“Never make predictions – especially about the future”
Unquestionably wise words and particularly applicable to the chaotic world of cyber threats. Nonetheless, in an effort to extract some order from the chaos, this is our view on some of the key cybersecurity “known unknowns” facing professional service firms in 2023.
1. Managing Ransomware / Cyber Extortion
Ransomware and cyber extortion are well understood and, while the threat has not gone away (far from it), the environment has become more challenging for the threat actors. Firms have invested heavily and have benefited from, among other things, insurers’ empirical experience of which defenses deliver the most value.
At the same time, the crypto environment has become more challenging with the collapse in values and bankruptcies among exchanges, the attention of law enforcement in tracking activity on the blockchain, ever-widening sanctions enforcement and direct action against hacking groups. These same factors create challenges for victims who feel they have no choice but to pay a ransom. While the OFAC Advisory Letter of September 2021 set out the conditions under which a victim can mitigate the risk of being penalized for paying a ransom to a sanctioned entity, the same advisory made it clear that parties who facilitate such a payment (insurers and financial institutions in particular) have no recourse to any such mitigation. This can make sourcing the cryptocurrency and finding an exchange to handle the payment difficult, and it means that insurers cannot reimburse any extortion payment made.
2. Preparing for the Next Threat
Ransomware has been such a dominant factor in the threat environment for the last three to four years that it is easy to forget it rose to prominence as the business models behind other threats (e.g., DDoS and theft of PII) became less profitable and the enormous profits available from ransomware and cyber extortion became evident. With the threat environment in flux, it is difficult to predict where the next big threat will come from and to determine which defense investments and strategies are appropriate. The combination of global recessionary forces, sanctions and the impact of the Russian aggression against Ukraine may drive increased state-sponsored activity as pariah states seek access to funds.
3. Social Engineering Fraud
Social engineering fraud has been a problem for many years. In 2013, for example, a criminal was indicted for stealing $70 million from law firms using the notorious “debt collection” scam. The disruption of the cryptocurrency environment appears to be renewing focus on more direct models of stealing money from professional service firms.
The tools available to the social engineering criminals, ranging from the availability of substantial amounts of information on potential targets (from social networking sites to the dark web) to Artificial Intelligence “deepfake” impersonations, present ever-increasing challenges. The biggest of these is that the targets of these scams are human beings, not systems or networks, so the best defensive tools are training and processes (at least, until neural implants allow us to upgrade our brain’s security firmware).
Social engineering fraud is not truly a “cyber insurance” risk. It rarely involves a hack or compromise of a computer system or network and money is an asset that is usually excluded from cyber policies, although some cyber policies can be extended to cover social engineering fraud. It is therefore important to understand what is covered by the firm’s cyber policy and what coverage is available from the firm’s Commercial Crime policy (and these policies are complex with, for instance, strict definitions on where funds must be “held” to qualify for coverage).
4. Bad Leavers and Insider Threat
It is never a comfortable thought that one of the most damaging threats can be from employees and partners and that there is often little or no indication of a threat until it is too late. The practical issues of defending against an insider threat are at best problematic and can be harmful to productivity and morale. Unfortunate experience shows that the most damaging insider incidents often involve senior, and therefore the most trusted, members of the firm – partners, rainmakers and administrative officers.
In addition to the threats posed by bad leavers and embezzlers, “hacktivists”, suspected to be behind several major breaches such as the Panama Papers and Luanda Leaks, have been facilitated by a world in which social justice causes are gaining more support and headlines. One side effect of a cyber incident further complicates the picture – the potential increase in staff turnover and the additional challenge of ensuring that departing employees are not leaving with more than they should.
The prospect of an economic downturn, together with the downsizing already happening at many professional service firms in anticipation of it, points to a higher-risk environment. As with social engineering fraud, this is a risk that spans both Cyber and Crime policies (particularly regarding embezzlement).
5. Supply Chain
Ever since June 2017 when NotPetya demonstrated the devastating wide-scale impact that can be achieved by exploitation of a software supply chain vulnerability, hackers have been working on tactics to exploit the supply chain; from SolarWinds to Microsoft Exchange to Log4j, the attacks have caused disruption and damage affecting thousands of companies worldwide.
These hacks demonstrate the levels of interdependency that exist and how an attack can exploit a bottleneck to raise the stakes for the primary victim. The speed with which these attacks are launched and propagate puts the focus on keeping software up to date and ensuring that there is a comprehensive strategy for identifying vulnerabilities, triaging them, patching critical vulnerabilities and auditing the patching process to ensure that patches are installed and working. It also reduces the tolerance window for end-of-life and unsupported software, increasing the challenge for firms that must, for example, retain legacy systems required for compliance / reporting purposes.
The cloud has long been promoted as a way to reduce costs while increasing security. There is no question that the cloud can provide benefits in both areas and many professional services firms have overcome their initial reservations and embraced the cloud for everything from email to document management systems. However, criminals have also embraced the cloud, both in terms of using it as infrastructure to launch attacks as well as targeting it for attacks. According to the Netwrix 2022 Cloud Security Report “targeted attacks on cloud infrastructure increased significantly ... in 2022” and the top 3 security challenges for cloud users are “lack of IT staff, lack of expertise in cloud environments and lack of budget.”
The regulatory and legislative environment around data privacy is continuing to evolve and seems to become more onerous at every turn. It is evident that almost everyone’s personal information is widely available (the recent news of the release of information of 400 million Twitter users being just the latest of a long line of breaches impacting hundreds of millions of people) whether on the dark web, or legally traded between online advertising corporations.
In this environment, it seems unlikely that any one breach is materially, or even marginally, increasing the risk of data abuse for any one individual. Nonetheless, data privacy statutes are becoming increasingly onerous and a recent decision out of the 3rd Circuit gave standing to a plaintiff based on the possibility of future harm, opening the door to class action litigation. As much as the regulatory environment may appear to resemble fining a company for littering in the middle of a landfill, the reality is that with the fines and penalties being so severe and regulators writing more onerous and restrictive legislation, the only option available at this moment in time is to prioritize data privacy protections.
The Cyber Solutions team at Aon can help you understand and quantify your cyber risks. Please contact Bryan Hurd.
Aon is not a law firm or accounting firm and does not provide legal, financial or tax advice. Any commentary provided is based solely on Aon’s experience as insurance practitioners. We recommend that you consult with your own legal, financial and/or tax advisors on any commentary or suggested approaches to Cyber posture provided by Aon. The information contained in this article and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. This article has been compiled using information available to us as of 01/30/2023.