A specific item of interest within the regulation is the elevated role of corporate cyber “chiefs” (i.e., CISOs), especially in discussions with senior management and the board about assessing an attack or event for materiality. It places an onus on companies to quantify cyber risk alongside their other business risks.
In recent weeks, two well-known brands, MGM Resorts and Caesars Entertainment, suffered cyber incidents, and the timing of those events made both organisations among the first to have to comply with the aforementioned regulatory changes.
MGM and Caesars lost market value as their stock prices fell due to the operational and fiscal impacts of their respective cyber events, with MGM yet to fully recover from the disruption to the hotels and gaming venues it owns from Las Vegas to Macau.
Just two weeks after the new SEC cybersecurity disclosure rules went into effect, the two major casino and hotel operators, MGM and Caesars, filed Form 8-K reports with the SEC disclosing the cyber events against their respective organisations, given the obvious material impact.
In MGM’s report (filed on September 13, 2023), the company briefly stated, “On September 12, 2023, MGM Resorts International issued a press release regarding a cybersecurity issue involving the Company.”
In its filing, Caesars reported the company “recently identified suspicious activity in its information technology network resulting from a social engineering attack on an outsourced IT support vendor.”
Whilst it will be interesting to see how the regulation and the broader events affect both organisations, the SEC regulatory changes have much broader implications beyond public companies in the US, and beyond US jurisdiction.
Further, as a well-timed example that it is “not just high profile, or data rich organisations being targeted”, on August 14 Clorox said it had taken some systems offline after unauthorised activity disrupted operations.
With much going on following that announcement, on September 18 Clorox said its first-quarter results (as announced to market) could see a “material impact.”
On September 29 it announced that all manufacturing facilities resumed operations and that it was ramping up production to restock inventories after the event.
It has further come to light that Clorox has so far spent US$25 million responding to the suspected ransomware attack disclosed in August, including hiring forensic investigators and legal and technology help. The organisation has directly stated that more expenses related to the incident are expected in 2024.
More tangibly, Clorox recently announced an anticipated quarterly revenue hit of up to 28 percent. At the time of writing, shares in Clorox were down 8.1 percent, their lowest level since May 2018, after the cleaning supplies company warned that the August cyber event would have that impact. Clorox forecast a loss per share of between US$0.35 and US$0.75 for its fiscal first quarter ended September 30, versus a year-ago profit of US$0.68. Finally, Clorox said net sales would fall year-over-year by 23 percent to 28 percent.
Commonly known as the “second most litigious” environment in the world, Australia often follows the US’ lead when it comes to regulatory developments. In this instance, however, while the US has taken the first step in mandating such changes, the Australian regulatory environment has featured a less formal but ongoing focus on cyber, technology and data risk, and on the responsibility of organisations and their executives.
The Australian Securities and Investments Commission (ASIC) chairman Joe Longo recently reinforced ASIC’s longstanding position at the Australian Financial Review’s Cyber Summit, noting that the corporate regulator will seek to make an example of board directors and executives who are “recklessly ill-prepared” for cyber events, by taking legal action against compromised organisations that do not take sufficient steps to protect their customers and infrastructure from threat actors.
This is a position long stated by the regulator and others, with a Federal Court decision in July 2022 (ASIC v RI Advice Group) serving at the time as a reminder to company directors about cybersecurity risk oversight and disclosure obligations. In what was then an Australian first, a financial services licensee was found to have breached its licence obligations by failing to adequately manage cyber risk, with ASIC noting that it “...expect directors to educate and equip themselves to drive their organisation’s cyber risk culture”. ASIC further urged directors to consider their risk management framework, enquire about incident response plans, and ensure access to appropriate risk management resources. All of this was accompanied by an ominous warning that a failure to address cyber risks or comply with disclosure obligations may be a breach of directors’ duties.
Further, the Australian Prudential Regulation Authority (APRA) recently finalised a new prudential standard aimed at ensuring banks, insurers and superannuation trustees can better manage operational risks and respond to business disruptions.
Prudential Standard CPS 230 Operational Risk Management (CPS 230) provides a foundation for APRA-regulated entities to (amongst other things) enhance third-party risk management by ensuring risks from material service providers are appropriately managed.
APRA Chair John Lonsdale recently noted: “The need for APRA’s new standard has been demonstrated by a number of recent operational risk control failures and disruptions, including material cyber breaches. This new standard will ensure that regulated entities set and test controls and maintain robust business continuity plans to respond if disruptions do occur. We expect regulated entities to be proactive in preparing for implementation, rather than waiting until the last minute to get ready to meet the new requirements.”
Fundamentally, APRA wants boards to sharpen their oversight of, and accountability for, cyber breaches, noting that boards are ultimately accountable for operational risk. It wants companies to get on the front foot to reduce disruption for customers should systems go down.
Another parallel to draw between the SEC changes and the Australian regulatory environment is the suggestion that smaller private companies in the “supply chain” should be taking note, as they could come under scrutiny even if the new rules do not directly apply to them. Public companies, after all, will be monitoring their supply chains and are now obligated to report any significant findings. The same suggestion can be made with respect to CPS 230.
Third-party/vendor risk is now in focus, both for those relying on vendors for critical functions and for those providing the service and/or solution.
Organisations can over-focus on listing status, or take the unrealistic and unfounded position that if they are not listed, their cause for concern is significantly lower or even completely mitigated.
Quite simply, such events can significantly eat into, or completely diminish, profit pools, and one might go as far as to suggest that a non-listed organisation may have more difficulty accessing the capital required to face the fiscal impacts (i.e., without the option of raising funds through the market).
An additional important point with respect to the aforementioned regulation, and the broader regulatory focus on organisations’ resilience to cyber events, is that they do not apply only to PII-holding or “data rich” organisations. In fact, at least in the short term, the impact to MGM (by way of example) has been fundamentally operational, not driven by data loss.
Beyond any share price impact (where applicable), the fiscal, operational and reputational toll of a catastrophic event can be long lasting. These events, in our experience, are “all consuming” of resources, from both a fiscal and a human capital standpoint.
The obvious costs are rightfully easy to predict: forensic costs, legal advice, business interruption (loss of revenue and therefore profit), and sometimes even payment of a ransom or an exploitation-related cost.
There is, however, a growing category of so-called “non-obvious” but potentially just as impactful cumulative costs, including:
Perhaps, however, a recent example that will resonate with some more than others is Medibank, and the announcement accompanying its annual report which revealed that “…key management personnel had their short-term incentive payments reduced to zero over the incident.”
Further, the group’s 2022 data breach has cost the health insurer $46.4 million in the 2022-2023 financial year, and the total cost by next year could pass $80 million, excluding any potential regulatory action, lawsuits and associated costs…
Noting once again that this example arises from a publicly listed organisation, one might suggest it would be easier for the board of a private organisation to do the same to the executives associated with a cyber event, given the arguably lower standard of governance/justification required.
RedBelts observation
Perhaps these are the kind of consequences needed to finally kick the remaining boards/executives into action to understand, mitigate and monitor the cyber and technology risks relevant to their organisation? Is personal fiscal impact what is needed in some cases? (For clarity, this is not being directly critical of anyone at Medibank.)
To finish tangibly, the recent example of KNP Logistics demonstrates the real-life impact a devastating ransomware attack can have: the “veteran firm” entered administration following the event, with 730 jobs lost. Kettering-based KNP Logistics Group was the parent company of the 158-year-old haulage firm Knights of Old (founded in 1865).
The BBC reported that it had entered administration after being targeted in June by a major ransomware attack that impacted key systems, processes and financial information. The administrators also reportedly said June’s cyber attack had damaged KNP Logistics Group’s financial position and its ability to secure additional investment and funding.
“Despite being one of the UK’s largest privately owned logistics group, KNP fell victim of a ransomware attack earlier this year that caused significant disruption,” joint administrator Mittal was quoted by the BBC as saying.
“Against a backdrop of challenging market conditions and without being able to secure urgent investment due to the attack, the business was unable to continue,” Mittal added. “We will support all affected staff through this difficult time.”
The above example, like many others, speaks to an important point: a cyber event may not be the direct and sole cause of an organisation’s ultimate demise, but it may be, and often is, the final straw.
The above regulatory change and focus, and the broader impact of a catastrophic cyber event, speak to the importance of all organisations implementing a holistic cyber, technology and data risk strategy.
Such a strategy needs to move from the previously siloed and now antiquated technical-only focus into one that truly identifies, quantifies, mitigates and monitors risks across the organisation’s broader relevant risk landscape.
Committing to risk management through a siloed, technically focused approach generally leads to a poorly handled risk posture, leaving the organisation with gaps at every phase of the risk lifecycle.
Common examples include:
CISOs without a comprehensive view of the overall organisation: its risk profile, risk appetite, and the concerns of other departments. This can begin even within their own areas of responsibility, with only a narrow view of specific assets due to a lack of visibility, and permeate from there.
Ensure the CISO proactively seeks a more holistic understanding of the business, especially with other executives (e.g., the CFO, COO, CLO, CMO). Also ensure that communication of risk is clear and tangible.
Assessment: This is often the most mature area; however, there are always areas for improvement. The broader cyber security industry has a long history of assessing risks by considering only likelihood and impact. “Financial impact” or an “exploitability factor” are often not considered.
Move to more quantitative risk modelling, analysis and communication. Quantifying the fiscal impact of a catastrophic event for the CFO, the potential operational disruption for the COO and the “penance project” work required for the CMO will not only help them understand the risk better, but also assist in justifying the required cyber security investment.
Arguably, this is the most challenging programme in security, due to various factors including the involvement of different stakeholders (and their differing understanding of the risk), different business drivers, and a broader lack of support from the business.
A common area where risk management gaps can be found is the absence of an effectively implemented formal process for monitoring and reviewing the risks relevant to the organisation (by way of example). Arguably, those whose solutions or processes are implemented ineffectively soon find themselves battling event/alert fatigue.
"In practice, most firms... use heuristic strategies to prioritise their remediation efforts; for example, a common approach is to remediate all vulnerabilities above a certain severity score. However, many of the common heuristics used by firms have been found to be sub-optimal...and in some cases, no better than randomly choosing vulnerabilities to remediate."
Beginning with an understanding of holistic organisational risk concerns, the right solutions and/or processes can be implemented to provide relevant risk management insights and reduce the likelihood of failing to mitigate a critical vulnerability.
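As an added illustration of the assessment and monitoring gaps described in the examples above (example code, not part of the original article), the Python below compares the “remediate everything above a severity score” heuristic with an ordering by quantified expected annual loss, and expresses a control’s avoided loss as a return on its cost. The findings, likelihoods and dollar figures are constructed sample values, not real scan data or real financials.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerability or weakness, scored the way a quantified risk model needs it."""
    name: str
    severity: float            # scanner-style severity score, 0-10
    exploit_likelihood: float  # estimated annual probability it is actually exploited, 0-1
    loss_if_exploited: float   # estimated fiscal impact in dollars (interruption, forensics, legal)


# Constructed sample findings (not real data): a low-likelihood "critical" on an isolated
# host sits beside lower-severity weaknesses on revenue-critical or vendor-facing paths.
SAMPLE_FINDINGS = [
    Finding("critical on isolated test server", 9.8, 0.02, 20_000),
    Finding("medium on internet-facing booking system", 5.5, 0.40, 2_000_000),
    Finding("high on outsourced IT support remote access", 7.5, 0.25, 5_000_000),
    Finding("low on internal wiki", 3.1, 0.10, 50_000),
]


def expected_annual_loss(f: Finding) -> float:
    """Likelihood x financial impact: a figure a CFO can weigh against other business risks."""
    return f.exploit_likelihood * f.loss_if_exploited


def severity_heuristic(findings, threshold: float = 7.0) -> list[str]:
    """The common heuristic quoted above: fix everything at or above a severity score, highest first."""
    kept = [f for f in findings if f.severity >= threshold]
    return [f.name for f in sorted(kept, key=lambda f: f.severity, reverse=True)]


def quantified_priority(findings) -> list[str]:
    """Order by expected annual loss so that exploitability and fiscal impact both count."""
    return [f.name for f in sorted(findings, key=expected_annual_loss, reverse=True)]


def total_expected_loss(findings) -> float:
    return sum(expected_annual_loss(f) for f in findings)


def control_roi(findings, affected_names, new_likelihood: float, annual_cost: float) -> dict:
    """Expected loss avoided by a control that lowers the exploit likelihood of the named
    findings, expressed as a return on the control's annual cost (to justify investment)."""
    avoided = sum((f.exploit_likelihood - new_likelihood) * f.loss_if_exploited
                  for f in findings if f.name in affected_names)
    return {"avoided_loss": avoided, "annual_cost": annual_cost,
            "roi": (avoided - annual_cost) / annual_cost}


if __name__ == "__main__":
    print("severity >= 7.0 :", severity_heuristic(SAMPLE_FINDINGS))
    print("by expected loss:", quantified_priority(SAMPLE_FINDINGS))
    print("control ROI     :", control_roi(SAMPLE_FINDINGS,
                                           {"high on outsourced IT support remote access"}, 0.05, 250_000))
```

On the sample data the severity threshold keeps the isolated “critical” and drops the booking-system finding, while the expected-loss ordering puts the vendor-access and booking-system findings first and the isolated “critical” last.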
Many organisations continue to have a misplaced understanding or perception of insurance and the intended role it plays in a catastrophic cyber event. Cyber policies typically cover the reasonable and necessary expenses to investigate and remediate an event and the associated liabilities. The differentiator, however, is the incident response capability of the policy, affording organisations access to 24/7/365 assistance from an incident response team and its associated vendor panel. Incident response capabilities afforded under the policy are engaged by the insured, for the insured. Cyber insurance does not undermine the effectiveness of IT security teams; it supplements their skills and protects a business from the unknown. The insurer is not a party that takes over a claim, but rather complements in-house knowledge, providing:
Insurance can also arguably help organisations improve their cyber security risk posture by serving as a driver for internal investment when an organisation is required to meet a particular minimum security posture standard to obtain cover.
The importance of technical focus and expertise should never be dismissed; it is a foundational component of cyber, technology and data risk management. As business adapts and evolves, however, so do roles, especially those of such foundational importance to all organisations.
Ultimately, all of the above calls for the need to:
Intended to be an inbuilt, long-term partnership with our clients, RedBelts welcomes the opportunity to engage further with organisations seeking market-leading Cyber Security Advisory services.
The proposed evolution of the role, from primarily tech-focused to a broader risk management one, has further narrowed the pool of suitable candidates. Equally, however, the opportunity for organisations to leverage a strong cyber security posture as a business enabler is increasing.
With those “unicorns” (executive-level technical and risk management expertise) in high demand, looking instead to embed a partner organisation that brings the best of technical knowledge and risk management experience is now a consideration organisations must pursue.
Cyber security advice and strategy integrated into the business to extract value from cyber investments and drive outcomes. Aligning with the organisation’s goals and risk tolerance, RedBelts translates cyber risk into financial and liability risk, clearly communicating the organisation’s ROI: information tangibly used to focus resourcing, mitigate risks and exposures, and accelerate business decision-making.