From large-scale hacks to new rules governing cyber practices, the cyber landscape continues to become more complex. The risk for breaches is higher than ever before. The numbers support this declaration. According to the Identity Theft Resource Center Q3 2023 Data Breach Report, there was a record-breaking number of data compromises (2,116) during the first nine months of the year. Costs are also increasing with IBM finding in its 2023 Cost of a Data Breach report that the global average breach cost was $4.45 million, representing a 15 percent increase over three years. Last year also saw a record high for breaches and corresponding class actions. Where significant data breaches occur, class action exposure increases exponentially.

So, what can organizations do to improve their cyber programs as threat actors sophisticate and the rate of compromise increases? The goal is not to eliminate cybersecurity risk, as this is an impossible feat. What can be done to better control this risk and respond more efficiently is to apply professional teamwork. Having internal staff and outside partners with the right knowledge and resources is crucial.

Keeping apprised of hot topics that elevate risk will help organizations advance good cyber health, remain compliant, and better control class action risk. For the Angle’s final 2023 roundup, let’s take a look at four key cyber events and trends that surfaced.

MOVEit Hack

Certain events can cause widespread attacks that quickly place a large number of organizations at risk. In May 2023, the MOVEit breach started from a third-party software vulnerability and the effects felt are ongoing. According to analysis by Emsisoft, as of Dec. 24 there were 2,699 businesses that reported they were affected by the breach with 93,318,034 individuals’ data compromised. Victim data ranges from schools, healthcare, registered drivers, and more.

Many organizations used this accredited transfer file management for sensitive data transfers, as it met high regulatory standards. A zero-day vulnerability in both the on-prem and cloud environments emerged that no one was equipped to handle. Threat actors were able to gain access to customer accounts. There was no immediate patch available, rendering containment and mitigation extremely difficult (note MoveIt has claimed a patch was available May 31). Additional vulnerabilities also materialized. The hack was traced back to Clop, a ransomware cybercriminal group.

This is an example of how a small vulnerability can quickly turn into a disaster that highly increases litigation exposure. Many MOVEit incidents involve over one million impacted contacts and the types of data impacted tend to be rich files with complete contact data, such as complete client or employee lists containing full PII sets. Affected individuals have already started filing lawsuits against organizations using MOVEit and class actions could be on the horizon. This event highlights the importance of keeping apprised of the cyber habits that vendors employ and the overall risks that large hacks pose; organizations and those tasked with protecting them from Cyber threats must be proactive and vigilant not just within their own organization but with vendors, partners and third-party software providers who may also touch their data or have connections to their networks.  

New Securities and Exchange Commission (SEC) Rules

Last July, the SEC adopted new cybersecurity rules that send a message about the serious threat cyber incidents pose. The rules provide a way to prioritize cyber risk and to respond in a uniform expedient manner. Organizations will need to disclose material cyber incidents pursuant to a prescribed timeline and information regarding risk management, strategy, and governance on an annual basis. All SEC registered organizations should already have reviewed the rules in depth and taken steps to comply.

Compliance with the rules came due in December for most public companies. Smaller reporting companies have an extension until June 15, 2024. To adequately comply, there needs to be board-level attention on minimizing, managing, and responding to cyber risk. A significant change is the requirement to disclose material cybersecurity incident occurs within four days. There was some initial skepticism around meeting this tight deadline which the SEC addressed by not requiring disclosure of technical breach details and allowing for judgement on what is considered material and when to start the clock. After more reporting ensues the expectations around this and other facets of the rules will likely be clarified further.  Already we are starting to see interesting but unexpected impacts of these rules.  It has been reported that ransomware threat actors are threatening to report companies to the SEC for non-compliance with these new rules if they do not pay the ransom being demanded.

Legal Education Requirements

In the legal industry, New York lawyers had a new requirement involving cyber education take effect in July. It mandates one hour of CLE credit to satisfy the new Cybersecurity, Privacy and Data Protection category. This sends a message about how much cyber and legal intertwine, which is heightened because of the ethical duties.

Lawyers cannot effectively practice law today without knowledge about cybersecurity law, potential threats, and best practices. Confidentiality, competence, and candid communication are central to practicing law ethically. Cyber risk should be another foundational piece of legal education and training. New York has taken the first step to affirming this notion and other states will likely follow in the coming years. Until then, all lawyers should already be remaining cyber aware in their everyday practice and help set cyber goals for their organization. Some best practices include subscribing to cyber news alerts, advocating for legal’s involvement with incident response planning, and partnering with providers that can help vet new legal tech solutions.  Additionally, law firms are prime targets for ransomware attacks – law firms are data aggregators who often hold material volumes of highly sensitive information for many companies making them high value targets – and we continue to see major firms being the subjects of successful attacks each year.  By raising the bar in regards to Cyber competence and knowledge required, New York and other states who follow will help lawyers better advise their clients but also better protect the client data them themselves store.

Deepfakes

Cybercriminals keep finding ways to intercept data, rendering it important to keep on top of trending attack methods. Last year deepfakes made the list. According to Sumsub’s annual Identity Fraud Report, from 2022 to 2023 there were 10x more deepfakes globally. This is a very large increase in a short period of time due to the rise in AI-enabled technologies.

Deepfakes are videos, pictures, or audio that have been convincingly manipulated to misrepresent a person saying something they never said or doing something that they never did. Cybercriminals can access public company data and make changes or synthesize new content. Think of a situation where someone manipulates audio to sound like a direct manager authorizing a wire transfer or a fake video of a CEO making a statement in direct contraction with company values. Serious financial and reputational injuries can follow.

Organizations must have dedicated personnel and external partners to keep up with the evolving threat landscape and deploy strategies and tools to mitigate risk. Watch deepfake trends and ensure that employees know how to spot them.

Conclusion

Cybersecurity is an ongoing initiative that only becomes more important as digitization expands. Preparation and proactive planning are key, as even a small amount will go a long way and can help save an organization’s reputation, business, and assets. Keep up to date on important cyber events, breach trends, and pertinent rules. Make sure to account for these things in security initiatives, cyber incident preparedness efforts, response plans, internal education, and outside partner vetting.