Eric Rosenbach, a former “Pentagon Cyber Czar” and co-director of the Belfer Center for Science and International Affairs at the Kennedy School at Harvard, explains cybersecurity in simple terms. According to Rosenbach, “cyber risk management is an essential part of governing. It is a fundamental component of operations. Understanding and mitigating risk has become an essential skill not only for security and technology specialists but also for leaders in government and business.”
As the frequency of cyber-attacks increases, institutional investors are at the forefront of the battle to understand their investments’ exposure to cybersecurity risks. Tragically, organizations are not immune to new cyber threats. The lockdown of 2020 linked to the novel coronavirus pandemic has further increased investors’, businesses’, and government agencies’ exposure risk to cyber insecurity. Cybercriminals have capitalized on the lockdown to increase their attacks as businesses, individuals, and governments embrace new practices such as working remotely and social distancing. Due to a lack of preparedness, vulnerable businesses and government infrastructure are now more exposed to cyber-attacks.
Unaddressed cybersecurity threats have a negative impact on the economy, businesses, and investors. However, government, businesses, and individual investors have a huge role in addressing cyber-attack risk. A sustainable approach to addressing threats posed by growing cyber activity requires a shift to a proactive strategy instead of merely reacting as problems arise.
Cybersecurity as a Governance Issue That Presents a Risk to Investors and Businesses
Cybersecurity, if not managed effectively as part of a comprehensive plan of corporate governance (the “G” of ESG), will present a clear risk to the value of companies within an institutional investor’s portfolio. While many factors contribute to a need for increased cybersecurity, the lockdown of 2020 has dramatically changed how society interacts, does business, communicates, and travels, heightening risks for those who are not as effective at adapting to change. Since the lockdown, business activities have increasingly shifted to digital platforms. Financial institutions are rethinking business strategies and increasing spending on information technology and cloud technology systems that enable employees to work remotely, in order to reduce the spread of the novel coronavirus (COVID-19). As businesses strive to adapt to working remotely, business and investor exposure to cybersecurity risk has increased since the lockdown of 2020.
A study by Deloitte Cyber Intelligence Centre concludes that “there has been a spike in phishing attacks, Malspams and ransomware attacks as attackers are using COVID-19 as bait to impersonate brands thereby misleading employees and customers.” Similarly, the Boston Consulting Group noted that, “financial services firms are 300 times as likely as other companies to be targeted by a cyberattack—and dealing with those attacks and their aftermath carries a higher cost for banks and wealth managers than for any other sector.” Despite the growing need to strengthen information security and cyber resilience, many financial institutions are ill-equipped to respond effectively, thereby raising institutional and non-institutional investors’ concerns.
In June of 2020, the Securities and Exchange Commission (“SEC”) alerted the public about the rise of ransomware attacks on United States financial institutions. According to the SEC, its Office of Compliance Inspections and Examinations (OCIE) observed “an apparent increase in sophistication of ransomware attacks on SEC registrants, which include broker-dealers, investment advisers, and investment companies. The perpetrators behind these attacks typically demand compensation (ransom) to maintain the integrity and/or confidentiality of customer data or for the return of control over registrant systems.”
Furthermore, global institutional investors are also concerned about the growing implications cybersecurity risks pose to their investment portfolios. A 2019 Responsible Investment Survey by RBC Global Asset Management stated that cybersecurity was the number one ESG risk of great concern to investors. Similarly, in an Ernst & Young survey of more than 60 institutional investors with approximately $35 trillion in assets under management, respondents noted that cybersecurity would be the third highest threat to investment portfolios in the next three to five years. Unaddressed cybersecurity risk, or a lack of preparedness for it, poses a huge challenge to businesses and investors.
For instance, in June 2020 Argenta, an Antwerp-based savings bank, experienced its first cyberattack resulting in a shutdown of approximately 143 cash machines. Argenta did not publicize the amount stolen, as it is standard practice for banks and financial institutions to keep the extent of such a crime confidential in order to not erode public confidence in their institution’s security. Similarly, in the early month of July 2020, the Twitter accounts of famous individuals, including Barack Obama, Elon Musk, and Bill Gates, were compromised as part of a bitcoin scam. At the time of the scam, Twitter’s stock fell by 3% as the events exposed a huge security issue within the social media platform.
Cybersecurity as a National Security Issue
Cybersecurity remains one of the significant national security issues affecting government organizations at every level: federal, state, and local. It is in the government’s interest to strengthen its cybersecurity apparatus in order to prevent foreign and homegrown attacks against U.S. businesses and infrastructure. The 2017 National Cyber Strategy (“NCS”) captures a fifteen-year plan to defend the homeland by protecting networks, systems, functions, and data. Before and during the lockdown of 2020, the United States has continued to experience some form of cyber-attack from foreign adversaries, whether it is foreign interference with elections or attacks on state or local government. According to the Department of Homeland Security (“DHS”) report on threat assessment, “Cybercriminals increasingly will target U.S. critical infrastructure to generate profit, whether through ransomware, e-mail impersonation fraud, social engineering, or malware. Underground marketplaces that trade in stolen information and cyber tools will continue to thrive and serve as a resource, even for sophisticated foreign adversaries.”
Lack of preparedness poses a huge challenge for federal, state, and local government critical infrastructure. For instance, in 2019, the city of New Orleans incurred a $1 million cost linked to a ransomware cyberattack. In another example, Baltimore also incurred a loss of approximately 18 million dollars after experiencing a cyberattack. School districts have also been hit hard by increasing cyber-attacks in the wake of the lockdown. A recent cyber-attack on the Miami-Dade County school district’s virtual classes demonstrates how cyber-attacks can have a significant effect on both the government and the learning environment.
What can Businesses and Government do to Address Risk posed by Cyber Insecurity?
Since a lack of preparedness and a lack of resources have been linked to the vulnerability of businesses and government infrastructure to cyber-attacks, one must ask the question: What can business and government do to prevent and mitigate risk exposure to cyber-attack?
Addressing or mitigating the severe impact of cyber insecurity requires a sustainable strategy. Business and government ought to see cyberattacks as invisible warfare that requires a proactive approach, combined with sophisticated due diligence. Business and government can proactively mitigate cyber-attacks by securing hardware, by encrypting and backing up data on a secured server, by investing in cybersecurity insurance, and by testing and strengthening their existing cybersecurity policy.
1. Secure Hardware
Several businesses were caught unaware by the novel coronavirus that shaped the way society interacts. However, businesses that invested in secure, password-protected and physically protected hardware infrastructure were better off.
2. Invest in Cybersecurity Insurance
By investing in cybersecurity insurance, businesses and government agencies can deal with the significant financial costs related to a successful cyber-attack.
3. Encrypt and Back Up Data on a Secured Server
A proactive cyberattack strategy consists of two features: preventing physical access to sensitive data and rendering the data useless if it falls into the wrong hands. Appropriate tools will include the ability to wipe devices remotely. In addition, to the extent that backup data captures an organization’s digital livelihood throughout a day, an organization will be able to return to the period just prior to a data breach in order to avoid the pain of a debilitating ransomware attack.
4. Strengthen Existing Cybersecurity Policy
Businesses and government agencies will benefit from continuously reviewing existing cybersecurity policies and actively updating the procedures for new attack methods. For instance, federal funding and guidance would help state and local governments invest in cybersecurity infrastructure in order to avoid the vicious cycle of ransomware attacks experienced by Baltimore and New Orleans.
Please see the PDF version of this article for citations and important disclosures.