How you can prepare, safeguard and take action
Cybercrime continued to dominate headlines throughout 2021, with the global cost predicted to reach $10.5 trillion annually by 2025.[1] As governments continue to navigate how to best deter cyber criminals, organisations must remain vigilant in the face of increasingly sophisticated cybersecurity attacks – arising from within and outside their organisation.
We look at the top five cybersecurity trends that defined 2021 and what they mean for Australian businesses in 2022.
Jump to
- 1. Regulatory landscape continues to evolve with the introduction of new mandatory notification regimes
- 2. Cyber extortion on the rise as ransomware continues to hold organisations captive
- 3. Next generation of supply chain attacks surge
- 4. Escalating insider risks spur focus on insider threat management
- 5. Cyber insurance market adapts approach as losses become unsustainable
1. Regulatory landscape continues to evolve with the introduction of new mandatory notification regimes
Following an early wave of mandatory data breach notification regimes that focused on the compromise of personal information, we are now seeing an influx of sector-specific cyber incident notification regimes[2] and the advent of cyberattack-specific notification regimes.[3] These new laws also supplement market disclosure regimes which have existed for some time.
In addition, each regime typically imposes different requirements as to when notification should occur, what it should say and who should receive it. Managing notifications across regimes and jurisdictions can present a major challenge for compromised organisations, particularly in the early days of a cyber response when information is scarce and there is immense pressure to make early and regular disclosures.
Breach notification enforcement is also on the rise as regulators increasingly hold organisations to account for delayed, misleading and deficient notifications.[4]
Actions you can take now
- Ensure you have a detailed communications plan and notification strategy that addresses:
  - messaging to staff (tailored according to whether and how they are affected)
  - communications with regulators, law enforcement and government agencies
  - media engagement
  - communications with service providers and business partners (including under contractual notification requirements)
  - notification to enterprise customers and consumers, and
  - notification to affected individuals.
- Ensure that all communications about the incident and about your organisation's response are accurate, appropriate for the audience and sufficiently transparent (without unnecessarily waiving privilege or including unhelpful speculation).
- If you are in a highly regulated industry, you should consider in advance how to coordinate engagement with multiple regulators, law enforcement and government agencies, particularly where updates will be required on an ongoing basis. Standard communications operating procedures for outages or natural disasters may not be appropriate.
- As mandatory regimes to make notifications about cyber extortion incidents or payments gather steam, you will need to incorporate those requirements into your cyber extortion response protocols.
2. Cyber extortion on the rise as ransomware continues to hold organisations captive
2021 was a banner year for ransomware and cyber extortion – almost 33% of all companies experienced at least one cyber ransom incident[5] and ransomware attacks cost businesses more than $20 billion, up from $325 million in 2015 (a 57x increase).[6] Ransomware is now the fastest growing and one of the most damaging types of cybercrime.[7] Despite this, many businesses are still severely unprepared.
2021 was also the year that these attacks claimed their first life[8] and garnered widespread attention and a flurry of activity from governments and law enforcement across the globe.
Finding themselves under immense pressure to take steps to deter ransomware attacks and cyber extortion and to hold the perpetrators accountable, governments are increasingly directing their efforts at the following:
- The establishment of dedicated taskforces focused on disrupting cyber extortion – in October 2021, the Australian Federal Police announced that it had established a new multi-agency law enforcement taskforce, Operation Orcus, to centralise law enforcement efforts against ransomware groups. This followed the establishment of a similar taskforce by the US Department of Justice earlier in the year. This law enforcement activity is already having some success, including:
  - in June 2021, the US Department of Justice announced it had seized $2.3 million worth of bitcoin that was paid in connection with the Colonial Pipeline attack;[9] and
  - in November 2021, Operation Gold Dust (a global law enforcement effort, with 17 participating countries) arrested two individuals associated with the REvil ransomware group.[10]
- Regulatory reform aimed at improving accountability and transparency – law enforcement is set to have greater powers to investigate and seize ransomware payments, and criminals will be subject to new standalone offences for cyber extortion. A standalone aggravated offence for cybercriminals seeking to target critical infrastructure was also flagged in the Australian Government's Ransomware Action Plan. The enforcement of new and existing criminal offences will also be supported by the information and intelligence gathering powers that were recently introduced by the Surveillance Legislation Amendment (Identify and Disrupt) Act 2021 (Cth), which allows the Australian Federal Police (AFP) and Australian Criminal Intelligence Commission to obtain three new warrants aimed at investigating, disrupting and prosecuting serious online criminal activity.
- Requiring notification of cyber extortion incidents or ransomware payments – as part of its Ransomware Action Plan, the Australian Government has announced that it will introduce new legislation that would require companies with an annual turnover of $10 million or more to report cyber extortion attacks to the ACSC (irrespective of whether they have paid a ransom). In the United States, the proposed Cyber Incident Reporting Act, 2021 would require organisations to notify the federal government within 24 hours if they make a ransom payment and would require entities who plan on making a ransom payment to evaluate alternatives before making that payment.
- International coordination – on 15 October 2021, 30 countries released a joint statement on countering ransomware, the result of a two-day virtual Counter Ransomware Initiative summit hosted by the US Government. We can expect to see greater international coordination and information sharing among these 30 countries (including Australia) to combat the transnational threat of ransomware activity.
- Cryptocurrency is coming under increased regulatory scrutiny – governments across the globe are cracking down on the use of cryptocurrency in illegal transactions. As part of the Ransomware Action Plan, the Australian government identified 'tackling cryptocurrency transactions associated with the proceeds of ransomware crimes' as a key disruption measure moving forward. In the United States, the Department of Justice created the National Cryptocurrency Enforcement Team to prosecute illegal transactions involving cryptocurrency.
- Overhaul of Australia's sanctions regime – amendments to Australia's Autonomous Sanctions Act 2011 (Cth), passed at the end of last year, allow the government to adopt sanctions programs that are responsive to transnational issues of concern. The government specifically identified malicious cyber activity as one transnational issue it will use its new power to target: the Minister for Foreign Affairs has the power to designate entities and individuals involved in malicious cyber activity. This would prohibit organisations that are the subject of a cyber extortion attack from making payments in connection with the incident if the attacker is a 'designated entity'. As a result of these new laws, it will be more important than ever for organisations to undertake thorough due diligence on attackers, intermediaries and the digital wallet into which the funds would be deposited, and the risks associated with making payments to resolve attacks will be further accentuated.
Actions you can take now
- Understand the regulatory requirements and prohibitions around engaging with threat actors. You should seek advice (where possible, in advance of any cyber extortion) on the legality of paying a ransom in various scenarios, how best to approach the evolving sanctions landscape, and cyber extortion notification requirements across the jurisdictions in which your business operates. This will help to inform cyber response plans and avoid the need to obtain detailed legal advice in the heat of a crisis (though advice specific to the circumstances will likely still need to be obtained at the time).
- Know your experts. It will be important for you to know, in advance of any cyber extortion, which experts to engage with and when (for example, cyber forensic investigators to assist with information gathering about the nature of the incident and the information that has been affected, and if appropriate, negotiators). Thought should be given to who in your organisation is responsible for engaging those experts and how they will engage with the broader incident response team.
- Put in place a cyber extortion recovery plan that outlines accountabilities within your organisation for co-ordinating and implementing your response, including service continuity and data restoration. In particular, consider:
  - the extent of board involvement in decision making, including who is responsible for making the decision (will authority in relation to ransomware decisions sit with the whole board, or will a sub-committee have delegated authority?);
  - how, and how frequently, the board should be notified of, and receive updates in relation to, a ransomware attack or digital extortion; and
  - the options available to your organisation when deciding how to respond to a cyber extortion attempt. There are three key options: not to engage with the threat actor; engage with the threat actor but not pay the ransom demand; or engage with the threat actor and pay the ransom demand. You will need to assess these options at the time, having regard to the information available.
- Implement a comprehensive training program for all staff who are ultimately responsible for protecting your critical information assets, as well as those who would be involved in the actual response and recovery effort. It is also prudent to ensure regular testing and updating of IT systems and processes is in place to respond to, and recover from, ransomware attacks and/or cyber extortion.
- Familiarise yourself with your organisation's cyber insurance policies to ensure your organisation has coverage for items including external legal advice, incident response and technical forensics, extortion negotiation and payment.
- If you do not have cyber insurance cover, consult with your insurance broker to see whether or not cyber insurance is an appropriate risk mitigation tool for your organisation.
- Engage legal and cybersecurity experts to assess your organisation's cyber resilience capability and preparedness for a ransomware attack or cyber extortion (eg by running simulations).
- Get involved in consultation. There will be opportunities to engage with government regarding the shape of the reforms. Allens can help share your views on how the reforms can be crafted to avoid creating undue compliance friction and risks for your organisation.
3. Next generation of supply chain attacks surge
Supply chain attacks are an enduring feature of the cyber landscape, as threat actors continue to actively leverage third party vendors and technology to penetrate their ultimate target. The switch to remote working during the COVID-19 pandemic has amplified this threat, with supply chain attacks rising by 430% in recent times.[11] Log4j, SolarWinds, Colonial Pipeline, Microsoft Exchange, Kaseya and JBS are just a few of the supply chain compromises that dominated the cyber landscape in 2021, a year which saw over $85 million in ransomware demands (to date).
We are now also seeing a surge in software supply chain attacks and in particular the compromise of open source libraries and tools, as attackers look for new ways to maximise their blast radius, automate their efforts and avoid detection. This leaves organisations looking to secure technologies introduced from or located outside their perimeter with an unenviable task. They must anticipate and address third party cyber risks in circumstances where the average software project has 203 dependencies and 'involves multiple off-the-shelf components, including third party APIs, open source code and proprietary code'.[12]
As a consequence, we are likely to also start seeing greater regulation (whether direct or indirect) of certain types of ICT service providers, particularly in critical sectors which tend to rely on a handful of unregulated third party technology providers. The increased focus on these suppliers has been a recurring theme in the Australian Cyber Strategy and APRA's 2020-2024 Cyber Security Strategy (including its recently released Supervision Priorities for 2022,[13] which include consultation on a new operational resilience standard). In addition, under Australia's expanded security of critical infrastructure regime introduced late last year:
- responsible entities of critical infrastructure assets (including large banks, superannuation funds, health service providers, large supermarket chains etc) must notify those data storage and processing providers which are providing a service relating to business critical data[14] that they are providing such a service; and
- those data storage and processing service providers will themselves then be deemed to be a responsible entity of a critical infrastructure asset and must therefore comply with the relevant notification and positive security obligations imposed under that regime.
Operational resilience and the systemic risk posed by a concentration of IT service providers is also being addressed in the European Union. The European Commission has drafted a Digital Operational Resilience Act (DORA) which will not only impose outsourcing requirements on financial services organisations procuring ICT services, but will also bring critical ICT third-party providers (including cloud, software and data analytics providers) within the regulatory perimeter by directly requiring that they comply with certain regulatory standards and by ensuring oversight over such suppliers.[15]
Actions you can take now
- Know your software. The recent spotlight on open source vulnerabilities and the resulting global scramble to patch systems at scale following the discovery of the Log4j flaw highlights the importance of:
  - understanding the downstream software dependencies of third parties and contractually requiring that suppliers provide complete and up-to-date lists of all their external software components (both open source software and other off-the-shelf solutions) used in any engagement; and
  - ensuring that your in-house teams are able to quickly identify whether particular software components and tools have been used in the development of internal applications, including by regularly scanning and updating their software asset inventory.
- Ensure alignment with critical infrastructure reforms. If you are a responsible entity under the expanded Australian security of critical infrastructure regime, implement a program to notify and where appropriate uplift existing arrangements with data storage and processing providers providing a service relating to business critical data. If you are a data storage and processing provider providing a service, consider what additional obligations will be imposed under the regime.
- Know your third-party service providers. Conduct an inventory of all third parties that have access to your systems and/or your data. Undertake due diligence and perform risk assessments on vendors before deploying their technology or permitting them to access your systems or data.
- Document and implement a third party engagement policy. The policy should outline the processes your organisation should follow in any engagement with third parties (from due diligence to contracting and ongoing vendor management through to termination), according to the risk classification of the arrangement.
- Restrict third party access to the essentials. Third-party access to your systems and data should be limited to the minimum level necessary to perform the relevant role. Any access by supply chain vendors should be authenticated, tracked and audited to ensure that the extent and nature of access is appropriate and that it is terminated when no longer required.
- Establish robust contractual protections…and enforce them. The assurances that you obtain from suppliers, and the obligations that you impose, should be relevant and proportionate to the risks faced. They also need to be tested and enforced. Where appropriate, your contract should also outline the engagement required by the supplier if a flaw or compromise is discovered and your recourse where such engagement or remediation is unsatisfactory.
- Don’t forget about intragroup arrangements. Group members are still third parties in the eyes of regulators – as Yahoo, Equifax and RI Advice have all discovered. It is just as important that you assess, test and address cyber issues presented by intragroup arrangements as it is for unrelated third party arrangements.
- Watch this space. As recent compromises force organisations to re-examine the assumption that open-source software is secure because it has so many eyes on it, we may see moves to try to regulate open source software and practices. A meeting at the White House in December last year saw executives from the likes of Microsoft, Google, Apple, Facebook, Amazon and others meet with officials to discuss the need for better security in the open-source community.[16] White House National Security Advisor Jake Sullivan convened the meeting, noting that it was a 'national security concern' for foundational open source software to be maintained by volunteers.[17]
4. Escalating insider risks spur focus on insider threat management
Insider cyber risk is an escalating yet often overlooked and underestimated problem for organisations. Rapid digital transformation, remote workforces, increased use of the cloud, pandemic-induced business and personal stressors and, increasingly, incentives offered to disgruntled employees by external threat actors,[18] have all contributed to the steep rise in both the frequency (44%) and cost of insider cyber threats over the past two years.
More than a quarter of all cyber events globally originate inside an organisation – either as a result of error (eg misdelivery, misplacing assets, misconfigurations, publishing errors and disposal errors) or misuse (eg privilege abuse or collusion with outsiders).[19]
In Australia, the story is even worse. The OAIC's latest twice-yearly report on data breaches found that human error was the primary cause of approximately 30% of data breaches between January and June 2021.[20] Given the difficulties organisations face in protecting against highly sophisticated cyber attacks by external actors, reducing the incidence of insider risk will go a long way to reducing the overall risk profile of your organisation.
Actions you can take now
- Implement an insider threat management program for the prevention, detection and mitigation of, and response to, insider cyber risks.
- The scope of your insider threat management program will be critical to its success. Your program should not be limited to addressing individual behaviours – it should also have regard to:
  - the organisational context in which these behaviours operate (eg a culture which might create insider dissatisfaction); and
  - outside risk factors (eg industry competition or malicious threat actors that might encourage or incentivise insider theft or misuse).[21]
- Your access control protocols and practices are a key component of any insider threat program. They should cover the technical and operational access controls to be applied and when they should be reviewed, how access will be monitored, logged and reported on, when access rights should be revoked (eg when someone changes roles, leaves the organisation, or at the completion of a project), and the procedure to be followed in the event there is a failure in access controls. As a general rule, access to data and systems should be limited to the minimum level necessary for a person to perform their role.
- Cybersecurity awareness and skills training will help staff avoid certain incidents and detect potential risks before they arise.
- Creating a no-blame culture (for mistakes) will encourage staff to speak up as soon as they become aware of any actual or potential vulnerability or compromise so that you can move to swiftly contain and mitigate any damage.
- Your insider risk management program should be designed and implemented with legal and ethical considerations in mind. As your organisation continues to invest in behavioural monitoring and sensitivity analysis to facilitate insider risk management activities, you will need to carefully consider, in particular, the privacy and surveillance implications of these practices and the controls that will need to be applied to address them.
5. Cyber insurance market adapts approach as losses become unsustainable
The volume and severity of cyberattacks is skyrocketing and with it, ransom payouts and business rectification costs. Unsurprisingly, the volume and size of claims made on cyber insurance policies has also been steadily increasing. This has led to a hardening of the cyber insurance market.
Insurers have responded in a number of ways. There has been a significant increase in premiums and a narrowing of cover across the market, together with a reduction of capacity. Many insurers have also changed the way that they assess the claims risk of their insureds. Self-assessments and attestations are disappearing. Organisations looking to purchase or renew cyber policies are often being technically and operationally interrogated, monitored, and required to implement a host of controls, as insurers take a much more active approach in assessing insurability and claims risk.
Actions you can take now
- Get ready. When considering whether to provide or renew coverage (and on what terms), underwriters are increasingly examining – in detail – information about organisations' cyber strategy, governance arrangements, IT security spend, the volume and type of data held, the security controls applied to protect information assets, and reliance on shadow IT (information technology or services not approved by the IT department). Underwriters are also investigating third party arrangements, cyber-awareness culture, testing regimes, details of any prior data breaches, how prepared organisations are to respond to a cyber event and whether they have run any war gaming exercises to stress test their arrangements. Find out what information your insurer requires and the security controls the insurer seeks to impose well in advance of the renewal process. Being prepared will make it easier to demonstrate a mature security posture throughout the process and may result in a better renewal outcome.
- Demonstrate buy-in from the top. Insurers are increasingly focussing on executive level sponsorship of cyber security and resilience, including by making regular tabletop scenarios that include senior management participation a condition of coverage.
- Know your policy. Make sure you understand precisely what first-party losses and third-party liabilities the policy covers, as well as the limits and exclusions and any conditions of claiming under your policy. If there are parts that are unclear, discuss them with your broker, or with your lawyers.
- Cyber insurance should be a product of last resort. Any organisation with cyber-related exposure should be undertaking risk assessments, implementing a cyber strategy and uplifting its practices where there are gaps, regardless of whether it is seeking insurance coverage. Even the broadest cyber insurance policies will not cover all losses that might be sustained as a result of a cyberattack and even where it does, cyber insurance is no substitute for good risk management.
Footnotes
1. Steve Morgan, Top 6 Cybersecurity Predictions And Statistics For 2021 to 2025 (30 December 2021).
2. In Australia, a positive notification obligation is in the process of being implemented in respect of a broad range of critical infrastructure assets. This will require entities to notify the relevant agency of a cybersecurity incident within 12 hours if the incident has had or is having a significant impact on the availability of the critical infrastructure asset, or 72 hours where the incident has had or is having a relevant impact. See also the approval by US banking regulators (the Federal Reserve, Federal Deposit Insurance Corporation and Office of the Comptroller of the Currency) last year of a rule directing banks to report major cybersecurity incidents to their primary regulator as soon as possible and within 36 hours of discovery. This is similar to the requirement imposed on APRA regulated entities under CPS 234.
3. In October 2021, the Department of Home Affairs released its Ransomware Action Plan which signposts legislative reforms that would require companies with a turnover of $10 million or more a year to report ransomware attacks (as opposed to ransomware payments) to the Australian Cyber Security Centre.
4. The Securities and Exchange Commission (SEC) flagged late last year that it intends to supplement or modernise its cybersecurity guidance issued back in 2018 (the Commission Statement and Guidance on Public Company Cybersecurity Disclosures) by releasing a rule proposal specifying how companies should address incident disclosure. This follows action taken by the SEC last year against eight financial services firms for cyber breaches and its growing frustration at delays and deficiencies in cyber disclosures (both misleading statements and omissions) and inadequate notification policies and procedures (see Christopher Hetner and Lisa Quateman, Cyber Disclosures: New Regulation on the Horizon (10 December 2021)).
5. Mass Needhma, IDC Survey Finds More Than One Third of Organizations Worldwide Have Experienced a Ransomware Attack or Breach (12 August 2021).
6. Steve Morgan, Cybercrime To Cost The World $10.5 Trillion Annually By 2025 (13 November 2020).
7. Cybersecurity Ventures expects that a business will fall victim to a ransomware attack every 11 seconds by 2021, up from every 14 seconds in 2019 (see Steve Morgan, Cybercrime To Cost The World $10.5 Trillion Annually By 2025 (13 November 2020)).
8. Steve Morgan, Cybercrime To Cost The World $10.5 Trillion Annually By 2025 (13 November 2020).
9. The United States Department of Justice, Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside (7 June 2021).
10. Joe Tidy, REvil: Day of reckoning for notorious cyber gang, BBC News (8 November 2021).
11. CrowdStrike, What is a Supply Chain attack? (8 December 2021).
12. CrowdStrike, What is a Supply Chain attack? (8 December 2021).
13. Australian Prudential Regulation Authority, APRA's Supervision Priorities (1 February 2022).
14. Business critical data means: (a) personal information (within the meaning of the Privacy Act 1988) that relates to at least 20,000 individuals; (b) information relating to any research and development in relation to a critical infrastructure asset; (c) information relating to any systems needed to operate a critical infrastructure asset; (d) information needed to operate a critical infrastructure asset; or (e) information relating to risk management and business continuity (however described) in relation to a critical infrastructure asset.
15. Linklaters, An act of two halves: How the EU plans to build operational resilience in financial services (18 March 2021).
16. Lucas Ropek, After Log4j, Open-Source Software Is Now a National Security Issue (13 January 2022).
17. Jonathan Greig, After Log4J, White House fears the next big open source vulnerability (14 January 2022).
18. Krebs on Security, Wanted: Disgruntled Employees to Deploy Ransomware (19 August 2021) and Loukia Papadopoulos, Hackers Are Offering $1M to Employees Who Install Ransomware on Company Computers (22 August 2021).
19. Ponemon Institute, 2022 Cost of Insider Threats Global Report (2022).
20. Office of the Australian Information Commissioner, Notifiable Data Breaches Report: January – June 2021 (23 August 2021).
21. Angela Horneman, Sarah Miller and Andrew P. Moore, Insider Risk Management Program Building: Summary of Insights from Practitioners (May 2021).