In their January/February 2020 issue, Risk Management Magazine published a fascinating article written by Senior Editor, Hilary Tuttle, on the 2020 Cyber Risk landscape. Tuttle provides a detailed discussion of the emerging threats, sourced by interviews, commentary and industry reports such as 1) Risk Barometer, 2) Cyber Trendscape Report, and 3) 2019-2020 Global Application and Network Security Report. To help you stay informed, we have summarized the main topics in this article.
2020 Election Threats
Since 2016, cyber professionals have highlighted the US election system’s many vulnerabilities, such as outdated voting machines and perils of misinformation campaigns online. Many parts of the United States have invested in better security, however, there is a long way to go and federal oversight is still lacking. A bad actor does not have to compromise all 50 election systems to influence or disrupt the election.
Experts predict that that biggest threat to the sanctity of the November 2020 election will be the growing manipulation of influence taking place by way of social engineering, which sways voters’ opinions before they head to the polls. This manipulation includes not just cyber espionage and cyber influence operations targeted at electoral systems, but also impersonation of candidates on social media and other types of information designed to target voters themselves.
Jim Wetekemp, CEO of Riskonnect advises that “As we move beyond 2020, organizations will need to consider risks related to economic and regulatory changes that could result as the election unfolds. Everything from increased tariffs through international trade, radical restructuring of the healthcare industry, new federal approaches to corporate taxes, or operational and regulatory changes related to climate change could be on the table.”
The Impact of 5G
Amid the raging trade war between the United States and China, many western authorities have raised supply chain risk concerns about potential backdoors in the technology that could be exploited by the Chinese government, while others find these claims either paranoid or protectionist.
The 5G technology is expected to support a booming class of internet of things (IoT) devices, which could be tremendously beneficial for companies and consumers alike. However, these devices will likely introduce significant vulnerabilities into the environments in which they are adopted, which could lead to an exponential increase in the number of entry points for malicious actors or points of failure in the event of disruption.
With cloud-hosted platforms and decentralized infrastructure, security professionals have far less visibility into the security stack and how it’s managed, forcing companies to rely on the promises made by cloud vendors that their environments are secure, without a way to know if assets are fully protected.
Vishing and Deepfakes
Vishing (voicemail phishing) is expected to rise in frequency and can take the form of voice-to-email dissemination, phishing emails with attachments purporting to be voicemail messages, artificial intelligence technology, and voice impersonation schemes. In another version of vishing, criminals can use commercially available AI software to create realistic impersonations for social engineering schemes. One such case made headlines last year when criminals used this tactic to convince an executive at a UK energy firm to transfer over $200,000 by imitating the accent and voice patterns of his German boss.
AI is also used to generate similarly convincing videos, often referred to as “deepfakes.” Freely available video of public comments can be used to produce a video depicting one person’s words coming out of another’s mouth. The ability for such videos to spread misinformation or discord around political races or even business developments is concerning because as the technology has advanced, these capabilities require less training and are therefore more frequent.
Businesses should be aware of the potential impact deepfakes could have on security and authentication technology. Experts predict that adversaries will begin to generate deepfakes to bypass facial recognition and other biometric systems. It will be critical for businesses to understand the security risks and invest in educating themselves as well as hardening critical systems.
Nation-state intrusions are among the most difficult attacks to thwart and can result in the loss of sensitive trade, technological, or other data. Cyberspace continues to be a key battleground particularly amongst the United States, China, Russia, Iran, and North Korea. State-backed hackers in these countries are some of the best resourced and their activity is expected to increase and escalate.
While attempted intrusions and successful attacks have been isolated incidents so far, some experts believe these could have been preliminary efforts, setting up backdoors as a foothold for the future.
New Ransomware Twists
Ransomware attacks have also making headlines this past year. Attacks focused on enterprise operations interruption have become more sophisticated and, in some cases, criminals are pooling their resources to execute more targeted campaigns. Sandra Joyce, Sr VP of Threat Intelligence at FireEye states that “What we’ve been seeing in the underground is threat actors advertising their access to organizations, no matter what industry, and trying to find partners who have ransomware that they can deploy deep in those networks in a very customized fashion…This very targeted ransomware technique is leading to increased ransomware demands and putting organizations at a high risk of losing intellectual property.”
Experts predict the targeted penetration of corporate networks will continue to grow and ultimately give way to what is being called two-stage extortion attacks. The first stage is the delivery of a ransomware attack and extorting the victim to get their files back. In the second stage, the criminals target the recovering victim again by threatening to disclose the sensitive data that was stolen before the attack to extort even more money.
Cyber Insurance Uncertainty
The costs of cyber failures have never been higher. Insurers that have scrambled for market share in the booming line of insurance are now giving closer scrutiny to what they underwrite. While the aggregated losses from cyber incidents are substantial, experts agree that there is still capacity in the market. However, policy forms are increasing in complexity, exclusions are more common, and insurers are becoming more litigious when pressed to pay out.
Policyholders should be paying close attention to new cyber threat trends that could impact their supply chain, large losses that could drive up the cost and availability of insurance, and attack methods that insurers may move to exclude.
Shifting Regulatory Focus
This year, experts expect to see aggressive antitrust enforcement, a steady stream of GDPR enforcement actions, and an “avalanche” of consumer privacy class actions. In the United States, all 50 states have their own data security laws as well as a patchwork of industry-specific regulations and regulatory bodies. Disparities in the requirements for businesses and the uncertainties of falling under so many unique jurisdictions has opened the door for those seeking clarity from a nationwide standard. The recently proposed federal “Consumer Online Privacy Rights Act” should generate some interesting debates and lawmakers can expect pressure from the business community especially after the CCPA’s enforcement begins in July 2020.
Finally, top executives and officers are facing increased personal accountability for cyber-related governance failures or negligence. Several jurisdictions around the world have recently gone so far as to include criminal liability and potential prison time for executives in proposed legislation. While it is unlikely that we will see prison sentences imposed in the near term, the rising stakes will certainly increase scrutiny and urgency around cyber risk management at the top levels of business leadership across the globe.
Exercising Data Privacy Rights
Regulatory volatility will also require businesses to allocate more resources to compliance efforts. It is expected that more people will begin exercising their rights under regulations like GDPR and CCPA which provide for individuals’ rights to transparency and choice in the collection and use of their personal data. We will begin seeing companies that collect and store consumer data offer the ability to destroy or shred it. For example, Europe already has a “right to be forgotten” and Facebook already offers a “kill switch” data revocation method.
Businesses will need to ensure that they have formal and efficient processes in place to comply with such requests in the manner required by the regulations or risk fines and reputation fallout. In addition, sufficient documentation will be needed to attest to compliance including auditable and iterative procedures for “data revocation.”
Over the past ten years, there have been massive, high-profile data breaches and abuses of consumer trust (Facebook/Cambridge Analytica, Yahoo, Marriott, Equifax, Target). Ameesh Divatia, co-founder and CEO of data protection company Baffle advises “Those that play ‘fast and loose’ will see an immediate hit to their brand impact, mounting legal and regulatory costs and their long-term health of their business come into question. In contrast, those that design their systems to share data responsibly will thrive and soar in value.”
Disclaimer: This content is intended for informational purposes only and should not be construed as legal, medical or tax advice. It provides general information and is not intended to encompass all compliance and legal obligations that may be applicable. This information and any questions as to your specific circumstances should be reviewed with your respective legal counsel and/or tax advisor as we do not provide legal or tax advice. Please note that this information may be subject to change based on legislative changes. © 2020 Sequoia Benefits & Insurance Services, LLC. All Rights Reserved