1. The SEC has introduced new, onerous cybersecurity Risk Management, Strategy, Governance and Incident Disclosure obligations for listed US organisations.
2. This is a position taken in principle by Australian regulators for some time, and for shadows the ongoing strengthening of regulation in this area locally.
3. The impact of a cyber event can be catastrophic to business, irrespective of size, sector, and private or public status. Enhanced regulations only increase the impact.
4. Data and the holding of (or lack of) should not be the only driver when considering cyber security risks, with operational disruptions having the potential to be more damaging.
5. The requirement for an understand and focus on cyber, technology and data risk is an ever increasing non-negotiable, and specifically, the role of the CISO needs to adapt to one that is more holistic.
6. Ignorance of this risk is no excuse, from a regulatory and impact perspective.

A specific item of interest within the regulation is the elevated role of corporate cyber “chiefs” (I.e., CISO’s), especially in discussions with senior management and the board about assessing an attack or event for materiality. It puts an onus to compel companies to quantify cyber risk in the mix of other business risks.

RedBelts observation

Arguably, this is a literal call for organisations, and specifically their CISO’s to broaden their understanding, mandate and focus away from a technically dictated one, and to one of broader organisational resilience focus. Alignment of an effective cyber security strategy will need to be communicated clearly, to set expectations for how a proposed strategy will mitigate and build resilience to appropriately respond to an event.

Organisations need to clearly understand - specific to cyber, technology and data risk - how much risk they’re willing to accept, by prioritising which actions to take, with the impact of the strategy put in the context of the financial and operational impact to the business. Proper risk quantification is required to not only ensure that an organisation is meeting their regulatory obligations, but can be concurrently used to enable a clear understanding of ROI in financial terms.

Recent events in the US

In recent weeks, two well-known brands in MGM Resorts and Caesars Entertainment suffered from cyber incidents, with the timing of the events leading to both organisations having to be some of the first to have to comply with the aforementioned regulatory changes.

MGM and Caesars lost market value as stock prices fell due to the operation and fiscal impacts of their respective cyber events, with MGM yet to fully recover from various operations disrupted at the hotels and gaming venues it owns from Las Vegas to Macau.

Just two weeks after the new SEC cybersecurity disclosure rules went into effect, the two major casino and hotel operators, MGM and Caesars filed “Form 8-K “reports with the SEC, disclosing the cyber events against their respective organisations, given the obvious material impact.

In MGM’s report (filed on September 13, 2023), the company briefly stated, “On September 12, 2023, MGM Resorts International issued a press release regarding a cybersecurity issue involving the Company.”

In the Caesars filing, they reported the company “recently identified suspicious activity in its information technology network resulting from a social engineering attack on an outsourced IT support vendor.”

Whilst it will be interesting to see how this regulatory impact and the broader events impact both organisations, the SEC regulatory changes have much broader implications beyond public companies in the US, and beyond the U.S. jurisdiction.

Further, and in a well-timed example in “not just high profile, or data rich organisations being targeted”, on August 14 Clorox said it took some systems offline after unauthorised activity disrupted operations.

With much going on following the announcement, on September 18 Clorox said first-quarter results (as announced to market) could see a "material impact."

On September 29 it announced that all manufacturing facilities resumed operations and that it was ramping up production to restock inventories after the event.

It has further come to light that – so far – Clorox has spent $25 million (USD) to respond to the suspected ransomware attack disclosed in August. This includes hiring forensic investigators and legal and technology help. More expenses related to the incident are expected in 2024, the organisation has directly stated.

1. Directors duties apply irrespective of whether an organisation is public (listed) or private (pty ltd).
2. Fiscal, operational and reputation impacts follow a significant cyber event irrespective of size, industry or legal status of an organisation, both obvious and non-obvious.
3. Whilst non-listed organisations are not required to meet the same market disclosure obligations, the foundational impact remains. The requirement to allocate funds to remedy an issue (in this case a significant cyber breach or disruption), or “buy back” customer trust, whilst not generating revenue due to disruption, is a reality any organisation irrespective of size, industry or legal status might face.
   

Quite simply, such events can significantly eat into, or completely diminish profit pools, and one might go as far to suggest that a non-listed organisation may have more difficulty in being able to access capital required to face fiscal impacts (i.e., without the available option to raise funds though the market).

An additional important point to note with respect to the aforementioned regulation and broader regulatory focus on organisations resilience with respect to cyber events, is that they are not applicable to PII holding or “data rich” only organisations. In fact - at least in the short term - the impact to MGM (by way of example) has been fundamentally operational, not data loss driven.

Beyond any share price impact to an organisation (if applicable) the fiscal, operational and reputational toll – in the case of catastrophic events can be long lasting. These events – in our experience – are “all consuming” of resources, both from a fiscal and human capital standpoint.

Obvious costs are rightfully easy to predict, forensic costs, legal advice, business interruption (loss of revenue and therefore profit), and sometimes even a payment of a ransom, or exploitation related cost.

There is however a growing category of otherwise termed “non-obvious” but potentially just as impactful cumulative costs including:

1. Increases in audit fees due to the cyber events requiring additional focus from the engaged external auditor to ensure disclosure obligations are met.
2. Credit issues, arising from a drop in revenue, leading to stricter lending criteria and high interest rates.
3. Insurance cost increases, associated with costs covered under and appropriately placed cyber insurance policy (well worth the costs); and
4. “Penance projects”, a well-crafted term from the authors of How to Measure Anything in Cyber Security, which is designed to assist in quantifying the cost of reputational damage, and speaks to extra funds spent to maintain client contracts, market share or close new opportunities, but extra investments in cyber security and so on.

Perhaps however, a recent example that will resonate with some more than others is the example in Medibank, and the announcement accompanying their annual report which revealed “…key management personnel had their short-term incentive payments reduced to zero over the incident."

Further, the group's 2022 data breach has cost the health insurer $46.4 million in the 2022-2023 financial year, and the total cost by next year could pass $80 million. Excluding any potential regulatory action, lawsuits and associated costs…

Noting once again an example arising from the involvement of a Publicly Listed organisation, one might suggest it would be easier for the Board of a private organisation to do the same thing to the Exec’s associated with a cyber event given the arguably lower standard of governance/justification required.

RedBelts observation

Perhaps these are the kind of consequences needed that will finally kick the remaining Boards/Exec's into action to understand, mitigate and monitor the cyber and technology risks relevant to their organisation? Is it personal, fiscal impact what's needed in some cases...? (For clarity, this is not being directly critical of anyone at Medibank).

Finishing tangibly, the recent example with KNP Logistics demonstrates the real life impact a devastating ransomware attack can have with the “veteran firm” entering into administration with 730 jobs lost, following the event. Kettering-based KNP Logistics group was the parent company of the 158-year-old haulage firm Knights of Old (which was founded in 1865).

The BBC reported it has entered administration, after it was targeted in June by a major ransomware attack that impacted key systems, processes and financial information. The administrators also reportedly said June’s cyber attack had damaged KNP Logistic Group’s financial position and its ability to secure additional investment and funding.

“Despite being one of the UK’s largest privately owned logistics group, KNP fell victim of a ransomware attack earlier this year that caused significant disruption,” joint administrator, Mittal, was quoted by the BBC as saying.

“Against a backdrop of challenging market conditions and without being able to secure urgent investment due to the attack, the business was unable to continue,” Mittal added. “We will support all affected staff through this difficult time.”

The above example - as do many others - speaks to an important piece in that a cyber event may not be the direct and sole cause for an organisations ultimate demise but may - and often is - the final straw.

Organisational change and resilience, the role of the CISO and the risk to the Exec.

The above regulatory change and focus, and the broader associated impact of a catastrophic cyber event speaks to the importance of all organisations implementing a holistic cyber, technology and data risk strategy.

Such a strategy needs to move from the previously silo’d and now antiquated technical only focus, and into one that truly identified, quantifies, mitigates and monitors risks across the broader organisational relevant, risk landscape.

Those committing to Risk Management through a silo’d technically focused approach generally leads to a risk posture that is generally poorly handled, leading to an organisational position – at every phase of the risk lifecycle – with gaps.

Common examples include:

Identification

CISO’s without a comprehensive view of the overall organisation, risk profile, appetite, and concerns of other departments of the organisation. Furthermore, this can begin even in their own areas of responsibility with having only a narrow vision of specific assets due to a lack of visibility, and permeate from there.
Ensure the CISO is seeking to proactively gain a better holistic understanding of the business, especially with other executives (i.e., CFO, COO, CLO, CMO etc.). Also ensure communication of risk is clear and tangible.
Assessment: This is often the most mature area, however, there are always areas for improvement. The broader cyber security industry has a rich history when assessing risks in only considering Likelihood and Impact. "Financial impact" or "exploitability factor" are often not considered.
Move to a more quantitative modelling or risk analysis and communication. Quantifying the fiscal impact of a catastrophic event to the CFO, the potential operational disruption to the COO and the Penance Project work required to the CMO won't only help them understand the risk better, but assist in justifying required cyber security investment.

Mitigation

Arguably, this is the most challenging programme in security, due to various factors including the involvement of different stakeholders (and associated understanding of the risk, different business drivers, and a broader lack of support from the business.

Monitoring/review

A common area where risk management gaps can be found with no formal process for monitoring/reviewing risks relevant to the organisation implemented effectively (by way of example). Arguably those with solutions/process implemented ineffectively soon find themselves battling with event/alert fatigue.

"In practice, most firms... use heuristic strategies to prioritise their remediation efforts; for example, a common approach is to remediate all vulnerabilities above a certain severity score. However, many of the common heuristics used by firms have been found to be sub-optimal...and in some cases, no better than randomly choosing vulnerabilities to remediate."

Beginning with an understanding of holistic organisational risk concerns, the right solutions and/or processes can be implemented to provide relevant risk management insights, and mitigate the likelihood of missing mitigating a critical vulnerability.

Risk Transfer

Many organisations continue to have a misplaced understanding or perception of insurance and the intended role it plays in a catastrophic cyber event. Cyber policies typically cover the reasonable and necessary expenses to investigate and remediate an event and associated liabilities. However, the differentiator is the incident response capabilities of the policy, affording organisations access to 24/7 365 assistance from an incident response team and associated vendor panel. Incident response capabilities afforded under the policy are engaged by the insured for the insured. Cyber insurance does not undermine the effectiveness of IT security teams – it supplements their skills and protects a business from the unknown. They are not a party that takes over a claim, but rather compliments inhouse knowledge providing:

1. Expertise in cybersecurity and privacy liability.
2. Knowledge of an insurer’s guidelines, reporting requirements, and approval/consent procedures.
3. Pre-negotiated rates not available if engaged outside the insurance relationship

Insurance also arguably can assist organisation improve their cyber security risk posture, in being used as a driver for internal investment, when an organisation is required to meet a particular minimum security posture standard to obtain cover.

Technical focus and expertise, and its importance should not, nor ever be dismissed, it is a foundational component to cyber, technology and data risk management. As business adapts and evolves however, so do roles, especially those with such foundational importance to all organisations.

Ultimately, all of the above calls for a need to:

1. Identify and understand risk, understand your business operations and aspirations and reliance on third parties/vendors. i.e., what’s the broader business impact? What is the CFO, COO, CMO and CEO thinking? And a need to obtain a relevant regulatory understanding and being conscious of ongoing developments. It is then complemented with the design of complete enterprise risk strategies to fit cyber-security risk management goals.
   
   
2. Mitigate, which involves tailored, data-driven and effectively, and relevantly translated recommendations to improve risk posture and build resilience.
   
3. Monitor, fundamentally, cyber, technology and data risk management is a program, not a project. It is an ongoing and constantly evolving area of risk that must be addressed that way. Put another way, comprehensive risk management can’t be comprehensive enough. Organisations must implement solutions to identify, mitigate and monitor their exposure from a technology and contractual standpoint.
   

1. Helping organisations measure and monetise risk and risk reduction effectively allocate capital.
2. Mitigate the impact of cyber events, and using this as an opportunity to build trust with clients/consumers.
3. Drawing a direct line between cyber strategy, and the associated impact it has in mitigating risk and enabling the business to service clients, seize opportunities, and in some cases even leverage off their cyber security posture as a business enabler. I.e., Does higher security investment make prospective customers more comfortable? Is lack of security making some existing customers leave?

RedBelts