The Changing Cybersecurity Landscape: From Sanctions Compliance to Double Extortion
In this webinar hosted by Law.com, Control Risks’ Partners James Owen and Nicholas Reys and Linklaters Partner Doug Davison discuss the evolution of the global cyber threat landscape. Exploring what they’re seeing in the regulatory environment regarding new guidance from OFAC and the SEC, they tackle some of the main trends at a strategic and tactical level and explain how those are impacting organisations in the legal profession around the world. Read some of the key takeaways below.
- There is a radical acceleration in the pace of digital transformation across both public and private sector industries globally. In North America, the pandemic has facilitated conversations at board and executive levels towards not only adopting new technologies that enable remote connectivity into the workplace, but also surviving in a global market that is increasingly uncertain. However, as technology continues to grow pervasively within organisations, the ability of criminals and nation states to exploit that interconnection also grows.
- A fundamental characteristic of the modern cyber threat landscape and its future evolution is its increased politicisation, particularly around the Ukraine crisis. Throughout the crisis, the reality of disruptive cyber-attacks launched both by nation states and by criminal organisations affiliated with parties to the crisis has become more evident. Over the last two years in the US, there has been an increase in targeted ransomware operations impacting critical national infrastructure, and even in ransomware-as-a-service operations.
- Double extortion is another key trend seen in the global threat landscape over the last few years. As technology and the defences that mitigate the impact of cyber-attacks improve, criminals, nation states and activists are becoming more prolific and smarter about the way they operate. With extortion, they have quickly realised (particularly since the inception of legislation like the EU’s General Data Protection Regulation and the Chinese cybersecurity law) that data is not just a commodity from an espionage standpoint, but also a commodity from an extortive standpoint. The commoditisation of data has led ransomware groups to focus not only on disabling an organisation’s ability to operate, but also on threatening a data leak for extortion at the same time as disrupting operations.
- The SEC’s guidance for public companies focuses on the disclosure process, risk management and governance. Looking at the guidance and the enforcement cases that have been brought, there is a focus on companies that did not have what were viewed as reasonable controls or reasonable governance processes. It is now crucial that, once someone in the organisation knows there is an issue, they understand the need for and expectations around disclosure.
- Cyber breaches represent a real challenge from a defensive perspective, given the regulations and recommendations from regulatory bodies on third-party supply chain and risk management. For multinational organisations with multiple providers across their global infrastructure, ensuring those providers are secure, resilient and compliant requires them to start thinking about this now, before the regulation and legislation come online.
- Cyber due diligence across third-party relationships can be an effective way to provide more assurance around risks that are outside of your direct control, such as partnerships, acquisitions and, certainly, portfolio companies.
For the full discussion tune into Law.com’s webinar The Changing Cybersecurity Landscape: Managing Risks from Sanctions Compliance to Double Extortion available on demand now.