the threat of publishing the stolen data.
Cyber Insurance Uncertainty
With more frequent breaches, more rigorous enforcement by regulators, and the surge of ransomware attacks with widespread ramifications for third parties, the costs of cyberrisk failures have never been higher. Insurers that have scrambled for market share in this booming line may have to give closer scrutiny to what they underwrite. The aggregated losses from cyber incidents are substantial, but industry experts largely agree that there is still ample capacity in the market. That being said, forms continue to get more complex and exclusions more common, and in some cases, insurers have been increasingly litigious when pressed to pay out. Additionally, while capacity may be available, enterprises should be prepared for at least the possibility of rising rates. As losses continue, policyholders should be paying close attention to cyberthreats to learn about new threats that fall into the realm of “silent cyberrisk,” trends that could impact their supply chain, large-scale losses that could see prices harden, and attack methods that insurers move to exclude.
Shifting Regulatory Focus
On a global level, Laura Koetzle, vice president and group director at Forrester Research and a member of the RSA Conference advisory board, predicted that the EU will “lay claim to the title of ‘regulatory superpower’” this year, noting she expects to see aggressive antitrust enforcement, a steady stream of GDPR enforcement actions and “an avalanche of consumer privacy class actions.”
In the United States, all 50 states have their own data breach notification laws, layered on top of a patchwork of industry-specific regulations and regulatory bodies. At the massive CES tech tradeshow in January, Federal Trade Commission Chairman Joe Simons declared the time had come for a federal privacy statute, though he stopped short of calling for a new privacy regulatory agency. With implementation of the California Consumer Privacy Act (CCPA), the nation’s most stringent privacy rights and data protection law to date, the disparities in requirements for businesses and the uncertainties of falling under so many distinct jurisdictions have begun to push more enterprises toward the same view, seeking clarity from a nationwide standard.
“As one can imagine, having 50 state consumer privacy laws on the books will create a compliance nightmare for organizations of all sizes,” said Michael Magrath, director of global regulations and standards at antifraud technology firm OneSpan. “There needs to be a comprehensive federal consumer privacy and data protection law to address the compliance issue and the legislation should also incorporate minimum security requirements for organizations to deploy to protect consumer data. It would be surprising if the [recently proposed] ‘Consumer Online Privacy Rights Act’ becomes federal law in 2020, but it should generate some interesting debates and lawmakers can expect pressure from the business community especially after the CCPA’s enforcement begins in July.”
Regulators and investors will continue to look more to top executives and boards of directors to recognize, assess and plan for the risks cyber presents to the bottom line in more concrete ways. “Regulation, or simply standards of practice, will elevate the requirements for Boards of Directors when exercising duty of care with respect to cybersecurity losses,” predicted Jack Freund, director of risk science at RiskLens. “Disclosures around exposure to cyber losses will require more detail, including potential losses and how those losses are covered either through cash reserve, bond or insurance.”
Further, top executives, directors and officers have recently faced increasing scrutiny for their actions with regard to cybersecurity and increasing personal accountability for cyber-related governance failures or negligence, and this shows no sign of waning. Indeed, a number of jurisdictions around the world have recently gone so far as to include criminal liability and potential prison time for directors and officers in proposed legislation. Such provisions are included in the data protection bill officials in India are expected to bring to a vote this year, the Cayman Islands Data Protection Law that went into force in September 2019, and drafts of proposed national privacy laws in the United States. While the year may not see any director or officer actually go to jail, the rising stakes should increase scrutiny and urgency around cyberrisk management from the top down.
Exercising Data Privacy Rights
Of course, such new regulations also mean businesses will need to allocate time and resources to compliance efforts. One particular component of an increasing number of data privacy regulations may demand more attention this year. As regulations like CCPA and GDPR establish individuals’ rights to transparency and choice in the collection and use of their personal data, one can expect to see more people exercise these rights.
“Similar to how Europe has a ‘right to be forgotten,’ companies will begin offering the ability to destroy or shred their own personal data,” predicted Ameesh Divatia, co-founder and CEO of data protection company Baffle. “Facebook, for example, already offers a ‘kill switch’ data revocation method. I expect this will become ubiquitous among companies that collect and store consumer data.”
In turn, businesses need to ensure they have formal and efficient processes in place to comply with such requests in the clear terms and prompt manner these regulations require, or risk fines and reputational fallout. These processes will also need to produce sufficient documentation to attest to compliance, so businesses that have not already done so should be building auditable and repeatable procedures for “data revocation.” Depending on the role personal data plays in a company’s business model, it may also need to consider the business impact a high volume of such requests could have going forward.
“The 2010s were marred with massive, high-profile data breaches and abuses of consumer trust (Facebook/Cambridge Analytica, Yahoo, Marriott, Equifax, Target),” Divatia said. “The 2020s will see a bifurcation between companies that protect user data and share it responsibly, and those that do not. Those that play ‘fast and loose’ will see an immediate hit to their brand impact, mounting legal and regulatory costs and the long-term health of their business come into question. In contrast, those that design their systems to share data responsibly will thrive and soar in value.”
Hilary Tuttle is senior editor of Risk Management.