Cyber Security Regulatory Developments and Organisational impacts

 

TL;DR

 
  1. The SEC has introduced new, onerous cybersecurity Risk Management, Strategy, Governance and Incident Disclosure obligations for listed US organisations.
  2. This is a position Australian regulators have taken in principle for some time, and it foreshadows the ongoing strengthening of regulation in this area locally.
  3. The impact of a cyber event can be catastrophic to a business, irrespective of size, sector, and private or public status. Enhanced regulations only increase the impact.
  4. The data an organisation holds (or does not hold) should not be the only driver when considering cyber security risks; operational disruption has the potential to be more damaging.
  5. The requirement for an understanding of, and focus on, cyber, technology and data risk is an ever-increasing non-negotiable, and specifically, the role of the CISO needs to adapt to a more holistic one.
  6. Ignorance of this risk is no excuse, from both a regulatory and an impact perspective.

A specific item of interest within the regulation is the elevated role of corporate cyber “chiefs” (i.e., CISOs), especially in discussions with senior management and the board about assessing an attack or event for materiality. It puts the onus on companies to quantify cyber risk alongside their other business risks.

RedBelts observation
Arguably, this is a literal call for organisations, and specifically their CISOs, to broaden their understanding, mandate and focus away from a technically dictated one towards a focus on broader organisational resilience. An effective cyber security strategy will need to be communicated clearly, to set expectations for how the proposed strategy will mitigate risk and build the resilience needed to respond appropriately to an event.
Organisations need to clearly understand - specific to cyber, technology and data risk - how much risk they are willing to accept, prioritising which actions to take and putting the impact of the strategy in the context of the financial and operational impact to the business. Proper risk quantification is required not only to ensure that an organisation is meeting its regulatory obligations, but can concurrently be used to give a clear understanding of ROI in financial terms.
 

Recent events in the US

In recent weeks, two well-known brands, MGM Resorts and Caesars Entertainment, suffered cyber incidents, and the timing of the events made both organisations some of the first to have to comply with the aforementioned regulatory changes.

MGM and Caesars lost market value as their stock prices fell due to the operational and fiscal impacts of their respective cyber events, with MGM yet to fully recover from the disruption to various operations at the hotels and gaming venues it owns from Las Vegas to Macau.

Just two weeks after the new SEC cybersecurity disclosure rules went into effect, the two major casino and hotel operators, MGM and Caesars, filed “Form 8-K” reports with the SEC disclosing the cyber events against their respective organisations, given the obvious material impact.

In MGM’s report (filed on September 13, 2023), the company briefly stated, “On September 12, 2023, MGM Resorts International issued a press release regarding a cybersecurity issue involving the Company.”

In the Caesars filing, they reported the company “recently identified suspicious activity in its information technology network resulting from a social engineering attack on an outsourced IT support vendor.”

Whilst it will be interesting to see how the regulatory response and the broader events affect both organisations, the SEC regulatory changes have much broader implications beyond public companies in the US, and beyond the US jurisdiction.

Further, and in a well-timed example in “not just high profile, or data rich organisations being targeted”, on August 14 Clorox said it took some systems offline after unauthorised activity disrupted operations.

With much going on following the announcement, on September 18 Clorox said first-quarter results (as announced to market) could see a "material impact."

On September 29 it announced that all manufacturing facilities resumed operations and that it was ramping up production to restock inventories after the event.

It has further come to light that – so far – Clorox has spent $25 million (USD) to respond to the suspected ransomware attack disclosed in August. This includes hiring forensic investigators and legal and technology help. More expenses related to the incident are expected in 2024, the organisation has directly stated.

More tangibly, Clorox recently announced an anticipated quarterly revenue hit of up to 28 percent. At the time of writing, shares in Clorox were down 8.1 percent, hitting their lowest level since May 2018, after the cleaning supplies company warned that the August cyber event would have the above impact. Clorox forecast a loss per share of between US$0.35 and US$0.75 for its fiscal first quarter ended September 30, versus a year-ago profit of US$0.68. Finally, Clorox said net sales would fall year-over-year by 23 percent to 28 percent.

 

Applicability of the regulatory reform locally

RedBelts observation
Cyber, technology and data risk is unique in that it arguably has two components. The technical component (the exploitation of a vulnerability) is jurisdiction agnostic, whereas the legislative/regulatory component arguably requires a more jurisdiction and geography specific focus.

 

Commonly known as the “second most litigious” environment in the world, Australia often follows the US’s lead when it comes to regulatory developments. In this instance, however - while the US has taken the first step in mandating such changes - the Australian regulatory environment has seen a less formal but ongoing focus on cyber, technology and data risk and the responsibility of organisations and the executive.

ASIC

The Australian Securities and Investments Commission (ASIC) chairman Joe Longo recently reinforced ASIC’s longstanding position at the Australian Financial Review's Cyber Summit, noting that the corporate regulator will seek to make an example of board directors and executives who are "recklessly ill-prepared" for cyber events, by taking legal action against compromised organisations that do not take sufficient steps to protect their customers and infrastructure from threat actors.

This is a position long stated by the regulator and others, with a Federal Court decision in July 2022 (ASIC vs RI Advice Group) serving at the time as a reminder for company directors about cybersecurity risk oversight and disclosure obligations. In what was then an Australian first, a financial services licensee was found to have breached its licence obligations by failing to adequately manage cyber risk, with ASIC noting that it “...expect[s] directors to educate and equip themselves to drive their organisation’s cyber risk culture”. ASIC further urged directors to consider their risk management framework, enquire about incident response plans, and ensure access to appropriate risk management resources. All of this was accompanied by an ominous warning that a failure to address cyber risks or comply with disclosure obligations may be a breach of directors’ duties.

APRA

Further, the Australian Prudential Regulation Authority (APRA) recently finalised a new prudential standard aimed at ensuring banks, insurers and superannuation trustees can better manage operational risks and respond to business disruptions.

Prudential Standard CPS 230 Operational Risk Management (CPS 230) provides a foundation for APRA-regulated entities to (amongst other things) enhance third-party risk management by ensuring risks from material service providers are appropriately managed.

APRA Chair John Lonsdale recently noted: “The need for APRA’s new standard has been demonstrated by a number of recent operational risk control failures and disruptions, including material cyber breaches. This new standard will ensure that regulated entities set and test controls and maintain robust business continuity plans to respond if disruptions do occur. We expect regulated entities to be proactive in preparing for implementation, rather than waiting until the last minute to get ready to meet the new requirements.”

Fundamentally, APRA wants boards to sharpen their oversight of, and accountability for, cyber breaches, noting that boards are ultimately accountable for operational risk. It wants companies to get on the front foot to reduce disruption for customers should systems go down.

A Third Party/Vendor focus

Furthermore, another parallel to draw between the SEC changes and the Australian regulatory environment is the suggestion that smaller private companies in the “supply chain” should be taking note, as they could come under scrutiny even if the new rules do not directly apply to them. Public companies, after all, will be monitoring their supply chains and are now obligated to report any significant findings. The same suggestion can be made with respect to CPS 230.

Third party/vendor risk is now in focus for those utilising them for critical functions, and those providing the service and/or solution.

Non-listed organisations should be just as aware

Organisations can over-focus on listing status, or take the unrealistic and unfounded position that if they are not listed, their cause for concern is significantly less or even completely mitigated.

RedBelts observation
By way of summary counter-argument to this position:
  1. Directors’ duties apply irrespective of whether an organisation is public (listed) or private (Pty Ltd).
  2. Fiscal, operational and reputational impacts, both obvious and non-obvious, follow a significant cyber event irrespective of the size, industry or legal status of an organisation.
  3. Whilst non-listed organisations are not required to meet the same market disclosure obligations, the foundational impact remains. The requirement to allocate funds to remedy an issue (in this case a significant cyber breach or disruption), or to “buy back” customer trust, whilst not generating revenue due to disruption, is a reality any organisation might face irrespective of size, industry or legal status.

Quite simply, such events can significantly eat into, or completely diminish, profit pools, and one might go as far as to suggest that a non-listed organisation may have more difficulty accessing the capital required to absorb the fiscal impacts (i.e., without the option of raising funds through the market).

An additional important point to note with respect to the aforementioned regulation, and the broader regulatory focus on organisations’ resilience to cyber events, is that they do not apply only to PII-holding or “data rich” organisations. In fact - at least in the short term - the impact to MGM (by way of example) has been fundamentally operational, not driven by data loss.

Beyond any share price impact to an organisation (if applicable) the fiscal, operational and reputational toll – in the case of catastrophic events can be long lasting. These events – in our experience – are “all consuming” of resources, both from a fiscal and human capital standpoint.

Obvious costs are rightfully easy to predict: forensic costs, legal advice, business interruption (loss of revenue and therefore profit), and sometimes even payment of a ransom or an exploitation-related cost.

There is however a growing category of otherwise termed “non-obvious” but potentially just as impactful cumulative costs including:

  1. Increases in audit fees, as the cyber event requires additional focus from the engaged external auditor to ensure disclosure obligations are met.
  2. Credit issues arising from a drop in revenue, leading to stricter lending criteria and higher interest rates.
  3. Insurance cost increases, associated with the costs covered under an appropriately placed cyber insurance policy (well worth the cost); and
  4. “Penance projects”, a well-crafted term from the authors of How to Measure Anything in Cyber Security, designed to assist in quantifying the cost of reputational damage. It speaks to the extra funds spent to maintain client contracts, market share or close new opportunities, as well as extra investment in cyber security and so on.

Perhaps however, a recent example that will resonate with some more than others is the example in Medibank, and the announcement accompanying their annual report which revealed “…key management personnel had their short-term incentive payments reduced to zero over the incident."

Further, the group's 2022 data breach has cost the health insurer $46.4 million in the 2022-2023 financial year, and the total cost by next year could pass $80 million. Excluding any potential regulatory action, lawsuits and associated costs…

Noting once again that this example arises from a publicly listed organisation, one might suggest it would be easier for the Board of a private organisation to do the same thing to the executives associated with a cyber event, given the arguably lower standard of governance/justification required.

RedBelts observation

Perhaps these are the kind of consequences needed to finally kick the remaining Boards/executives into action to understand, mitigate and monitor the cyber and technology risks relevant to their organisation? Is personal fiscal impact what is needed in some cases...? (For clarity, this is not being directly critical of anyone at Medibank.)

Finishing tangibly, the recent example of KNP Logistics demonstrates the real-life impact a devastating ransomware attack can have, with the “veteran firm” entering administration and 730 jobs lost following the event. Kettering-based KNP Logistics Group was the parent company of the 158-year-old haulage firm Knights of Old (founded in 1865).

The BBC reported it has entered administration, after it was targeted in June by a major ransomware attack that impacted key systems, processes and financial information. The administrators also reportedly said June’s cyber attack had damaged KNP Logistic Group’s financial position and its ability to secure additional investment and funding.

“Despite being one of the UK’s largest privately owned logistics groups, KNP fell victim to a ransomware attack earlier this year that caused significant disruption,” joint administrator Mittal was quoted by the BBC as saying.

“Against a backdrop of challenging market conditions and without being able to secure urgent investment due to the attack, the business was unable to continue,” Mittal added. “We will support all affected staff through this difficult time.”

The above example - as do many others - speaks to an important point: a cyber event may not be the direct and sole cause of an organisation’s ultimate demise, but it may be - and often is - the final straw.

Organisational change and resilience, the role of the CISO and the risk to the Exec.

The above regulatory change and focus, and the broader associated impact of a catastrophic cyber event speaks to the importance of all organisations implementing a holistic cyber, technology and data risk strategy.

Such a strategy needs to move from the previously siloed, and now antiquated, technical-only focus to one that truly identifies, quantifies, mitigates and monitors risks across the broader, organisationally relevant risk landscape.

A siloed, technically focused approach to risk management generally leads to a poorly handled risk posture, leaving the organisation with gaps at every phase of the risk lifecycle.

Common examples include:

Identification

CISOs without a comprehensive view of the overall organisation, its risk profile and appetite, and the concerns of other departments. This can begin even within their own areas of responsibility, with only a narrow view of specific assets due to a lack of visibility, and permeate from there.
Ensure the CISO proactively seeks a better holistic understanding of the business, especially with other executives (i.e., CFO, COO, CLO, CMO etc.). Also ensure that communication of risk is clear and tangible.

Assessment

This is often the most mature area; however, there are always areas for improvement. The broader cyber security industry has a long history of considering only Likelihood and Impact when assessing risks. "Financial impact" or "exploitability factor" are often not considered.
Move to more quantitative modelling, risk analysis and communication. Quantifying the fiscal impact of a catastrophic event for the CFO, the potential operational disruption for the COO and the Penance Project work required for the CMO will not only help them understand the risk better, but also assist in justifying the required cyber security investment.
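The quantitative modelling recommended above can be illustrated with a small Monte Carlo loss model. This is an added example, not RedBelts' code or the method of any named book: each cost category from the obvious and non-obvious cost lists earlier in the article is given a calibrated 90% confidence interval, and the simulation turns an annual event probability into an expected annual loss and loss-exceedance figures that a CFO can compare against proposed mitigation spend. The scenario values and the `SCENARIO` structure are constructed and illustrative.

```python
import math
import random
from statistics import mean

# Constructed (hypothetical) scenario: a multi-week operational outage of a
# core order-processing platform.  Each cost category is a 90% confidence
# interval in AUD, i.e. the estimator is 90% sure the true cost falls inside.
SCENARIO = {
    "annual_event_probability": 0.10,
    "costs_90ci": {
        # obvious costs
        "forensics_and_legal": (200_000, 2_000_000),
        "business_interruption": (500_000, 10_000_000),
        # non-obvious costs
        "audit_fee_increase": (20_000, 150_000),
        "insurance_premium_increase": (50_000, 400_000),
        "penance_projects": (100_000, 3_000_000),
    },
}

Z90 = 1.645  # z-score bounding a two-sided 90% interval of a normal distribution


def lognormal_params(lo, hi):
    """Convert a 90% CI (lo, hi) on a cost into (mu, sigma) of the normal
    distribution underlying a lognormal, so the CI maps onto exp(mu +/- Z90*sigma)."""
    mu = (math.log(lo) + math.log(hi)) / 2
    sigma = (math.log(hi) - math.log(lo)) / (2 * Z90)
    return mu, sigma


def simulate(scenario, trials=20_000, seed=1):
    """Return one simulated annual loss per trial (0.0 in years with no event)."""
    rng = random.Random(seed)  # seeded so results are reproducible
    p = scenario["annual_event_probability"]
    params = {k: lognormal_params(*ci) for k, ci in scenario["costs_90ci"].items()}
    losses = []
    for _ in range(trials):
        if rng.random() >= p:          # no event this year
            losses.append(0.0)
            continue
        # event year: draw every cost category independently and sum them
        losses.append(sum(rng.lognormvariate(mu, sigma) for mu, sigma in params.values()))
    return losses


def summarise(losses, big_loss=5_000_000):
    """Board-facing figures: expected annual loss, chance of any loss, chance of
    a loss above `big_loss`, and the 95th-percentile annual loss."""
    n = len(losses)
    ordered = sorted(losses)

    def exceedance(threshold):
        return sum(1 for x in losses if x > threshold) / n

    return {
        "expected_annual_loss": mean(losses),
        "p_any_loss": exceedance(0.0),
        "p_loss_over_big": exceedance(big_loss),
        "p95_annual_loss": ordered[int(0.95 * n) - 1],
    }


if __name__ == "__main__":
    for name, value in summarise(simulate(SCENARIO)).items():
        print(f"{name:>22}: {value:,.2f}")
```

The expected annual loss is the figure to set against the annual cost of a control; the exceedance probabilities show the tail that insurance, rather than mitigation, may need to carry.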

Mitigation

Arguably, this is the most challenging programme in security, due to various factors including the involvement of different stakeholders (and their varying understanding of the risk), different business drivers, and a broader lack of support from the business.

 

Monitoring/review

A common source of risk management gaps is having no formal process for monitoring/reviewing the risks relevant to the organisation, or having one that is not implemented effectively. Arguably, those with solutions/processes implemented ineffectively soon find themselves battling event/alert fatigue.

"In practice, most firms... use heuristic strategies to prioritise their remediation efforts; for example, a common approach is to remediate all vulnerabilities above a certain severity score. However, many of the common heuristics used by firms have been found to be sub-optimal...and in some cases, no better than randomly choosing vulnerabilities to remediate."

Beginning with an understanding of holistic organisational risk concerns, the right solutions and/or processes can be implemented to provide relevant risk management insights and reduce the likelihood of missing a critical vulnerability.

Risk Transfer

Many organisations continue to have a misplaced understanding or perception of insurance and the role it is intended to play in a catastrophic cyber event. Cyber policies typically cover the reasonable and necessary expenses to investigate and remediate an event and the associated liabilities. The differentiator, however, is the incident response capability of the policy, affording organisations access to 24/7, 365-day assistance from an incident response team and associated vendor panel. Incident response capabilities afforded under the policy are engaged by the insured, for the insured. Cyber insurance does not undermine the effectiveness of IT security teams – it supplements their skills and protects a business from the unknown. The insurer is not a party that takes over a claim, but rather complements in-house knowledge, providing:

  1. Expertise in cybersecurity and privacy liability.
  2. Knowledge of an insurer’s guidelines, reporting requirements, and approval/consent procedures.
  3. Pre-negotiated rates not available if engaged outside the insurance relationship.

Insurance can also arguably assist organisations to improve their cyber security risk posture, by acting as a driver for internal investment when an organisation is required to meet a particular minimum security posture standard to obtain cover.

Technical focus and expertise, and their importance, should never be dismissed; they are a foundational component of cyber, technology and data risk management. As business adapts and evolves, however, so do roles, especially those of such foundational importance to all organisations.

Ultimately, all of the above calls for a need to:

  1. Identify and understand risk: understand your business operations and aspirations and your reliance on third parties/vendors, i.e., what is the broader business impact? What are the CFO, COO, CMO and CEO thinking? This also requires obtaining a relevant regulatory understanding and staying conscious of ongoing developments. It is then complemented by the design of complete enterprise risk strategies that fit cyber security risk management goals.
  2. Mitigate, which involves tailored, data-driven recommendations, translated effectively and relevantly, to improve risk posture and build resilience.
  3. Monitor: fundamentally, cyber, technology and data risk management is a program, not a project. It is an ongoing and constantly evolving area of risk and must be addressed that way. Put another way, comprehensive risk management can’t be comprehensive enough. Organisations must implement solutions to identify, mitigate and monitor their exposure from a technology and contractual standpoint.
  4. Finally, and only then, Insure: develop an insurance solution that fits your individual risk, potential exposures and targeted goals. This needs to focus on implementing a plan that protects your balance sheet, preserves your reputation, and enables growth.
 
Inform yourself, mitigate risk as best as possible, and for what you cannot mitigate, do not know about, or cannot mitigate at a commercial return on investment, transfer the remaining catastrophic risk off your balance sheet.
 
Ignorance is no excuse, and context on this point should be taken from the well-known ASIC v Centro decision and its principle that directors are to possess sufficient skill and understanding of the fundamentals of the business in which they are engaged, including the associated fundamental business risks (of which cyber and technology risk is one for all organisations). Take self-responsibility for continuous education on this business-critical risk. In the context of the above, any organisation that faces a significant cyber event and subsequent regulatory action will face additional challenges. Speaking specifically to D&O Liability, simply citing the increased cost of improving an organisation's cyber security posture as a reason for not investing would be a tenuous and likely unsuccessful use of the Business Judgement Rule.
 
Finally, there is a genuine opportunity for the right approach to cyber, technology and data risk and strategy to truly add value within an organisation. Whilst the phrase is arguably overused in the cyber security sector, the right cyber security strategy can be a true business outcomes enabler by:
 
  1. Helping organisations measure and monetise risk and risk reduction, and effectively allocate capital.
  2. Mitigating the impact of cyber events, and using this as an opportunity to build trust with clients/consumers.
  3. Drawing a direct line between cyber strategy and the impact it has in mitigating risk and enabling the business to service clients, seize opportunities, and in some cases even leverage its cyber security posture as a business enabler, i.e., does higher security investment make prospective customers more comfortable? Is a lack of security making some existing customers leave?
 
If a sales cycle can be shortened, with proof that security gained more sales, it can be highly persuasive to executives and the Board. “Today, three customers walked away, but tomorrow none will."
 

RedBelts

It is arguably the role of the CISO, and the exponentially increasing need of organisations for one, that is most affected by the current cyber security “talent” shortage.
The role of the CISO is in flux, maturing from one focused on technology to one managing a key business risk. Though a foundation in technology still matters, regulators and the impact of catastrophic cyber events are pushing organisations to elevate cyber, technology and data security in strategy and to find executives seasoned in risk management.
A modern CISO must be able to assess security hazards in a wider business context and work with board members on appropriate oversight.

Intended as an inbuilt, long-term partnership with our clients, RedBelts welcomes the opportunity to engage further with organisations seeking market-leading Cyber Security Advisory services.

The proposed evolution of the role - from primarily tech-focused, to a broader risk management one - has further narrowed the scope of suitable candidates available. Equally increasing however is the opportunity for organisations to leverage off a strong cyber security posture as a business enabler.

With those “unicorns” (executive level technical and risk management expertise) in high demand, looking alternatively to embed a partner organisation - who brings the best of technical knowledge and risk management experience - is now a consideration organisations must pursue.

RedBelts provides cyber security advice and strategy integrated into the business, to extract value from cyber investments and drive outcomes. Aligning with the organisation's goals and risk tolerance, RedBelts translates cyber risk into financial and liability risk, clearly communicating the organisation's ROI; this information is tangibly used to focus resourcing, mitigate risks and exposures, and accelerate business decision-making.

Author: Mark L
