Cybersecurity Archives - Thomson Reuters Institute
https://blogs.thomsonreuters.com/en-us/topic/cybersecurity/
Thomson Reuters Institute is a blog from Thomson Reuters, the intelligence, technology and human expertise you need to find trusted answers.

Is your cyber coverage ready? Cyber insurance uptake is rising, but coverage questions remain
https://www.thomsonreuters.com/en-us/posts/news-and-media/cyber-insurance-coverage/
Wed, 21 Dec 2022

Just because cyber-attacks are no longer all over the news doesn’t mean that they’ve gone away. In fact, the opposite could be true as cyber-attacks have now become an expected part of doing business. Indeed, cyber-attacks against tax & accounting firms have increased 80% between 2014 and 2020, according to the Association of International Certified Professional Accountants (AICPA), while the American Bar Association (ABA) reported in 2021 that 25% of US law firms had been breached at some time.

As those cyber risks have increased, so too has the growth of insurance coverage for cyber incidents. But while cyber insurance has begun to receive more uptake, increasingly stringent standards for coverage as well as confusion about the options available for cyber incidents could leave some companies in the lurch.

According to the 2022 Cyber Readiness Report from insurance provider Hiscox, almost two-thirds (64%) of companies now have cyber insurance as either a standalone insurance policy or as part of another policy. This represents a small rise from 58% two years ago. The highly regulated financial services sector has the highest rate of cyber insurance adoption at 74%, while the construction and travel/leisure industries have the lowest adoption at 53% each.

Crimes of opportunity

Judy Selby, a partner in the insurance practice at law firm Kennedys and a regular speaker on cyber issues, said that she’s beginning to see an improvement of companies’ general cyber awareness that current hacking incidents are largely “crimes of opportunity,” rather than dependent on the industry in which a company operates.

“I think for years, there was a thought process that nobody would be interested in my data, my company’s data,” Selby said. “And if you remember the days of the big retail incidents, the data breaches, I remember companies saying to me personally, well, we don’t have credit cards, so nobody’s going to want our information.”

Now however, she added, “I think the uptake is getting higher now than it used to be. And part of that was this realization that yes, it can happen to us, which is a really big deal. And also recognizing that the exposures come from so many different angles.”

Indeed, the Hiscox survey found a strong correlation between exposure to a breach and a desire for cyber insurance. Of the firms that did not have cyber insurance or did not plan to get it, nearly 80% had not experienced a cyber-attack within the past year. Just over half (51%) of those were also considered “novices” in cyber readiness, according to the Hiscox scale.

Even among those companies that had cyber insurance, however, there remained some stratification between the types of coverages they held. Notably, companies were split roughly down the middle as to whether they held a standalone cyber policy or covered cyber as part of a larger policy. Among companies with 250 or more employees, 35% had a standalone cyber policy in place, and 40% had cyber coverage as part of another policy. At companies with under 250 employees, those figures were 28% and 29%, respectively.

Selby said she is a proponent of standalone coverage, if possible, for a few reasons. First is simply “because the coverage is so comprehensive, you have all this great first-party coverage for dealing with an incident.” Particularly with more sophisticated cyber-attacks, policies that include business interruption coverage, regulatory coverage, and liability coverage are coming into play.

Concerning the latter, Selby noted that many companies are “not technically or financially able to respond to an incident on their own.” When a network is encrypted and the company’s access to it is blocked, for example, even the simplest of questions become complicated: How do we communicate with each other? How do we hire vendors to come in and help us? And even if we wanted to pay a ransom, how would we do that?

“These are things you don’t want to have to learn on your own,” she explained. “And so, the first-party coverage can be a real lifeline to companies to efficiently and effectively manage this incident from [not only] a financial standpoint [and] an operational standpoint, but also from a reputational standpoint.”

Preparing for a cyber incident

Outside help on cyber incidents may be increasingly necessary because overall cyber readiness is falling, the Hiscox survey notes. Respondents’ self-assessment of overall cyber readiness fell by 2.6% overall during the past year, with the number of companies qualifying as “experts” falling from 20% to 4.5%. The survey attributed those decreases to awareness of new vulnerabilities such as the Apache Log4j logging library vulnerability, as well as a continued talent crunch for cybersecurity experts.

That’s why Selby said she tells clients to not only get to know the details of their insurance providers’ coverage options (and subsequent limits on policies), but also what she calls providers’ “cyber squad” team. A typical cyber insurance provider will have a mix of panel firms, forensic analysts, notification vendors, and more that can be a godsend in a pinch, often provided at discounted rates.

This extra value can be important when making a business case for cyber insurance as well, she added, as the insurance has become more expensive and the scrutiny for coverage has gotten more intense. Some security measures, such as multi-factor authentication, are now table stakes for coverage, which could scare off some businesses. However, Selby drew an analogy to property insurance: every provider is going to ask not only about fire incidents that happened in the past, but also about the sprinkler systems and fire exits that could help prevent them in the future.

“It always surprises me when people… complain about having to provide the information,” Selby said. “It’s like, if you don’t understand your own risk, why would you expect another company to say, okay, we’ll insure that for you, we’ll take that risk on your behalf when you don’t know what it is? And then when you say that, they go, oh yeah, that makes sense.”

Ultimately, cyber issues aren’t going away, particularly as the Hiscox survey found the median cost of a cyber-attack nearly doubled in both the United States and the United Kingdom last year. That means cyber insurance will also continue to represent a piece of companies’ risk mitigation profile by necessity.

“The issues that people have with applying for the coverage, that shouldn’t stand in the way,” Selby said. “I think people should proceed and get the coverage, and when you get it, keep it, even if the price has gone up.”


Ahead of the holiday season, healthcare cyberattacks create risk for government-funded programs
https://www.thomsonreuters.com/en-us/posts/investigation-fraud-and-risk/healthcare-cyber-attacks-holidays/
Fri, 09 Dec 2022

Although ransomware attacks on health systems have dominated the news in recent years, recent enforcement actions show how health insurers, including the federal government, can fall victim to schemes that compromise business emails and divert money from intended recipients.

The US Department of Justice (DOJ) announced charges in November against multiple defendants in connection with fraudulent email schemes that targeted Medicare and Medicaid programs, private health insurers, and other victims. The defendants were charged in connection with multiple business email compromise schemes that involved money laundering and wire fraud and resulted in losses of more than $11 million.

Business email compromise schemes are a type of phishing attack that attempts to deceive an entity into transferring funds or disclosing sensitive information.

In these cases, fraudulent emails were sent to public and private health insurance programs that requested future payment be sent to “new bank accounts that did not belong to the hospitals” and instead were sent from “accounts resembling those associated with actual hospitals.” Based on these deceptive emails, five state Medicaid programs, two Medicare administrative contractors, and two private health insurers made payments to the defendants and their co-conspirators instead of the hospitals.

“These defendants defrauded numerous individuals, companies, and federal programs, resulting in millions of dollars in financial losses to vital federal programs meant to provide assistance to those in need,” said US Attorney Ryan K. Buchanan for the Northern District of Georgia in a DOJ statement.

The DOJ detailed some of the charges and allegations against the defendants, as follows:

      • A Columbia, SC man was charged with three counts of money laundering and one count of unlawful procurement of naturalization. He allegedly used a stolen identity to open bank accounts in the name of a shell company in order to receive more than $1.4 million fraudulently diverted from a Medicaid program, a hospital, and others. He also allegedly laundered $583,000 of the proceeds.
      • An Atlanta man was indicted on four charges of money laundering after he allegedly used false identities to open bank accounts in the names of the false identities and shell companies. He received approximately $2.4 million from Medicare and several private companies. He laundered approximately $679,000 of those proceeds.
      • Another individual from Atlanta was charged with three counts of wire fraud, two counts of aggravated identity theft, and six counts of money laundering for using stolen and false identities to open accounts in the names of shell companies. She received nearly $830,000 in proceeds and laundered approximately $535,000 through large cash withdrawals.

Holidays increase risks

Research published last year by cybersecurity firm Darktrace found a “30% increase in the average number of attempted ransomware attacks globally over the holiday season” from 2018 to 2020, compared to monthly averages. Researchers for the firm “also observed a 70% average increase in attempted ransomware attacks in November and December, compared to January and February.”

This increased holiday risk is also true in the healthcare sector. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert for Labor Day 2021 because they had “observed an increase in highly impactful ransomware attacks occurring on holidays and weekends — when offices are normally closed — in the United States.” Attacking on or around holiday weekends “provides a head start for malicious actors conducting network exploitation and follow-on propagation of ransomware” because IT departments are at limited capacity for extended periods.

Because staffing in all departments is often reduced during the holidays, it is important for all employees to be alert for suspicious emails that might include links that would expose the provider or insurer to malware, or that might be an attempt to fraudulently divert payments from the intended recipient.

In fact, the average weekly attacks in the healthcare industry increased 69% in the first half of 2022 compared to 2021, according to a recent report from research firm Check Point, with healthcare providers being among the victims of some of the more serious cyberattacks. In the third quarter, healthcare was the most targeted industry for ransomware attacks with 1-in-42 entities impacted by ransomware, according to Check Point.

For example, a January attack on Broward Health in Florida exposed the medical information of more than 1.3 million individuals to cyber criminals, according to Check Point. In October, a ransomware attack hit CommonSpirit health system, which operates 142 hospitals across 21 US states. The attack blocked access to the system’s electronic health records and disrupted patient care.

Whether it is a business email compromise scheme to divert payments from Medicare and Medicaid or another phishing email that exposes a provider or insurer to a costly malware attack, it is imperative that everyone be alert to cyberthreats, especially as we head into the holiday season.


Practice Innovations: 3 ways to boost your law firm’s cyber-resilience
https://www.thomsonreuters.com/en-us/posts/legal/practice-innovations-boosting-cyber-resilience/
Tue, 25 Oct 2022

Several influential reports — as well as numerous news stories — have shed new light on some of the challenges that law firms face when dealing with cybersecurity threats. With cybersecurity breaches increasing and many firms still operating under a more dispersed workforce with increased technology risks, it is more critical than ever before to build a fully resilient cyber-defense business strategy.

Underprepared for significant business threats

Cyber-incidents are topping the lists of the KPMG 2022 CEO Outlook report and the Allianz Risk Barometer 2022. KPMG’s report highlights the rapid evolution of the cyber environment and details how CEOs recognize that they are underprepared, with 24% admitting so in 2022 compared to only 13% saying the same thing in 2021. In 2022 thus far, ransomware attacks occurred worldwide every 11 seconds (a 20% increase from 2019). Some of these attacks are high-profile breaches.

The Allianz report places “cyber incidents” as the most significant business risk in 2022, outranking more conventional business threats such as business interruption, climate change, and workforce issues. Allianz notes that its respondents say that cyber is not as well understood as some traditional threats; consequently, mitigations are less well-developed.

Right now, there are three steps law firms can take to bolster their existing cyber-risk profiles, including:

1. Enhancing hybrid workforce security

Since the global COVID-19 pandemic in 2020, many firms are still operating under a remote or hybrid workforce situation. The distributed nature of today’s workforces increases a firm’s cybersecurity vulnerability because workers either use their personal computers for work or use their work laptops for some personal tasks. Additionally, third-party apps designed to foster collaboration and increase productivity are increasingly problematic. They could open the door to a cyber-attack because many have limited security tools, their default security options are not optimal, and it can be challenging for IT teams to access an app’s cybersecurity settings.

Do your employees have the right skills to protect against cyber-attacks? One way to educate employees is to conduct cyber-crisis exercises. Best practices suggest this must happen more than once a year. A report in Dark Reading, a widely read cybersecurity news site, provides a benchmark for employee cyber-resiliency: “An analysis of more than 6,400 crisis response decisions shows that technology and financial services companies prepare the most for cyberattacks, running nine and seven exercises per year, respectively.”

2. Strengthening the partner ecosystem

Three-quarters of the CEOs in KPMG’s report say they recognize that protecting their partner ecosystem — the network of suppliers, providers, contractors, and business partners — and supply chain is as important as shoring up their own organization’s cyber-defenses. As companies and their partners increase their mutual connectivity in the name of efficiencies and cost savings, these initiatives also expose vulnerabilities and gaps in systems and processes that cybercriminals can exploit.

What can you do to beef up your partners’ risk profiles? Experts recommend an approach that focuses on three Cs:

        • Tightening contracts and compliance to introduce additional controls and restricted access for third parties;
        • Exploring avenues for collaboration and community to share intelligence and increase knowledge; and
        • Increasing cooperation; because this issue is both global and systemic, it is challenging for a single function (IT) or entity (your firm) to do this alone. Exploring intra-industry, cross-sector, and public-private paths is essential to mitigating future cyber-risks.

3. Staying on top of technology innovations

The nature of cyber-attacks is that they are constantly evolving. While malware, ransomware, phishing, and social engineering attacks are common, newer technologies pose new risks. Security software company Symantec reports that, on average, mobile app stores block 24,000 malicious mobile apps daily, while others have noted that cybercrime is becoming more scalable and, therefore, it is more accessible for bad actors to launch more sophisticated attacks.

Indeed, the increased frequency of attacks is happening as experts are starting to realize the limitations of traditional risk-prevention methods such as standard password authentication, static networking, and trust-based security systems. But technology advancements also provide a way to mitigate this risk. Some of these are the ability to learn and modify behavior based on insights from artificial intelligence, machine learning, and adaptive networks technologies.

Given that October is National Cybersecurity Awareness month in the United States, this might be an excellent time to move beyond awareness and into taking action to better protect your firm and increase its cyber-resiliency.


Practice Innovations: Zero trust — Never trust, always verify
https://www.thomsonreuters.com/en-us/posts/legal/practice-innovations-migrating-zero-trust/
Fri, 21 Oct 2022

How can you best secure your computer systems in today’s world? “Trust no one or anything — and always verify.” This is the basic idea behind zero trust, a new way to look at computer security. Zero trust works on the assumption that your networks are already breached, your computers are already compromised, and all users are potential risks.

Traditional systems security has for years followed the “trust but verify” method, in which once users are logged into a system they are automatically trusted. The emphasis there is on protecting internal systems and information from outside attackers by using firewalls and passwords.

Unfortunately, as technology and attackers have grown more sophisticated, the “trust but verify” method has become harder to maintain and less effective. Organizations have had to change their approaches to systems security in order to accommodate traveling users, users who work from home, users who bring in their own devices, as well as cloud-based software, other repositories, and more. The traditional boundaries of a network perimeter are drastically changing.

With the growth of cloud computing, organizations are very globally connected; and their digital information is stored and used in private and public clouds of data and applications. Conventional boundaries for an organization’s network have expanded and become ever more obscure, opening the potential for cybersecurity problems. Zero trust offers a new way of viewing our computers and information that may make securing them easier.

With zero trust, implicit trust is eliminated, and continuous verification is required. By always assuming that a security breach has likely already occurred, a zero trust system will constantly limit access to only what is needed while continuously looking for malicious activity. Zero trust can reduce an organization’s risk from data breaches, ransomware, and insider threats. While zero trust is clearly more restrictive, it can simplify an organization’s cybersecurity defensive posture and provide a more easily secured system environment to better protect the organization’s data and assets.

In a security breach, trust is a vulnerability that is exploited. By eliminating trust as an issue, an organization’s systems become more secure and data breaches are prevented. However, this lack of trust doesn’t mean you don’t trust your users; instead, it is akin to requiring users to use a key card every time they access a building.

Zero trust recognizes the reality that today’s computer systems are hostile places. Yet zero trust is not a product or an application. It is a set of principles that help you define a cybersecurity strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries.

The first step with zero trust, as with any new method or technology, is to understand how it addresses your organization’s unique business problems. What outcomes do you expect? How does zero trust address your needs? Without understanding your business needs and problems first, any new method or technology will ultimately fail.

Building zero trust

Migrating to a zero trust model can be done gradually, which is a benefit for smaller organizations that cannot afford a large initial investment. According to the US National Institute of Standards and Technology (NIST), many organizations may continue operating their newer zero trust in tandem with their older perimeter-based systems for years. To plan and architect your zero trust network, the following initial steps are suggested:

      • Start by building leadership trust — You need to seek understanding, support, and input from your firm’s leadership. Management support is critical to a successful transition to zero trust.
      • Define your most vulnerable attack surfaces — Start by identifying your biggest risk areas both now and in the foreseeable future, and work to apply initial zero trust initiatives that encompass processes, people, and your existing technology. Moving gradually will keep your firm from becoming overwhelmed with implementing new technology and policies across entire systems.
      • Map how your data flows — Document how your data moves around your devices, applications, and assets. It is essential to understand this data flow. Who is using it? Where is it coming from? To identify which data flows should not be trusted, you need to know which are critical to your firm and should be allowed. This mapping of data flow is the key to making zero trust work.
      • Harden your identity management — Users are the weakest link in any security system. Review your user authentication process and implement multi-factor authentication and tougher password policies to harden your identity management. Also, implement and regularly review login names and make sure they match active users.
      • Assign minimum rights (least privilege) — Review how your systems and data are secured and assign the minimum rights to the minimum number of accounts needed to access data or systems. The default access should be no access.
      • Whom do you trust? — Build a whitelist of who to trust. This includes users, devices, applications, processes, and network traffic.
      • Micro-segment your security — Dividing your security into smaller segments allows you to minimize any damage in case of a breach or compromise of any one area.
      • Define your zero trust policies — After you have architected your new system, write the needed policies to match. Define who, what, when, where, why, and how for every user, device, and network that gains access to your system.
      • Monitoring is critical — As you build your zero trust system, it is critical to have an aggressive monitoring system in place. For zero trust to be effective, you will need to continuously monitor access and look for any area where trust should be revoked and any unwanted access that should be identified.

Zero trust is a journey that will take years to complete. “Never trust, always verify” is a fundamental shift in how we currently think about security, but it is a necessary shift. Security breaches are on the rise, and our old paradigms of security are not working as more devices come online and local networks evolve to cloud networks. Our data is increasingly at risk, and zero trust is a new and more effective way to protect ourselves.


Practice Innovations: Knowledge management strategies in a zero trust model
https://www.thomsonreuters.com/en-us/posts/legal/practice-innovations-knowledge-management-zero-trust/
Tue, 18 Oct 2022

We understand that knowledge management (KM) is the preservation and sharing of what we know, and that what we know is gained through individual experience as well as tacit and implicit knowledge. Therefore, organizations and leadership might infer that the zero trust model and zero trust architecture — a security framework that assumes no traditional network edge and requires all users, even those in-network, to be authenticated and continuously authorized before being granted access — are an impediment to a mature KM culture.

Yet, what is considered an impediment and barrier to KM is often the result of confusing KM with information management (IM).

Instead, KM and IM should be considered more alike in their value systems rather than a competing priority in which an organization must choose between securing information and data versus sharing information and data. In accepting that there are both enablers and barriers to any organizational priority, a strong KM culture includes many of the same enablers that zero trust is tasked with supporting. KM, when it is aligned with zero trust, creates an even stronger KM value in the organization. And zero trust, like KM, succeeds best when working from the position of the four KM enablers: people, process, technology, and governance — as well as a strong organizational policy, which is critical for zero trust.

The successful implementation of KM and zero trust should be:

      • business focused;
      • supported by senior management;
      • embedded with the strategic vision and principles of the organization;
      • focused on higher value knowledge and higher value data;
      • able to demonstrate measurable benefits, such as competitive advantage and process improvement in tandem with risk mitigation and security; and
      • employed as a full organizational change.

Despite the decades-held belief that most security threats are external, it is insider threats that have risen to become a serious cause for concern. Most recently, this is due to the extension of network access across mobile devices, cloud users, and employees working in hybrid or fully remote environments.

Behind the emergence of zero trust is a broad concept that applies to technologies, networks, IT architectures, and security policies. This concept holds that users within a network should be treated as if they could pose a threat. Therefore, enterprise resources and data are to be protected individually and access to these resources should be evaluated and analyzed continuously.

The zero trust future

Zero trust is not a particularly unique approach. IT professionals would consider the principles of this model to be a good housekeeping practice for any healthy secure enterprise. Most IT professionals have long taken great pains to design systems that consider inside risk as dangerous as any other risk. Therefore, zero trust systems have been developed to behave as an integrated platform that contextualizes information based on identity and security that has shifted risk measures from traditional perimeter models (e.g. firewalls) to one that is identity-centric. Through this process, key questions emerge, such as who has access to what information? When do they have access? How much access is given, and what business purpose does their access support?

This identity-centric approach is consistent with KM mapping. KM mapping outlines the business challenge of what we know with strategic goals that can then be supported with KM interventions, such as a knowledge base, intranet, sales wikis, and CRM platforms. Additionally, to be successful, both KM and zero trust require agreed-to measurable outcomes.

This simplified explanation of zero trust in a KM world is consistent with KM values that improve business agility which brings with it the priority of protecting internal data and internal assets.

Strategies to overcome perceived KM barriers brought on by a commitment to zero trust overlay with the implementation of zero trust models. These strategies include:

      • mapping “need to know” information (KM) alongside “need to secure” (zero trust);
      • finding common alignment with strategic goals;
      • outlining business objectives and agility with business security; and
      • agreeing upon measurable benchmarks and outcomes, remembering that i) not all measures are monetary values; ii) not all measures should be targets; and that iii) common solutions can be identified to overcome “imposed” targets.

Much like KM, zero trust is a new mindset that requires sweeping changes to be implemented effectively. On the surface this seems daunting, but after evaluating KM and zero trust, both can be implemented to improve organizational value and effectiveness.


Practice Innovations: The real risk of ransomware in 2022 and beyond
https://www.thomsonreuters.com/en-us/posts/legal/practice-innovations-july22-ransomware-2022/
Thu, 28 Jul 2022

“All data breaches threaten reputation because they imply the firm does not have its act together and does not care about clients’ data security,” says crisis expert Thom Weidlich, Managing Director of PRCG Haggerty, a strategic communications firm specializing in high-level reputation management as well as crisis and litigation communications. “Ransomware adds to that in the sheer embarrassment of being held hostage and having your operations interrupted.”

Ransomware’s first documented attack was relatively rudimentary and delivered via floppy disk containing a malware program in 1989 that told its victims to pay $189 in ransom to a PO Box in Panama. Today ransomware criminals are significantly more sophisticated, thanks to advances in cyber-methods and cryptocurrencies.

The US Secret Service reported a marked growth in crimes involving cryptocurrencies and digital extortion schemes, including ransomware, in 2021. Other reports show that ransomware is fast becoming a tool of choice for far-flung cyber-criminals. Verizon, which has been analyzing data security trends since 2008, finds in its 2022 Data Breach Investigations Report that ransomware has increased almost 13% since last year — a rise as big as the last five years combined — and that ransomware was present in almost 70% of malware breaches last year.

The people problem

Security experts agree that the human element is a crucial driver of this type of digital threat. Verizon’s report puts a number to it, citing that 82% of data security breaches involve human error — most often employees who inadvertently expose systems to data threats.

“Most ransomware attacks are made possible through the vulnerabilities caused by humans (i.e., the employees of the firm). This is why hyper-vigilance about phishing emails is crucial,” explains Jennie Wang VonCannon, a Certified Information Privacy Professional and Partner with Ellis George Cipollone O’Brien Annaguey. “Many times, it is an employee who clicks on an email which contains malware, inadvertently deploying it onto their computer which then infects the entire network. Or someone enters their login information after receiving an email request to do so, thinking it’s legitimate, and just like that, the malicious actors can enter the firm’s network and encrypt the firm’s data and hold the decryption key for ransom.”

Management should educate their personnel about how to spot a scam email and the importance of not clicking on any links or even opening the email, if possible, adds VonCannon. “Depending on the organization’s culture, it may want to conduct regular tests by sending out suspicious-looking emails to keep employees primed to spot a phishing attack.”

Weidlich agrees that many data breaches occur due to employee error, either clicking on a phishing link or through malfeasance, such as stealing data. “It’s crucial to let employees know how important the issue is to the firm,” he says. “Talk to employees, train employees, and view employees as a defense against breaches.”

Depth of your data

A fundamental step in mitigating the harm of a ransomware attack is understanding what data your firm collects and maintains — and the access rights that certain parties have to it.

Trina L. Glass, a shareholder and member of Stark & Stark’s Investment Management & Securities Group, suggests that firms inventory their data to know who has what kind of access. “Prior to implementing controls and procedures to help prevent or mitigate a firm’s risk of a ransomware attack, the firm should first know what data it collects, where the data resides, and who has access to the data,” says Glass, adding that firms also should take steps to reduce copies of sensitive firm and client data.

Indeed, supply chain weaknesses, partners, and vendors pose a unique data risk; and these third-party risks are increasing, according to Verizon’s data risk analysis. Glass says that firms should take appropriate precautions. “Educate and train your employees and third-party vendors on your firm’s information security control procedures,” she explains. “Most ransomware attacks are orchestrated through phishing scams, third-party software vulnerability, and credential stuffing.”

There are several basic IT security measures that firms must take to prevent malware disruptions, including:

        • establishing security practices and policies;
        • ensuring software patches and virus protections are current, and deploying proactive system protection such as firewalls;
        • encrypting information; and
        • installing two-factor authentication.

What to do when an incident occurs

Should a ransomware incident occur, most law firms already will have a crisis playbook in place that would likely trigger the firm’s lock-down protocols. Communication during this period is critical, Glass says, noting that at this point, firms should activate their incident response plan. “Since you’ve taken the time to implement a comprehensive plan, you will know to whom, internally, to immediately escalate the incident and what details to include in your notification,” she says. “The who should also include law enforcement, your insurance carrier, IT vendor, and outside counsel.”

A forensic analysis of how the risk came about will likely occur soon after discovering the incident. This intervention involves understanding what data and systems were compromised and how and when that happened, VonCannon adds. “If the entire network is encrypted and the firm’s computers [are compromised], firms need to think about getting back online as soon as possible using the up-to-date data backups that they have been diligently keeping so that they can continue operating in the event of a ransomware attack. They should also immediately consult with an expert in this field, such as an attorney with cybersecurity and data privacy experience, who can coordinate the firm’s response.”

Weidlich agrees, and advises that there are three defensive measures firms must immediately take should they find themselves on the receiving end of a ransomware or data security incident. Those include: i) hiring a data-incident firm; ii) hiring a crisis-communications firm; and iii) informing legal authorities since every state has unique laws that must be followed.

The big questions: Transparency & the ransom payment

Two decisions that every law firm must make in the aftermath of a ransomware attack have the potential to divide firm management and will need careful consideration on a case-by-case basis.

The first question on which to achieve consensus is whether to disclose the attack publicly or not. Law firms will naturally be conservative around making public statements and want to minimize liability risk; yet Weidlich counsels that it is possible to communicate a breach in a way that respects those views. “Firms should publicly communicate beyond the legal requirements and standard practice,” he says. “The focus should be on rectifying the situation.” He cautions that any communication must be empathic, and firms can achieve this by acknowledging to clients the inconvenience arising from operational disruption and stating if and how the breach will affect clients and other outside stakeholders.

Second, the firm will also need to determine whether to pay the ransom or not.

Glass cautions that, generally, firms should not be quick to pay ransomware requests. “The FBI… does not support paying ransom in response to a ransomware attack,” she says. “Paying a ransom does not always guarantee that you will receive your data back or prevent future attacks.”

Weidlich observes that ransomware attacks present great difficulty concerning how firms respond to them. “Firms must realize that whatever action they take — whether they pay the ransom or not — they will be criticized,” he explains. “If you pay the ransom, you’ll be criticized for encouraging criminals; but if you don’t pay, you’ll be criticized for not caring enough about clients’ data.” To ensure that all sides receive due consideration, the firm must be clear on why it’s taking the action and be just as clear in communicating that, he adds.

Of course, the best defense against potential ransomware threats is a strong offense. Firms can accomplish this through updated policies and protocols that provide clear guidelines to employees and third parties with system access, regular training and testing to shore up their systems against attacks, and an active crisis-management plan that can be validated against known and emerging digital threats.

Ransomware attacks against healthcare organizations nearly doubled in 2021, report says
https://www.thomsonreuters.com/en-us/posts/investigation-fraud-and-risk/ransomware-attacks-against-healthcare/ | Tue, 05 Jul 2022 18:40:22 +0000

Two-thirds (66%) of healthcare organizations were hit by ransomware attacks last year, up from 34% in 2020, according to a new report from cybersecurity firm Sophos. The near-doubling of cyber-incidents demonstrates how attackers have become “considerably more capable at executing the most significant attacks at scale.”

Because healthcare organizations are so heavily dependent on access to data — such as patient records — to maintain their operations, they are a frequent target for ransomware attacks. Even a short delay in access to records can result in negative outcomes for patients.

A full 61% of the healthcare organizations that reported ransomware attacks had their data encrypted during the event, according to the Sophos report, The State of Ransomware in Healthcare 2022. This was slightly better than the 65% encryption rate across all industry sectors worldwide, “indicating that healthcare was better able to stop data encryption in a ransomware attack,” Sophos said, noting that it also is an improvement from the 65% encryption rate in healthcare in 2020.

The report findings are based on an independent “vendor-agnostic” survey of 5,600 information technology professionals in medium-sized organizations, including 381 healthcare respondents across 31 countries.

The report also showed an improvement in the rate of extortion-only attacks, which fell to just 4% in 2021, compared to 7% in 2020. In extortion-only attacks, the data is not encrypted but the healthcare organization is “held to ransom with the threat of exposing data.” The improvement could be because more healthcare organizations have cyber-insurance, “which demands higher cybersecurity defense enhancements.”

The increase in successful ransomware attacks has “affected healthcare more than any other sector,” according to Sophos, which is based in the United Kingdom. Healthcare had the “highest increase in volume of cyber-attacks (69%) as well as the complexity of cyber-attacks (67%)” when compared with cross-sector averages.

Improved ransomware outcomes

Almost all (99%) of healthcare organizations subject to ransomware attacks in 2021 got “some encrypted data back” compared with only 93% in 2020. Within this group, 72% were able to restore encrypted data from backup files; 61% also reported that they “paid the ransom to restore data”; and 33% used other means to restore data. These numbers show that “many healthcare organizations use multiple restoration approaches to maximize speed and efficacy” to restore data and operations. More than half of healthcare organizations (52%) reported using multiple restoration methods, according to Sophos.

Interestingly, 14% of healthcare organizations reported using “three methods in parallel” to restore their data, which was the highest rate across all sectors and double the global average.

However, healthcare organizations that paid the ransom to restore their data got back only 65% of their data, compared with 69% in 2020. Only 2% of those that paid the ransom received all of their data, down from 8% in 2020.

Cost of ransomware attacks

Although healthcare tops the list for volume of payments, it is at the bottom for the amount paid, with the “lowest average ransom payment” of all sectors, around $197,000. Although the amounts paid were lower than in other sectors, the “overall amount of ransom paid by healthcare in 2021” went up by 33% compared to 2020, according to Sophos.

Only three respondents said their organization paid $1 million or more, according to the report. In contrast, 60% of the ransoms paid were less than $50,000. The lower amounts are likely due to the “constrained finances” of healthcare organizations, especially those in the public sector, according to Sophos.

Paying the ransom, however, is not the only cost of a ransomware attack. Ninety-four percent of respondents said the ransomware attack impacted their ability to operate and 90% of private sector healthcare organizations responded that the attack “caused them to lose business or revenue.” In fact, the average cost for a healthcare organization to remediate the impact of a ransomware attack went up to $1.85 million in 2021, compared to $1.27 million in 2020. This was the second-highest average cost across all sectors.

It took 44% of healthcare organizations “up to a week” to recover from a ransomware attack in 2021, and 25% took up to a month to recover. The average time for healthcare organizations to recover was one week.

Use of cyber-insurance

Only 78% of healthcare organizations reported having cyber-insurance against ransomware, with 46% also saying that there are “exclusions or exceptions in their policies.” Additionally, 93% of healthcare organizations with cyber-insurance reported it was getting harder to secure coverage, with 34% saying it was also more expensive. Healthcare organizations also reported that the level of cybersecurity required to qualify for coverage was higher, that policies are more complex, and that fewer companies offer cyber-insurance.

Among healthcare organizations that were hit by ransomware and had ransomware coverage, 97% reported that their policy paid out in the “most significant attack.” More than 80% reported the insurer paid the costs incurred to restore operations; however, only 47% reported that the insurer paid the ransom.

Strategic Corruption: The cybercrime & corruption connection
https://www.thomsonreuters.com/en-us/posts/investigation-fraud-and-risk/strategic-corruption-cybercrime-connection/ | Mon, 23 May 2022 13:51:44 +0000

In the first part of this series, we discussed President Biden’s recent designation of the fight against corruption and kleptocracy as a core national security interest. Now, we look at the increasing threat of the interplay between cybercrime and strategic corruption and ways that US firms can stay proactive in their risk and compliance obligations.

In the first half of 2021, the Financial Crimes Enforcement Network (FinCEN) received 30% more ransomware-related suspicious activity reports than in the entire previous year. In late January 2022, the US Department of Homeland Security warned that Kremlin-backed hackers could soon target critical US infrastructure, such as utility providers and banks. The White House countercorruption strategy notes that the US government will continue assessing how digital assets and cybercrime are supporting corrupt actors, and how corrupt regimes are using ransomware and other illicit cyber activities to further their foreign policy goals.

The efforts to counter the threat will almost certainly include additional designations against digital wallets linked to malign actors and increased cooperation between law enforcement and private-sector entities to identify, track, and recover ransom payments and take down malign actors.

Ransomware operations are dominated by Russian-speaking cyber actors, and Russian intelligence agencies turn a blind eye to, protect, and sometimes support these criminals, as long as they do not target Russian assets and occasionally perform tasks for the government. Possible government tasks include targeting adversaries’ financial institutions and critical infrastructure as a form of hybrid warfare.

FinCEN and other government agencies will play a key role in the battle against ransomware and state-linked cyber actors by issuing advisories and working with law enforcement to recover funds. The US government also will almost certainly focus on mixing services, virtual currency exchanges, and other operations that help malign actors conceal transfers of cybercrime proceeds. The US Treasury has an array of cyber-focused sanctions tools and an expansive executive order targeting Russia’s malign activities at its disposal to mitigate the risk of malicious cyber-attacks linked to state actors.

Staying ahead of the curve

US firms must be forward leaning in their efforts to examine their compliance programs and reassess their risk appetites regarding corruption, particularly with many new sanction designations related to Russia’s invasion of Ukraine, and especially against Russian elites, government officials, and oligarchs. Strategic corruption red flags include jurisdictional risks, lack of transparency, involvement of politically exposed persons (PEPs) in financial transactions, and other indicators.

Russia and China are known for weaponizing corruption to achieve their geopolitical goals, but other countries, such as Turkey and Azerbaijan, also use this strategy. Turkey’s state-owned Halkbank is accused of helping Iran evade US sanctions, and several attorneys with links to the US government were involved in efforts to free a Turkish businessman connected to the sanctions-evasion conspiracy. Azerbaijan and other post-Soviet states like Kazakhstan have co-opted elites, creating kleptocratic networks to further their foreign and domestic policy goals.

Jurisdictions labelled as being of primary money laundering concern by FinCEN under Patriot Act Section 311, such as Iran and North Korea, or greylisted for strategic deficiencies in anti-money laundering and countering the financing of terrorism (AML/CTF) by the intergovernmental Financial Action Task Force (FATF), also tend to weaponize corruption as a tool to further their geostrategic goals.

On December 7, 2021, FinCEN issued a proposed Beneficial Ownership Reporting Rule, soliciting comments from those stakeholders who would be required to file Beneficial Ownership Information (BOI) reports. US firms and financial institutions should be particularly cautious about transacting or working with entities whose ownership and control is hidden behind a web of shell or front companies, as well as those located in jurisdictions with lax transparency requirements that do not require the identification of ultimate beneficial owners.

Although the involvement of a PEP in a business transaction or a company structure does not, in and of itself, indicate the presence of strategic corruption, PEP status warrants additional scrutiny. Enhanced due diligence is particularly important when the PEP is working in vulnerable industries, such as real estate, energy, defense, or IT, or in risky jurisdictions, or has an unexplained amount of wealth.

Companies engaged in these sectors should reassess their risk programs, possibly perform transaction monitoring, track changes in employment for clients — especially those in risky jurisdictions or who raise other red flags. Companies also should keep abreast of possible upcoming regulatory changes mandated by the Corporate Transparency Act, given the Biden administration’s commitment to treating corruption as a national security concern.

Compliance hiring of cybersecurity pros faces squeeze amid new US rules and Russian-threat warnings
https://www.thomsonreuters.com/en-us/posts/investigation-fraud-and-risk/cybersecurity-compliance-hiring/ | Thu, 05 May 2022 15:25:46 +0000

Regulators in the United States have raised cybersecurity to a boardroom priority at financial services firms since Russia invaded Ukraine, posing a challenge for firms’ compliance teams to add the needed expertise in a highly competitive hiring sector. This problem is further intensified because two countries that produce a significant share of the global cyber-talent — Russia and China — have fallen under Western sanctions or “self-sanctions.”

“It’s a blazing hot market, and all the more insane with Russia waging cyber war — but even before that, the demand was there,” says Jack Kelly, CEO of The Compliance Search Group, a recruitment firm for compliance professionals. “It’s a huge, important area and there is a big gap [between] jobs that need to be filled and people available.”

A World Economic Forum study reported that prior to the Ukraine invasion there were more than 3 million unfilled positions globally for cybersecurity professionals — a number that is expected to grow in part due to the exodus of up to 70,000 technical workers now leaving Russia since the war began, the Associated Press has reported. Some of these professionals will eventually manage to work in new locations, but given screening and background check requirements for regulated finance firms, the shortage will continue and firms likely will be paying more to attract talent.

Top-level positions are even more of a challenge, said Kelly. Universities are turning out entry-level candidates to fill some positions but “experience counts most” in cybersecurity, and in the relatively new field it is in scarce supply.

Scrambling to stay ahead of the threat

For years, financial firms have been scrambling to find cyber-specialists to manage a boom in cyber-attacks. More recently, firms have also encountered new challenges to meet cyber-defense requirements of financial regulators. For example, the US Treasury Department tightened its rules on reporting breaches in November, though it struck prescriptive language on governance and cyber-defense management structure for banks, after firms objected.

On the other hand, the US Securities and Exchange Commission has held firm on a proposed rule change that was approved last month that requires investment firms to create designated cyber-defense representatives and written supervisory procedures for handling the task. Indeed, the trend for all financial regulators has been to nudge firms toward elevating their cyber-defense programs to a board-level concern.

“We’re calling on CEOs to bring together the leadership teams and make it a CEO-level priority,” says Jamie Hoxie, an assistant US attorney for cyber-crime in New Jersey. What this means, recruiting experts say, is that firms need to find top-level talent capable of operating at the highest levels of the firm, either as a designated staff cyber-executive or in a capacity as an advisor with clout. The additional layer of oversight will likely add to demand for top-tier cyber professionals.

Cyber-defense is “a quirky area”

Cyber-defense is “a quirky area” that has traditionally been managed by IT senior staff without much involvement by compliance, said Compliance Search Group’s Kelly, adding that compliance teams are looking to add expertise as regulatory requirements increase.

The SEC’s recent cyber-rules require regulated financial firms to report breaches quickly, create programs reasonably designed to protect firms, and, for SEC registrants, have documentation of incidents and the steps registrants have taken to shield data and systems when examiners inspect them. Finance firms have pushed back on the proposed rules as an unnecessary intrusion into an area that banks and brokers have under control.

The finance industry’s cyber-defenses have been effective in observing heightened “Shields Up” protection alerts in the first months of the Russian invasion, according to a recent report from cybersecurity firm BlueVoyant. Across all sectors, “cyber-attacks to date are mostly contained within the geographical borders of the conflict area” surrounding Ukraine and Russia, the report notes. The SEC also issued a risk alert for compliance teams to have controls in place to prepare for potential market risk.

The finance sector is the “most well prepared” after spending billions of dollars on cybersecurity and dedicating thousands of staffers to protect their networks, says Austin Berglas, BlueVoyant’s global head of professional services. Nevertheless, the threat remains of a cyber-event that could cripple some firms, he adds. “The sector is seeing a constant barrage of attacks on a daily basis,” explains Berglas, a former FBI special agent in cyber-defense. “Finance sees it all, and malicious actors are constantly scanning for vulnerabilities.”

US officials worry that some of those attacks could breach security at an important firm, especially during the Ukraine war, and have seen the need to regulate the finance industry’s cyber-defense capabilities to a higher standard and to push firms to hire top professionals who will have clout inside their firms.

Assistant US attorney Hoxie said the DOJ wants cybersecurity to be “a CEO-level priority both in the level of security on their network” and in “baking in security in the way tech is built — rather than today, when it often occurs by bolting it on or making it the responsibility of the user to configure technology.”

So, it remains likely that financial firms will struggle with scarce talent and the need for background checks that have become increasingly difficult in some countries, most notably China, which turns out nearly four times as many information- and computer-science graduates from its universities compared with US institutions. With new regulations and persistent cyber-attacks outpacing qualified candidates, the hiring gap continues to widen — and for small firms, it may be more efficient to outsource the job to companies like his, Berglas says.

“Compliance officers, especially at small firms, see only a very narrow view of the world,” he adds. “That takes a lot of cyber professionals for firms, and there are just not enough of them to go around.”

Ideas & Reality: Protecting your organization’s IT systems, networks & infrastructure in a real-world way
https://www.thomsonreuters.com/en-us/posts/legal/protecting-organizations-it-systems-networks/ | Tue, 03 May 2022 15:12:05 +0000

Today, law firms and companies are subject to an array of cybersecurity risks, some predictable and some not, which can sharply impact their value, reputation, and functionality. In some cases, cyber-attacks can threaten the Information Technology (IT) infrastructure of an organization with an outright collapse.

Strengthening cybersecurity is difficult, and advanced technologies such as the internet of things and the metaverse will inevitably make things worse. Indeed, a world in which more objects are computerized and digitized is a world with more targets for cyber-criminals. Even more concerning is the unpredictability of cyber-attacks that can trigger cascading network and system failures that are well beyond existing cybersecurity policies or strategies. Not surprisingly then, the Securities and Exchange Commission proposed in March rules for companies to periodically disclose their cybersecurity risk management policies and strategy.

However, as T.S. Eliot wrote, “Between the idea and the reality falls the shadow.” In other words, the gap between theory and practice can be wide.

Law firms and companies do not lack strategies or ideas for strengthening their cybersecurity policies; however, many lack practical guidance on how to effectively implement these policies and put them into practice. Strengthening cybersecurity standards extends beyond installing firewalls. Indeed, one of the most effective countermeasures with which to avert cyber-threats is to implement robust strategies, procedures, and standards that can protect an organization’s critical IT infrastructure while aligning with its business objectives or operational mission.

Creating a resilient cybersecurity framework

As cyber-attacks have become more sophisticated, the need to create a resilient cybersecurity framework has grown. Indeed, according to the UK’s Cyber Security Breaches Survey 2022, 39% of UK businesses said they were victims of cyber-attacks within the past 12 months.

Faced with this picture, it is natural to worry most about the range of risks caused by cyber-attacks. Yet, despite these worries, these risks can be managed. In this sense, a law firm or company must broaden its cybersecurity strategy by implementing effective countermeasures in order to create a resilient cybersecurity framework. This involves a thorough analysis of the critical components of an organization’s virtual ecosystem as well as identifying what could happen if any of the critical components failed or became compromised.

A law firm or company also should consider and identify the critical components of its overall computing environment and consider how each component interacts with the others. The aim is to ensure that it can identify the weakest link in its current computing environment framework by locating a weak component at an early stage and building an effective response to manage and mitigate potential attacks on its overall digital infrastructure.

Once a weak component is located and identified, it is paramount to assess which cybersecurity policies and strategies need to be implemented in order to strengthen the weak component and achieve an overall secure computing environment framework. Equally important, organizations should establish which of their professionals is responsible for paying attention to the operation and security of the organization’s essential components — and this demands a top-down management approach. Senior managers and decision-makers should understand the driving force behind the development of an enhanced cybersecurity framework and establish a strong information security program that aligns with the organization’s business objectives.


One such measure would be for the organization to create a cybersecurity strategy that captures the conditions that are required for creating a cyber resilient environment. Demonstrating strength in some of the following areas is one way of creating effective countermeasures:

      • Establishing well-defined processes and recovery plans to ensure the ability to fully recover and restore IT systems with minimal outage times.
      • Training employees on how they can perform their work responsibilities in a way that is able to preserve the confidentiality and integrity of sensitive data as well as encouraging employees to enhance security through vigilance and collaboration.
      • Ensuring that IT systems and networks are up-to-date and able to keep pace with ever-evolving cybersecurity threats.

Further, implementing the type of cybersecurity standards defined by the International Organization for Standardization can also be an effective tool with which to protect an organization’s IT systems and sensitive data and mitigate the risks of cyber-attacks. For example, one such standard can form a blueprint for organizations to implement the necessary procedures, policies, and framework to manage a law firm’s or a company’s information security, cybersecurity, and privacy protection; another allows organizations to protect their storage, processing, and transmission of cardholder data. In fact, that standard specifies 12 operational and technical requirements that can help organizations prevent credit card fraud and maintain a secure environment for their customers.

In today’s increasingly interconnected world, where people, goods, and services move across borders, it is paramount that organizations respond to cyber-threats in a timely and effective fashion in order to protect their most critical components and to contain, prevent, and shield their most important data from being attacked, stolen, or compromised. In order to best protect their IT systems, networks, and infrastructure, law firms and companies must define, develop, and implement robust cybersecurity strategies and procedures that can achieve the right balance between concern and action.
