Avoiding The Long Tail of a Cyberattack
The following is a guest article by Mike Hamilton, CISO at Lumifi Cyber
Cybercrime was reported to cause $8T in global losses in 2022, and that figure is expected to rise to $12T by 2027. That is an astonishing amount of money, on par with the GDP of many developed nations. With that kind of resourcing, none of which is spent on roads, pensions, or education, the reality is that a nation-state-sized budget is focused on stealing from you. What that means is that a cyber incident resulting in financial loss is just about certain, or in the parlance of the legal industry, foreseeable. In tort negligence lawsuits, foreseeability asks "whether a person could or should reasonably have foreseen the harms that resulted from their actions". Further, failure to act to mitigate a foreseeable threat can be considered negligence. Hence, we are awash in class action lawsuits arising from the unauthorized disclosure of protected personal, health, financial, and other information, and in claims of executive negligence.
Cybercriminals know our laws. They know the SEC expects disclosure on Form 8-K (Item 1.05) within four business days once a company determines that a cyber incident is material to shareholders. They know that there are attorneys watching for breach disclosures to file a class action suit and start rounding up plaintiffs. Setting aside the fact that it is our own laws that enable these outcomes, criminal extortionists now routinely threaten their victims with notifying the SEC that a filing was inaccurate, or with making purloined records public, specifically to create an additional "incentive" to pay up or face civil and/or regulatory action. This extends the time and resources necessary to fully recover from one of these events: the long tail of the cyberattack, which can also include customer flight, damage to brand reputation, and irreparable financial damage.
The expectation of those who review internal controls after an event (incident responders, regulators, insurance carriers, etc.) is that your organization "takes security seriously". The standard they apply is evident in the wording that routinely appears in class action complaints: "implementing inadequate data security measures and protocols that failed to properly safeguard and protect Plaintiffs' and Class Members' Private Information from a foreseeable cyberattack on its systems."
How does one insulate the organization (and, importantly, the executives) from these outcomes? You show your papers and prove you have been meeting cybersecurity control expectations, whether from a regulatory or a standard-of-practice perspective. "Doing it right" means that you are conducting a risk assessment at least every year or two, creating a corrective action plan from its findings, and moving that plan through internal risk governance that includes executive representation. You are conducting an annual penetration test, policy review, and tabletop exercise, performing regular access authorization reviews, and providing awareness training for your users. You have an inventory of what is on your network, you conduct vulnerability scanning and remediation, and all of this is documented.
Risk governance is a weak spot for many organizations. The SEC's 2023 cybersecurity disclosure rules require public companies to describe the board's oversight of cyber risk and management's role in assessing and managing it, which in practice means risk governance with executive participation and cybersecurity reporting to the board of directors. The Health Industry Cybersecurity Practices (HICP) publication also calls out this governance as required, as have other sector risk management agencies. The NIST Cybersecurity Framework (NIST CSF) version 2.0 added a sixth function, Govern, alongside Identify, Protect, Detect, Respond, and Recover. Failure to conduct executive-attended risk governance meetings is a sure way to be viewed as unserious about protecting regulated information, and to raise the ire of regulators.
Some states have laws that create a safe harbor if you can demonstrate that you have implemented controls that meet a standard of practice. For example, the Ohio Data Protection Act provides an affirmative defense against claims that a company failed to implement adequate controls, provided the company can document a written security program that reasonably conforms to a recognized framework such as the NIST CSF or ISO/IEC 27001. The California Consumer Privacy Act's private right of action for breaches applies only where the breach results from a failure to implement reasonable security procedures, so a documented, reasonable security program functions as a defense there as well. The intent in both cases is to incentivize organizations to invest in appropriate practices before an incident rather than after.
Documentation is the key. If you are using a GRC (governance, risk, compliance) tool, recordkeeping is simplified. If you are using a spreadsheet to self-assess, remember that you need designated storage for your artifacts, and the claims made in the assessment must be backed by those artifacts (self-assessment is often aspirational; do not fall into that trap). Contracting a third party to conduct your risk assessment and produce a report is only a first step. Collecting the artifacts as you work through the corrective action plan is what will save your company from the worst effects of an event.
About Michael Hamilton
Michael Hamilton is a Lumifi Cyber Field CISO. His previous roles have included Managing Consultant for VeriSign Global Security, CISO for the City of Seattle, Policy Adviser for Washington State, and Vice Chair of the State, Local, Tribal, and Territorial Government Coordinating Council for critical infrastructure protection.