Cyber risk quantification – how to navigate the landscape


By Mia Wallace

Having supported organisations through more than 5,000 cyber incidents globally, the Clyde & Co team is under no illusions about the complexity involved in navigating a heavily interconnected and fast-evolving cyber risk landscape. Highlighting some of the cyber trends they are seeing affect the global law firm’s broad roster of clients, Clyde & Co partners Helen Bourne and Rosehana Amin emphasised the range of solutions and partnerships required to mitigate their impact.

Bourne noted that, particularly given how the external trading environment is squeezing businesses’ resources, few organisations have the bandwidth or the internal structures to deal with a major outage by themselves.

Clyde & Co’s proposition has been developed with the breadth and depth of the cyber risk facing global companies in mind, Bourne said, and is built around three pillars: readiness, response and recovery. Underpinning all three is the pervasive need to work with high-quality, like-minded strategic partners, she said; for Clyde & Co, that means partners who can offer real-time advice and insights.

“For example,” she said, “as soon as the MOVEit vulnerability was identified back at the end of May, we first heard about it through our strategic partners, who briefed us on everything they knew about it. Because we’re technical specialists, though, we do have a high degree of knowledge around cyber risk, so we can understand the legal implications arising from an incident.

“Because MOVEit was essentially a supply chain breach, that meant there was a gradual evolution of knowledge around the risk. Those who knew that they used the software were fine, but there were others in the supply chain who didn’t know that the suppliers of their suppliers used MOVEit software, and therefore that they might have a notification obligation they didn’t even know about.”

Working with the right partners meant the team was prepared to support its clients before the first MOVEit breach was even identified, she said, an especially critical value-add given the time-sensitive nature of cyber incidents.

Amin also emphasised the advantage of clients having access to 24/7/365 support. Whether they are a multinational balancing the compliance and regulatory standards of multiple jurisdictions in the event of a breach, or a company with a million customers who potentially need to be notified, she said, the fundamental need is the same.

Supply chain challenges

Supply chain challenges are certainly a key theme for the market at the moment, Bourne said. Challenging as they are, incidents such as the MOVEit and Accellion data breaches serve as timely reminders of the material impact these events can have and of the vulnerabilities inherent in software.

“There is a reliance on software in the supply chain and software will also carry with it vulnerabilities,” she said. “Supply chain issues like MOVEit allow people to focus on the risk and map it out more effectively. I think people are genuinely now talking about mapping their entire supply chain, and understanding those single points of failure and where their real vulnerabilities are.”
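The supply chain mapping Bourne describes, as an added example that is not from the article or from Clyde & Co: a small Python script over a constructed supplier graph that answers the two questions raised above, which organisations are exposed (and at how many hops, i.e. third party, fourth party and beyond) when one supplier is known to run a given product, and which suppliers are concentration points for the most organisations. All names such as doc_transfer_ltd and moveit_transfer are made-up sample data.

```python
"""
Transitive supplier exposure mapping (added example, constructed data).

Given who relies on whom (organisation -> direct suppliers) and which
suppliers operate a given piece of software, find every organisation that is
exposed to that software, how many hops away the exposure sits, and which
suppliers are single points of failure for the largest number of organisations.
"""
from collections import deque

# Constructed sample supply chain: each key relies on the suppliers listed.
SUPPLIERS = {
    "acme_insurance": ["payroll_co", "claims_saas"],
    "claims_saas": ["doc_transfer_ltd", "cloud_host"],
    "payroll_co": ["doc_transfer_ltd"],
    "beta_bank": ["cloud_host"],
    "gamma_health": ["claims_saas"],
    "doc_transfer_ltd": [],
    "cloud_host": [],
}

# Constructed: software each supplier is known to operate (hypothetical names).
SOFTWARE = {
    "doc_transfer_ltd": {"moveit_transfer"},
    "cloud_host": {"nginx"},
    "claims_saas": {"postgres"},
}


def dependents_of(suppliers):
    """Invert the graph: supplier -> set of organisations relying on it directly."""
    inv = {}
    for org, deps in suppliers.items():
        inv.setdefault(org, set())          # make sure every node appears
        for dep in deps:
            inv.setdefault(dep, set()).add(org)
    return inv


def exposure(suppliers, software, component):
    """Return {org: hops} for every organisation that transitively depends on a
    supplier running `component`. hops=0: the org runs it itself; hops=1: a
    direct supplier does; hops=2: a supplier's supplier does, and so on.
    Breadth-first search gives the shortest hop count and terminates on cycles."""
    inv = dependents_of(suppliers)
    seeds = [s for s, sw in software.items() if component in sw]
    dist = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        cur = queue.popleft()
        for org in inv.get(cur, ()):
            if org not in dist:
                dist[org] = dist[cur] + 1
                queue.append(org)
    return dist


def single_points_of_failure(suppliers):
    """Rank suppliers by how many distinct organisations reach them, directly
    or transitively. A high count marks a concentration risk: one outage or
    breach there propagates to every organisation counted."""
    inv = dependents_of(suppliers)
    counts = {}
    for node in inv:
        seen, stack = set(), list(inv[node])
        while stack:
            org = stack.pop()
            if org not in seen:
                seen.add(org)
                stack.extend(inv.get(org, ()))
        counts[node] = len(seen)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for org, hops in sorted(exposure(SUPPLIERS, SOFTWARE, "moveit_transfer").items()):
        print(f"{org}: exposed at {hops} hop(s)")
    print(single_points_of_failure(SUPPLIERS))
```

In the sample data, beta_bank never appears in the exposure list because none of its suppliers, at any depth, run the product, while acme_insurance and gamma_health are exposed two hops out without ever contracting with doc_transfer_ltd directly, which is exactly the "supplier of my supplier" situation the notification question turns on. The same inverted graph also shows that cloud_host and doc_transfer_ltd each sit upstream of four organisations, so an incident at either is the concentration risk to plan for.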

Cyber’s “usual suspects”

In addition to the recent focus on supply chain vulnerabilities, market conversations still touch on the “usual suspects” of cyber risk, including phishing. A lack of cyber hygiene continues to drive a material proportion of cyber incidents, she said, because human error remains a critical risk that is all but impossible to eradicate.

The team has also seen increasing sophistication in phishing attacks, which makes them even harder to mitigate, and Bourne expects AI to compound this threat. Human error is inevitable to a large degree, Amin said, but what organisations can control is the risk management structures they put in place to reduce its frequency and impact.

Another key area of consideration, Amin said, is sector-based cyber risk. The transport industry is among those being increasingly targeted, with threats to the marine and aviation sectors having very significant implications for supply chain systems. Clyde & Co’s close contact with multiple law enforcement authorities has also revealed that education and professional services are particular targets at the moment.

“What’s important to note,” she said, “is that you might be very small, you might not be a multinational with thousands of data points, but if you deal with enough sensitive data – like those in the healthcare sector or the tech space do – then that makes you particularly vulnerable to certain aspects of cyber risk. And I think it’s important to acknowledge sector-based risks, not just because they’ve become a target but also because the consequential response to them varies so greatly.

“There’s not just one way to respond to these incidents. The compliance and reporting obligations arising from these incidents vary depending on the sector, because you’re dealing with different industry bodies, expectations and customer bases. So it’s important for businesses to be appropriately risk managed and to have adequate insurance – and a real understanding of what their obligations will be for each specific sector and jurisdiction.”
