Jason Elmer is President, Drawbridge.
What were the key theme(s) for your business in 2022?
This year saw an immense uptick in investor pressure that drove cybersecurity software and solutions. The upcoming SEC mandate has forced funds to stop kicking the can down the road and begin to make decisions around what they will put in place for cybersecurity governance.
The SEC prioritized vendor oversight; phishing controls and training, operational resilience, ransomware prevention, work from home cyber policies and more in 2022. Next year, this is going to be expanded further to include risk assessments and vulnerability management as well as new topics such as board oversight, incident response within 48 hours and annual reviews that require enhanced reporting. As SEC’s Chair, Gary Gensler said in February: “The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks.” This impacts funds of all sizes.
While companies will be able to outsource some of the technical controls and cybersecurity training; much will remain their responsibility. Preparation and planning are going to be key – these should be the key themes for 2023. Companies should already be looking at everything from their incident response planning and recordkeeping processes to risk assessments and vulnerability management. Putting the right policies and processes in place now to address gaps will set companies on the right track to be compliant and not fall foul of the new SEC rules.
What surprised you in 2022?
Even as firms elevate cybersecurity to a board priority, it’s still surprising how many simply elect to hand over their cyber program to their Managed Service Providers (MSPs), and how many MSPs in turn are now positioning themselves to offer cybersecurity services.
It is an obvious conflict for your IT provider to try and act as a self-auditor. It is comparative to a student being asked to mark their own homework. An independent, and therefore, objective analysis will deliver better results.
MSPs have also been the target of some very profile cyberattacks themselves in the past, such as the prolonged spear-phishing campaign of Operation Cloud Hopper in 2017. The attack on British MSP, Advanced, in August this year could have resulted in the details of 25,000 customers being exposed. It did cause a vital healthcare line to be disrupted.
Both regulators and investors frown upon MSPs offering these services – and the many that have tried in the past have seen a marked lack of success.
What are your expectations for 2023?
The past year was game-changing regarding evolving cybersecurity threats, regulation and mitigation measures.
The cyber landscape is changing fast and so the year ahead will see new threats and tactics from threat actors who want to capitalize on the security shortcomings of financial institutions. Phishing and ransomware will remain prevalent as will the use of the Dark Web.
Phishing attacks are lucrative. Indeed, they are predicted to grow to more than $25 billion this year. IBM wrote in its Cost of a Data Breach Report: “In 2022, the most common initial attack vectors were compromised credentials at 19 percent of breaches and phishing at 16 percent of breaches.” It adds that, on average, the costliest initial attack vector was phishing at USD 4.91 million, followed by business email compromise at USD 4.89 million. Verizon’s 2022 Data Breach Investigations Report adds that it is the “…human element [that] continues to drive breaches,“ citing that “82 percent of breaches involved the human element.” Among the big names who fell victim to phishing breaches this year were Acorn Financial Services; Mailchimp and Twilio.
Nvidia and Costa Rican Government were two high profile organizations that were hit by ransomware attacks – the latter brought the country’s ministry of finance to its knees. The group responsible – Conti – initially demanded a ransom of $10 million, which it later increased to $20 million.
These were the attacks that the press reported. There were thousands and thousands more. The need for continuous oversight of cyber programs will be of the utmost importance to both regulators and investors alike. The common point in time solutions such as “pen testing” or once a year vendor reviews will simply not suffice.
Incident response will become even more key in 2023 for those unfortunate enough to be attacked. This must be included in companies’ planning and be tested continually.
What trends are getting underway that people may not know about but will be important?
Compliance is evolving as the threats do. According to Compliance Week, the SEC collected more than $6.4 billion in enforcement penalties; fees and interest in the 2022 fiscal year. This, it states, is “…the largest amount in the agency’s history and a massive increase over a transition year in 2021.”
In 2023, we can expect new cybersecurity regulations and the increasingly strict enforcing of existing rules. Companies need to understand there are likely to be higher fines for non-compliance as regulators use them as strong encouragement for other companies to strengthen their defenses. As law firm Skadden stated unequivocally in a blog post: “Officials have said in recent public remarks that they believe penalties should be calibrated to convey to market participants that complying with the securities laws is less costly than violating them.” The simple message is that companies need to be on top of this.
This means understanding the standards being set by the SEC or whichever governing body companies are working under. It also means embedding an awareness of the risks of non-compliance and the importance of these rules. Remember too that there is a collective responsibility to be compliant; and this collaboration is a key part of the relationship between government and industry.
These rules also help create standards by which companies can operate and help with the sharing of information about threats. This can only be a good thing if it frustrates and stops those cybercriminals searching for vulnerabilities.
What are your clients’ pain points and how have they changed from 1 year ago?
Vendor cyber risk is an issue that our clients are worried about as cyberattacks in the software supply chain are increasing. IBM and the Ponemon Institute reported in 2020 that, on average, a company takes 280 days to detect a third-party data breach. The Ponemon Institute states in a report published in May 2021 that 44 percent of organizations experienced a breach within the last 12 months. Of these, 74 percent said the breach resulted from giving “too much-privileged access to third-parties”.
In July 2021, the Saudi Arabian Oil Company, known as Saudi Aramco, had one terabyte of data stolen. The cyberattackers demanded $50 million in cryptocurrency. Aramco firmly placed the blame with a third-party vendor.
Staggeringly, more than half of the Ponemon respondents admitted that their companies did not assess the security and privacy practices of all of their third-party vendors before giving them access to data.
Compliance is imperative not just for one or two of a company’s third-party vendors but for all of them. This means that education should be extended beyond companies’ employees to third party vendors. Communication, risk assessments and risk management analysis must be carried out with the same diligence as companies approach their own business. Ask about their compliance; require proof of their cybersecurity robustness; monitor them and adopt a policy of zero trust when it comes to data.
In 2023, organizations will need to take a more prescriptive approach to assess the risk from all of their vendors. A company is only as strong as its weakest link.