Cyberthreats are still on the rise, while our cloud-based digital economy is gearing up for the metaverse and quantum computing. How do we prepare our organizations for this onslaught?
Companies in Asia Pacific are increasingly under more pressure to mount a robust response to cyber events, and the recent attacks on telcos and insurers in the region have also proven instructive in terms of the scale of the reputational and financial consequences potentially facing businesses.
The financial costs go beyond the ransoms demanded by hackers – businesses have to consider post-breach compensations and remediation work, and legal implications that could be especially wide-ranging if a company operates in multiple jurisdictions with different regulatory standards.
Alon Cliff-Tavor, Partner, Digital and Financial Services, Oliver Wyman, shares some regional trends and best practices for how organizations are approaching cyber preparedness and response, from a legal, financial and organizational perspective:
Where ransomware is concerned, what are the costs to a victim organization other than the ransom?
Alon Cliff-Taylor (ACT): First of all, it does not always end up with the victim paying the ransom. In some cases, even if they desire to end the event with ransom payment, they might not be allowed to because of legal limitations. Furthermore, in a large portion of cases, even if the victim pays the ransom, the attacker does not live to its part of the bargain, and the victim’s plight including all direct and indirect damages remains exactly what it was prior to paying the ransom.
Regardless of whether the victim chooses to pay the ransom, the event hardly ever gets settled with “just” paying the cybercriminals. Other damages and cost items include:
- Legal costs, including external legal counsel
- IT remediation, as frequently such an attack renders hardware and software useless and they need to be replaced in order to resume services
- Client engagement and remediation operations, including the set-up of call centers for client outreach, both for incoming queries and complaints, as well as for outgoing calls to inform and engage affected clients and other stakeholders
- Fines and regulatory sanctions, which in some jurisdictions can be very severe
- Direct financial costs for client and other stakeholder compensation
- Loss of business, during the period the victim couldn’t engage in normal operations, and also following service resumption, as a result of client desertion and injured client and other stakeholder relationships
- Cyber and IT consultants and experts, including negotiations experts, for dealing with the crisis and its consequences
- Public relations, media, and image consultants, to repair the brand damage
Who should be in the ‘war room’ to mitigate further damages?
ACT: A cybersecurity crisis may affect many aspects of business operations, and will certainly require the active involvement of many enterprise stakeholders in order to effectively manage the situation and recover from it in the most effective and rapid manner.
In terms of ‘war room’ attendance, I would mention the following:
- Senior Management, which depending on the incident severity, might include the CEO / President, and in some cases, some key executive or non-executive Board of Directors members, especially those that have a specific role, e.g. members of the Cyber, IT and/or Risk Board Committee
- Chief Information Security Officer (CISO) and key members of the CISO team, including representatives from Security Operations, Cyber Threat Intelligence
- Compliance and Regulatory Affairs, to advise on informing and engaging regulators and law enforcement, and to opine on decisions and situations that may have regulatory consequences
- Human Resources – to advise on and represent employee and staff aspects of the crisis, including staff communications and insider risk, if any insider foul play is suspected
- CIO / CTO and key members of the CIO / CTO teams, including Network Operations, Infrastructure, and if a specific portion of IT was affected (e.g. a specific systems) then the technical owners of the affected assets
- Business Unit Heads or their representatives, to be advised and consulted on matters affecting clients, business flows and processes, economic impact on the respective businesses, etc.
- Public Relations, Investor Relations, and Marketing – to manage the repercussions of the events in real-time and advise senior management on stakeholders impacting decisions.
When planning for cyber events, how can organizations minimize the impact?
ACT: The leading frameworks typically divide cybersecurity risk-handling into different phases or stages of activities. The most well-known of such frameworks is NIST’s ‘Prepare-Protect-Detect-Respond-Recover’.
There are activities that are essential to engage in during each one of those stages, if an organization is to reduce the likelihood of being successfully attacked and/or the magnitude of the impact in the event of a successful attack.
A few high-level examples:
- Under ‘Prepare’ there are quite a few organizational and technical capabilities that will have to be procured and built, including risk management processes aimed at identifying risks, analyzing them, and effectively mitigating them. Another important element of due preparation would be to identify and analyze all relevant information and technology assets, which is not always a trivial undertaking
- It might sound trivial that organizations need to ‘Detect’ that they are being targeted or attacked, or that they will discover that. In reality, majority of attackers stay undetected for a very long time, as long as a year or more inside a victim’s networks, before they finally strike
- In the ‘Respond’ phase, detailed and utmost practical preparation is required. Nothing should be left to chance and stakeholders involved in managing a cyber crisis must be extremely well familiar, exercised, and rehearsed, in fulfilling their roles. Exercises need to be frequent enough, involve all the relevant management reps and stakeholder teams, and run on scripts that are comprehensively mimicking real-life likely scenarios. Detailed and prescriptive cyber incident response plans need to be drafted, stress-tested and drilled. Tools, technological and otherwise, need to be available and in good state of usability, at the crisis center. Drafts and templates of memos and reports must be prepared. These are just a sample of the long list of things required to respond to a cyber attack.
- Oliver Wyman helps clients across industries to prepare, drill, and be ready for such crises on a regular basis, and we engage all levels of enterprise stakeholders in ensuring full preparedness, in full alignment with the nature of the client’s business, its industry, and its risk profile.
How should companies communicate with their stakeholders and what sort of documentation is needed as evidence of an organization’s adequate response?
ACT: When it comes to stakeholder communications during a crisis, one needs to pay attention to a number of attributes:
- Timeliness and immediacy – information needs to flow seamlessly, quickly, and be available for stakeholders when they need the information
- Clarity and unambiguity – having the right information to base decisions on could be critical at times. Recipients need to immediately understand the content of every communication to be able to prioritize actions on the basis of information provided, in an information-overload situation
- Trust – information and its sources need to be trusted rather than be challenged or suspected by its recipients
- Role-contextualized – every recipient needs to understand why they are targeted with any communications content, in the context of the role they play in managing the cyber crisis. Therefore, absolute clarity on roles and responsibilities of each stakeholder is paramount.
- To facilitate and achieve all of the above parameters, organizations need a high level of preparedness for cyber events, including:
- Very detailed and future-proof playbooks, describing scenarios and responses, roles and responsibilities, communication channels and means, tools, templates, and standards for responses, as well as internal and external communications
- Decision-making powers need to be made clear, so that stakeholders look to the right role-holder to get guidance. For example, who decides on the content of external communication? Who decides whether to pay ransom to the criminals? Who has freedom to engage external support, and at what cost thresholds? These and many other decisions will have to be taken quickly and in full coordination during a crisis, hence clarity is essential
- Physical infrastructure at the crisis center will go a long way: phones, contact lists, computers, etc. need to be at full preparedness at all times
- Drills, exercises, and simulations need to take place regularly. If stakeholders meet for the first time during a crisis, they will not know each other’s communication style, expertise, strengths, and weaknesses. To foster confidence, trust, and performance level necessary for successful crisis management, practice makes perfect.
- It is also essential to remember the external stakeholders that may need to be contacted. This includes external legal counsel, technical advisors and contractors, law enforcement agencies, industry bodies for peer-to-peer coordination and information sharing, regulators, and others.
- Last but not least, external stakeholders who may have been affected, including clients, suppliers, ecosystem partners, and others.
What further impact would the metaverse of ‘mixed realities’ add to existing cybersecurity challenges organizations already face?
ACT: We are witnessing an explosive growth of new ways of marketing, trading, and engaging with clients, which will surely expand in the coming years to also include other stakeholders, such as investors, suppliers, etc.
As beneficial as this new reality may be, it also creates huge uncertainties, as the legal, operational, and technological aspects are still unclear.
We expect that fraud techniques and operations, focusing on the metaverse, will emerge and pose meaningful financial damage to both consumers and firms, as both the metaverse itself and the augmented and virtual realities created simply increase the individual and organizational ‘attack surface’.
How can advances in tokenization, digital identity products, and quantum cryptography add another layer of security?
ACT: Advances in cryptographic technologies and solutions like tokenization will continue to help keep sensitive information protected. The more sophisticated the cryptographic solution is, the more difficult it is for a criminal to make use of the underlying, protected information. For tokenized information, for as long as operational standards are maintained and followed well, there is hardly any use in trying to steal it, as it holds no value to the cybercriminal.
Quantum computing is a different story, because before quantum computing will be used to create new and more advanced cryptographic solutions, it is likely to be leveraged by attackers to break codes and cryptographic protections that today’s computers cannot do. According to the Centre for Strategic and International Studies, a powerful quantum computer, for example a 4,099-qubit one, would only need 10 seconds to break the same RSA encryption that would require 300 trillion years from traditional computers.
This has extremely meaningful implications on the perception of security – everything we thought to be safe and secure because it is encrypted or protected by cryptographic technologies, will essentially be very vulnerable.
We have been working with our clients on preparedness plans whereby we explore their exposure, the suitability of emerging quantum computing related frameworks, and come up with some solutions and planning, in anticipation of this massively disruptive technology.