In today's environment, the challenges facing organisations are multifaceted and constantly changing as the external risk evolves and internal challenges multiply.
Ransomware and business email compromise (BEC) fraud attacks continue to offer criminals significant financial rewards. Ransomware attacks have become increasingly sophisticated and frequent. Criminals now routinely employ data theft and aggressive extortion tactics, such as threats, public shaming, and threats of legal and business consequences, alongside traditional encryption attempts. Meanwhile, a sophisticated criminal ecosystem has grown up around the industry, distributing the skillsets needed to engineer such attacks and lowering the bar to entry. Generative AI reinforces these trends.
In addition, a more confrontational geopolitical situation means that hostile nation state cyber activity is a prevalent risk, in particular for organisations operating critical national infrastructure. Such attacks are difficult to identify due to the sophistication of the attacker and the resources which can be brought to bear where there is nation state involvement.
We are also seeing a worrying trend of targeted supply chain attacks, in which criminal groups exploit the interconnected nature of modern business ecosystems by targeting third party vendors or suppliers, allowing them to multiply the potential returns by leveraging a single successful attack against the many impacted customers of the supplier in question. This is also placing increased pressure on outsourcers such as managed service providers, who are both targets for threat actors and increasingly a focus of regulatory attention, with both the UK and EU enhancing regulations in respect of MSPs and critical ICT suppliers.
Peter Dalton
Partner, Herbert Smith Freehills
Internal risk factors are also key sources of risk. The majority of attacks still have 'basic' security failings as their root cause. Staff training to spot phishing attacks and other forms of unauthorised access attempts, and long-established security practices such as fully implemented MFA, device management, privileged access controls and critical security patch management, remain fundamental defences. The lack of one or more of these defences is a factor in the majority of successful attacks. These risks are exacerbated by remote working (and the associated risk of 'shadow IT') and by new services such as AI large language models.
These risk factors are set within a complex and increasingly demanding regulatory and legal landscape. Cyber regulation, with associated requirements and enforcement powers including fines, is increasing worldwide. The more developed regimes are increasingly adopting sector-specific cyber regulation with proactive auditing and enforcement powers, such as the NIS 2 and DORA regimes in the EU. Globally, jurisdictions which previously lacked specific regulation are moving to adopt privacy regimes and cyber regulation, making for a complex and developing global regulatory framework.
We are seeing a lowering of the bar in terms of the skillsets needed to launch attacks, increasing the range of potential attack sources and adding to an increasing unpredictability. We are also seeing an increase in aggression born of a changing success-to-payment ratio and increasing payment values.
It previously required a significant degree of skill to successfully carry out ransomware or other sophisticated forms of criminally motivated cyber attack. In the context of ransomware, criminal groups needed to have the requisite level of skill and resources to penetrate systems, deploy ransomware, and extort their victims. However, a more complex underground cyber crime ecosystem has developed in recent years, and ransomware in particular has developed into a service model in which different parts of the attack chain are executed by different groups. For example, ready-to-deploy malware kits, IT infrastructure, and even breached access points in victim networks are now available on the dark web under a variety of payment models including one-time fees, subscriptions, affiliate programmes and profit-sharing models.
The consequences of this are varied. There is the aforementioned lowering of the bar, in the sense that threat actors no longer need to possess all the skills needed to pull off an attack.
This in turn leads to increased specialisation, with threat actors in each part of the attack chain 'honing their craft' and developing more effective approaches. The varied roles make attributing attacks more difficult and also mean that it can be hard to know if the attacker which contacts the victim is 'good for their word', as they may not be in full control of all elements of the attack and data theft. Victims of an incident may not be dealing with professionals all the time, and multiple parts of the chain can be managed by various, disconnected assailants. An assurance from one threat actor may not be consistent with what another attacker in the chain is offering. For example, a promise to delete stolen data may not be reliable, as the person you are talking to does not control all the copies. The division of labour increases the volume of attacks that the criminal ecosystem can launch, enables the development of more specialised skillsets, and incentivises more aggressive extortion demands due to the need to share the spoils.
In response, we are seeing increasing aggressiveness and demands for higher payments. This is also driven by the wider landscape. In general, organisations have become better prepared for cyber attacks in recent years, improving their defences, spreading their risk by reducing single point dependencies, and using backups to recover from incidents more quickly. The result has been that the percentage of successful attacks, in which a victim is forced into paying the ransom, has been going down. However, the overall amount paid in ransoms has dramatically increased, believed to have almost doubled in 2023 compared to the previous year. This is driven by two factors: a significant increase in the number of attacks (partly enabled by the aforementioned developing criminal ecosystem), and an increase in the aggressive tactics deployed by threat actors. More aggressive and tailored extortion tactics are common, including contacting journalists, seeking to turn employees against management, triaging stolen data and leveraging the most significant or embarrassing data sets, and even threats of violence. The volume of attacks, the amount demanded, and the pressure exerted are all going up because threat actors need to make money and no longer do so on as high a percentage of attacks as they previously did. So they need to do more, and need to make as many of those attacks count as possible.
Generative AI has also prompted the simplification of attacks. As a result of the easy availability and increasing accuracy of large language models, it is now easier than ever to create credible phishing emails that do not contain typos or otherwise tip off the recipient. While email is still the primary mode of phishing attack, reports of deepfake video and audio attacks are becoming more commonplace, even if they are currently the exception. These tools exist and will only improve.
Organisations that suffer a cyber-attack face several significant follow-on risks, in addition to the short term costs of incident response, remediation, regulatory notifications, legal costs and business interruption.
Regulatory risk is significant and increasing. More and more jurisdictions are adopting and strengthening their data privacy and sector-specific cyber regulation, with tightening notification requirements and penalties. Global incidents will now routinely trigger the regulatory regimes of multiple jurisdictions. Moreover, organisations in more tightly regulated sectors will often see multiple overlapping notification and penalty regimes. For example, an entity in a NIS 2 regulated sector in the EU may have to notify both privacy regulators under the GDPR and NIS 2 regulators, with the latter subject to an initial 24-hour deadline.
Litigation risk also remains a key concern. Data class actions following an incident are common in the US. The EU's Representative Actions Directive opened the door to the development of similar regimes in the EU although uptake has been slow to date. Meanwhile in the UK, while case law has limited the potential for mass 'opt-out' class actions relating to data privacy breaches in the short term, 'opt-in' private actions remain common in the aftermath of cyber incidents involving data breaches, and these can remain live issues years after the incident took place. In addition, the focus on the supply chain and the increasing regulatory burden has also increased the volume of supply chain disputes as different parts of the chain seek to offset and recover their losses where possible.
Reputational risk poses a significant issue where a company has performed badly in an incident response situation. This goes hand-in-hand with potential fines and the significant business costs of dealing with a flood of complaints. Market reviews have indicated that organisations generally see a decrease in share price valuation after a significant incident; however, those that are seen to respond well will recover quickly and potentially see a positive end impact as a result of their well-received approach. Those considered to have responded badly do not see the same recovery.
In the last two years, the cyber regulatory burden for companies has increased significantly, driven by new laws and enhanced compliance requirements across various regions.
For example, the EU has enacted regulations such as NIS 2 and DORA, two directives aimed at strengthening cyber security resilience and harmonising regulations across the EU. DORA focuses on the financial services sector, while NIS 2 is focused on industries deemed to be of national importance. Both are wide-ranging and impose strict cyber controls, contracting obligations with key suppliers, and, in the case of NIS 2, a much-strengthened incident notification and penalty structure. It is expected that these will herald a significant increase in regulatory activity and pro-active inspection and enforcement activity in the EU. NIS 2 was supposed to be transposed into national laws by 17 October 2024 (a date that not all Member States have met), while DORA comes into effect in January 2025. It does not stop there, as the EU also implemented the Cyber Resilience Act in December 2024, which imposes security standards on Internet of Things (IoT) or 'connected' devices.
Divergence from the EU is becoming a theme for the UK, which no longer follows EU law post Brexit. The UK implemented the original NIS regulations while still in the EU, and while EU Member States work to replace the existing legislation with NIS 2, changes to NIS 1 in the UK are currently much more limited, consisting of a proposal to extend coverage to include Managed Service Providers. However, the new Labour Government has announced a Cyber Security and Resilience Bill which will be published in 2025 and is expected to expand the scope of existing regulations to cover more digital services and supply chains, enhance the powers of regulators, and mandate increased incident reporting. Meanwhile, plans to overhaul the UK GDPR, which caused concerns about potential divergence from the EU, have been shelved.
Globally, these trends are repeating. While the US is no closer to a federal data privacy law, individual states continue to expand the scope of the regulatory burden at the state level, and in July 2023 the SEC adopted new rules requiring public companies to disclose cyber security risks and incidents in their annual reports and report material cyber security incidents within four days.
The emphasis on supply chains has also had significant impacts on contractual requirements, as suppliers face often stringent demands from customers in order to meet security standards drawn from regulation. This causes problems for some suppliers, especially smaller entities, and may tilt the balance in favour of larger suppliers which are more easily able to swallow increasing contractual security requirements, and/or increase costs for regulated entities seeking to outsource services.
Increasing personal liability has also been a theme, especially for CISOs. In the US, we saw actions such as the SEC's lawsuit against SolarWinds and its CISO over misleading cyber security disclosures. NIS 2 provides for Member States to impose personal liability on 'management bodies', which is likely to include boards, while GDPR already contains certain personal liability provisions.
These changes reflect a global trend towards more stringent cyber security regulations, emphasising the need for organisations to enhance their cyber security measures and ensure compliance with evolving standards. Many organisations with a global footprint have looked to establish 'baseline' standards which meet the high watermark of regulation impacting their business. This leads to possible harmonisation, in which the most stringent regulation from one jurisdiction may become the de facto global standard for organisations which do not wish to segregate their compliance regimes by location, something we have already seen with GDPR to a certain extent.
Board engagement is often seen as critical by regulators, and regulation typically focuses on ensuring that boards are actively aware of, and taking responsibility for, key decisions in respect of an organisation's security posture and strategy. When regulators carry out spot inspections, one of the items they seek to evaluate is whether the board understands cyber risk, is engaged by it, and is involved in making the appropriate decisions.
One recommendation under cyber frameworks (e.g., the NCSC's Cyber Assessment Framework) is to ensure that boards have one member with responsibility for ensuring visibility of cyber matters at board level. This does not mean delegating cyber functions to that member, but is a means of ensuring that someone is keeping the topic at the top of the agenda, ideally as a standing item.
In-house legal should seek to ensure that the board is engaging in regular discussions on the security of networks, especially if the organisation is in regulated sectors such as under NIS/NIS 2. It also needs to assist in ensuring that directions set at board level are translated into effective organisational practices downstream.
Legal teams may also assist by providing training to the board on legal obligations connected with cyber, assisting with risk reporting to the board, and helping to develop policies and procedures which align with regulation and best practice, especially on governance and risk management, which is where the board is likely to be most involved. They may also assist in the organisation of incident response planning and simulations, in which the board will have a role in overseeing key strategic decisions.
Yes, the market is becoming softer after a period of hardening. This is largely the result of increasing capitalisation after a period in which high payouts had reduced the liquidity in the market. However, insurers still often require significant demonstration that adequate cyber defences are in place, for example MFA. This may be a prerequisite to obtaining insurance but also has a positive effect on increasing standards, especially in the SME space. Further, policies tend to include more exclusions, and lower individual limits on coverage than might have been the case previously.
It is important to note that insurance coverage, while in some circumstances part of a wider solution, is simply a risk transfer mechanism. It does not actually reduce the possibility of an attack nor will even the best (and most expensive) policies fully remove the exposure of an organisation.
Regulators do not take insurance into account as a risk mitigation measure, and while some fines can be insured against, this is not always the case and in any event policies will contain requirements for coverage which do not allow an organisation to simply pass the risk to the insurer without taking adequate mitigation measures of their own.
One area that clients often ask about is their ability to have their own advisors act in the event of an incident, rather than be forced to use the insurer's own panel providers (who will be engaged directly by the insurer). This may be because they have existing retainers in place, they want to leverage the experience and expertise of their long-term advisors, or because they want to ensure independence of their advisors in the event, for example, of a coverage dispute with the insurer (which insurer panel firms will typically not be able to assist with, and indeed will have disclosure obligations to the insurer and its coverage counsel). This is usually possible, but best advanced at the outset when taking a policy, rather than waiting for an incident to hit and then broaching it with the insurer.
The political situation undoubtedly impacts cyber risk.
State-sponsored cyber-attacks are an obvious example, with geopolitical tensions often leading to an increase in state-sponsored cyber espionage and sabotage. The conflict between Russia and Ukraine has seen numerous cyber-attacks targeting critical infrastructure, power generation, government systems, and private enterprises. Modern conflicts increasingly involve hybrid warfare, combining traditional military operations with cyber-attacks to disrupt communications, sabotage infrastructure, and spread disinformation. Corporates, especially those involved in critical national infrastructure areas such as energy, food, health, public utilities, defence or financial institutions, need to be especially alert to the threat, and this is part of the impetus for the increasing regulatory efforts in critical national infrastructure sectors. The incident response strategy for a state-sponsored attack is significantly different to that for criminal 'for-profit' actors and typically requires much greater involvement with law enforcement and security agencies.
Geopolitics also significantly influences the criminal cyber landscape. Cyber criminals often exploit geopolitical tensions to further their own objectives. For example, state proxies and criminal groups may target victims in politically opposed jurisdictions and in doing so gain access to resources and protection from the host country, which hinders international efforts to apprehend cyber criminals.
Regulation will play a pivotal role in shaping the cyber security landscape over the next three years, and we expect the regulatory burden to continue to grow. Governments and regulatory bodies worldwide are increasingly recognising the need for robust cyber security frameworks to protect against evolving threats. This recognition is driving the introduction of new laws and the enhancement of existing regulations, as we are seeing in the EU, US and UK amongst others. Over the next three years we will see how EU Member States implement and enforce NIS 2 and DORA, and we expect to see an increase in inspections, enforcement and fines. The success of these regulations may drive similar efforts in other jurisdictions. Overall, we expect increasingly complex regulation with which organisations will need to comply.
The supply chain in particular will continue to be a key focus, and we expect to see increasing contractual complexity and security requirements in supply chains in response to renewed regulatory focus and criminal targeting.
Some jurisdictions have discussed the possibility of outlawing the payment of ransoms as a means of trying to cut off the profitability of criminal attacks. However, there is no consensus on this and while we expect it to continue to be a topic of conversation, there is little in the way of substance to suggest that such initiatives are likely in the short term. The fear remains that outlawing ransom payments may not solve the problem and may have unforeseen consequences.
We expect to see the complexity of criminal attacks continue to increase as criminal groups gain access to better tools and specialisation. Ransomware attacks are expected to evolve, becoming faster, more targeted, and increasingly focused on supply chains. Cyber-criminals will likely integrate AI and automation into their ransomware operations, making early detection and response even more critical, and the themes identified above arising from the increasing complexity of the criminal cyber ecosystem are likely to become more entrenched. Unfortunately, while organisations are responding better and building up their defences, the profitability of the cyber criminal ecosystem means that most observers do not expect to see any significant reduction in the curve of increasing attack volume and financial losses.
Geopolitical tensions show no sign of abating and as such are likely to continue to influence the cyber security environment, with state-sponsored cyber-attacks and hybrid warfare becoming more prevalent.
1. For example, NIS, NIS 2 and DORA.
The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills 2024