Cyber Risk Governance Insights | October 14, 2024
Netswitch, Inc.

WEEK IN HEADLINES

NATION STATES - Cyberattacks Disrupt Nuclear and Government Ops

On October 12, simultaneous cyberattacks targeted Iran’s nuclear facilities and government agencies, significantly disrupting operations. Almost all branches of the Iranian government (the judiciary, the legislative and the executive) were reported affected. The attacks are suspected to be a retaliatory move by Israel following Iran’s recent missile attacks.

INSIGHT: This round of cyberattacks against Iran is a reminder of how warfare is evolving, and that civilian systems routinely sit in the blast radius. Because our industries are interconnected, every organization should adopt an adaptive cyber risk strategy, invest in advanced cybersecurity measures, and engage in dialogue within its industry to establish norms. When cyber-attacks are used as "messaging", governments and agencies should weigh the ethical ramifications of cyber operations against the civilian organizations on which ordinary people rely.

UTILITIES - Largest U.S. Water Utility Hit; Billing Systems Disrupted

American Water, the largest water utility in the U.S., experienced a cyberattack that led to the shutdown of several systems, including billing. The attack highlights the vulnerability of critical infrastructure to cyber threats. The company is working with law enforcement and cybersecurity experts to investigate the incident and restore services.

INSIGHT: Your mantra for cyber should be “never trust, always verify.” A Zero Trust Architecture (ZTA) requires continuous verification of user and device identity, and of the authorization for each request, regardless of whether the request originates inside or outside the network; that per-request check is what minimizes the risk of unauthorized access. American Water has not published the intrusion path, so we cannot say which control failed, but in an incident like this ZTA’s per-request authorization and segmentation would have restricted the attacker’s lateral movement, limiting their ability to reach and disrupt critical systems such as billing.

HEALTHCARE - HHS New Threat Warning to Sector

The U.S. Department of Health and Human Services has issued a warning about Trinity ransomware, a new threat targeting healthcare providers. First detected in May 2024, Trinity ransomware employs double extortion tactics, exfiltrating sensitive data and then encrypting files. Multiple healthcare providers in the U.S. and U.K. have been affected, with significant data theft reported.

INSIGHT: An advanced Endpoint Detection and Response (EDR) solution with host-isolation capability can shorten the time to containment in a ransomware attack and limit encryption and system interruption. Double extortion means the data is stolen before encryption begins, so EDR alone is not enough: pair it with egress monitoring for bulk outbound transfers and with tested offline (immutable) backups, and treat any exfiltrated data as breached regardless of whether a ransom is paid.

GOVERNMENT - Cyberespionage Effort Breaches Air-Gapped System

Researchers have uncovered a series of cyberattacks by the GoldenJackal group targeting air-gapped systems in European government organizations. The attacks, spanning from May 2022 to March 2024, utilized custom toolsets to exfiltrate sensitive data from isolated networks. GoldenJackal’s operations highlight the persistent threat to high-security environments.

INSIGHT: Air gapping has again been shown to be breachable (GoldenJackal is not the first group to bridge one). Consider data diode technology, which may be a new cyber term for you: a data diode is a hardware device that physically enforces one-way data flow, so it can allow data into a secure network while making it impossible for data to travel from the secure network out to a less secure one. One caveat: a diode governs network paths only. Air-gap-bridging toolsets typically rely on removable media carried across the gap, so pair a diode with strict removable-media controls and endpoint monitoring on the isolated side. For high-value targets (e.g. diplomatic offices) this type of technology may be worth the investment.

CONSUMER SERVICES - Breach Exposes Employee Data via Third-Party Compromise

ADT, [NYSE: ADT] a leading security services provider, disclosed a cybersecurity incident where an unauthorized party accessed its network using compromised credentials obtained from a third-party business partner. The breach resulted in the exfiltration of encrypted internal data related to employee user accounts. ADT has taken steps to contain the incident and is working with cybersecurity experts to investigate and mitigate the impact.

INSIGHT: Prevention of this type of incident is twofold: MFA (we've talked about this enough previously), ideally phishing-resistant and enforced on every account a partner uses to reach your network, and Third Party Risk Management (TPRM). A basic Business Impact Analysis (BIA) will also help you understand the risk each third party carries. If you lack the resources to audit your vendors, at least rank the risk and take steps to mitigate as much as possible, such as limiting partner credentials to the minimum access their role requires. If you want to DIY, ask us for a BIA Template and Scorecard.

INSIGHTS & EXPERT PERSPECTIVES

Opinion: Recent FTC Settlements – A Misguided Signal to CISOs and CFOs

The recent settlements between the Federal Trade Commission (FTC) and Marriott and T-Mobile have sparked significant debate within the cyber risk community. As professionals invested in helping SMBs understand and establish risk management and compliance, we find the leniency of these settlements troubling: insufficient to drive meaningful corrective steps within large organizations, and a poor example for SMBs.

Marriott [NASDAQ: MAR], a global hospitality company, had serious cybersecurity weaknesses that led to massive data breaches, compromising the personal information of millions of customers. T-Mobile [NASDAQ: TMUS], a major U.S. telecommunications carrier, experienced several significant cyber incidents that led to its settlement (in T-Mobile's case, strictly speaking, with the Federal Communications Commission rather than the FTC; the concern below applies equally).

The settlements, however, appear to be nothing more than a slap on the wrist. For companies of Marriott’s and T-Mobile’s size, the financial penalties imposed are akin to a rounding error, an amount either can easily absorb within a cyber incident reserve.

This leniency sends a dangerous message to other enterprises (small to large) that minimal compliance efforts are enough to avoid severe (read: meaningful) repercussions. It undermines the efforts of Chief Information Security Officers (CISOs) and Chief Financial Officers (CFOs) who strive to prioritize robust cybersecurity measures in their organizations. Instead of incentivizing comprehensive security practices, the settlements may inadvertently encourage a cost-saving approach that leaves critical cyber risks unaddressed.

The FTC and other regulatory bodies (and Congress?) should recognize the importance of imposing penalties that reflect the gravity of these breaches and the potential harm to consumers. When the importance of consumer cyber privacy and protection is recognized in the size of the penalty, we might then see a wider-ranging shift towards more proactive and effective cyber and information security strategies across all industry segments.

These settlements represent a missed opportunity to set a strong precedent for cyber risk accountability that the SEC has hoped to establish. It is imperative that future regulatory actions prioritize the protection of consumers and their data and the implementation of regulated security measures, ensuring that companies of all sizes take their cybersecurity responsibilities seriously.

Question: If I'm a vendor to a large enterprise, do the SEC’s new cyber rules apply to my company?

The SEC’s new cyber rules (Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, adopted in July 2023) bind SEC registrants, not their vendors directly, but they have real implications for vendors serving those enterprises. The rules require registrants to disclose material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material, and to describe their cyber risk management, strategy and governance annually on Form 10-K. Because an incident on a vendor’s systems can be material to the registrant, customers push these obligations down through contracts and due diligence. As a vendor, aligning your cybersecurity practices with these expectations is not just a compliance measure but a strategic imperative.

Here’s how these rules may apply to your company:

  • Regulatory Alignment: As a vendor, you should align your cyber risk practices with those of your customers. This includes adopting similar measures for risk management, incident reporting, and periodic reviews.
  • Incident Reporting: Your customer has four business days from its materiality determination to file, so its contracts will increasingly require you to notify it of security incidents on a short clock. Be ready to report incidents affecting customer data or services promptly, with enough detail for the customer to assess materiality, allowing for a coordinated (and possibly supported) response.
  • Periodic Disclosures: You should conduct regular security and risk assessments and provide updates on your cyber resilience posture. This transparency is important to maintain customer trust and to ensure your customer can meet its own disclosure requirements.
  • Compliance Audits: Your customer(s) may audit your organization to verify that you adhere to your stated cybersecurity governance. You should be prepared to demonstrate compliance through documented governance and incident response, disaster recovery and business continuity (IR/DR/BC) plans.
  • Risk Management: You should implement an adaptive cyber risk management practice and validate that adaptivity through regular security and risk assessments and mitigation strategies, giving you legally defensible evidence that you're actively protecting both yourself and your customer from cyber threats.

If you do these things, you can demonstrate that you're a valuable asset to your customers and ensure that they meet the expectations of and comply with the SEC’s cybersecurity rules.

To learn more, watch/listen to our Cyber Risk Governance Live Event Know Your Cyber Risk Now: SEC Eyes Enforcement of New Cyber Rule with Alex Sharpe.


Sharpen Your Cyber Edge with Netswitch

Master Compliance & Minimize Risks:

  1. Independent Security Audit: Identify network risks with our automated Security And Risk Assessment (SARA). Get a clear picture, prioritize improvements, and optimize resource allocation. Contact Netswitch.
  2. Free "Quick Start" Program: Gain a free cyber risk and governance health check. Enroll now and start building resilience.

Deepen Your Knowledge:

  • Join Our LinkedIn Group: Collaborate with industry leaders in the CyberRisk Governance Community on LinkedIn. Share insights and stay ahead of the curve.
  • Live Events: Participate in interactive LinkedIn Live sessions. Explore cyber risk topics with executives, technologists, and governance professionals.

Don't wait.

Contact Netswitch Technology Management today to take control of your cyber risk.


Disclaimer: The information and links provided in this newsletter are for informational purposes only. Netswitch does not warrant the accuracy or completeness of such information and is not liable for any damages arising from its use.


Thanks, Dina! Collaboration is an important approach to enhance cyber resilience for organizations of all sizes.

Dina Finta

Founder, Managing Partner, Strategic Growth Consultant, Mentor and Facilitator, ThrivePoint Programs

1 month ago

Good info! Seems like I have heard you share some of these cybersecurity guidelines before! Perfect timing for vendors working with enterprise customers.
