Saying Goodbye to Cyber Threats of 2022 and Looking Forward to a More Secure 2023 with Five Recommended Cybersecurity New Year’s Resolutions

As we close out 2022, the threat of cyberattacks continues to soar along with the costs of data breaches, leading the Chief Executive of Zurich, one of Europe’s biggest insurance companies, to conclude on December 26, 2022, that cyberattacks are becoming “uninsurable.” Over the last year, data breaches resulted in the unauthorized disclosure of billions of records of personal information. Companies are increasingly faced with the prospect of significant civil and even criminal liability based upon how they handle a data breach. With new cybersecurity and data privacy regulations going into effect in 2023, this issue is no longer one confined to the IT department. As cyberthreats continue to rise, cyber insurance will likely become harder to obtain in the future, and policies will carry more exclusions. In August 2022, Lloyd’s of London, the world’s largest insurance and reinsurance market, announced that beginning in March 2023, state-backed cyberattacks would be excluded from its standalone cyber insurance policies. The risk of a cyberattack is one of the most important concerns of organizations of all sizes.

Cybercrime and cybersecurity compliance have become the Department of Justice’s (DOJ) top priorities. In October 2021, DOJ announced the Civil Cyber-Fraud Initiative, which was designed to impose harsh financial consequences for lax cybersecurity and encourage the timely reporting of cybersecurity incidents using the False Claims Act. In October 2022, a jury convicted Joseph Sullivan, Uber’s former Chief Security Officer, of obstructing justice by failing to report a new data breach of Uber while it was being investigated by the Federal Trade Commission (FTC) for a prior one. This was the first time a corporate officer was held criminally liable for actions related to a data breach, but it will not be the last.

Numerous class action lawsuits alleging data privacy violations were filed in 2022, including more than 50 alleging that companies used Meta Pixel, Facebook’s tracking tool, to monitor user activities on their websites and shared this data with Meta without user consent. On December 22, 2022, Meta agreed to pay $725 million to resolve a class-action lawsuit accusing Facebook of allowing third parties, including Cambridge Analytica, to access users’ personal information. 2022 also saw an increase in penalties imposed by federal and state data privacy enforcement agencies and state attorneys general for violating children’s privacy laws, sharing information about consumers’ online activity with third parties, and lax cybersecurity. Epic Games paid $275 million to settle FTC allegations that it violated the Children’s Online Privacy Protection Act, and the FTC fined Twitter $150 million for using account security data for targeted advertising in violation of a 2011 consent decree. The California Attorney General fined beauty retailer Sephora $1.2 million for violating California’s Consumer Protection Act by sharing information about consumers’ online activity on its website with third parties without proper disclosure and user consent. New York’s Department of Financial Services has imposed multi-million-dollar fines against several companies for failing to comply with New York’s Cybersecurity Regulations and implement reasonable cybersecurity measures, including EyeMed Vision Care LLC, Robinhood Crypto LLC, and Carnival Corporation.

Based upon publicly available statistics and data, at least 50% of companies suffered a cyberattack over the last year. It is not a matter of if a cyberattack on your network will occur, but when. Ransomware remains one of the most feared types of cyberattack. While the number of ransomware attacks seemed to decline in the United States during the first quarter of 2022, coinciding with Russia’s war against Ukraine and increased cyberwarfare operations directed at Russian and Ukrainian targets, we saw a surge in ransomware attacks as the year progressed. For instance, on December 2, 2022, Rackspace, one of the largest cloud and email hosting providers in the United States, suffered a ransomware attack that forced it to shut down its hosted Microsoft Exchange service, disrupting the business operations of thousands of small businesses that could not access their email.

Ransomware attacks have grown more sophisticated and aggressive, incorporating a significant number of new ransomware variants. Cybercrime has become increasingly lucrative, and Ransomware-as-a-Service (RaaS) is extremely popular on the dark web. Ransomware gangs’ high-pressure tactics employ double extortion. After gaining access to a network, typically using compromised credentials or unpatched vulnerabilities, ransomware attackers move across the network looking for the most valuable data (often containing personally identifiable information or proprietary information), exfiltrate that data, and encrypt the compromised network using ransomware, a type of malware. The attackers then demand an exorbitant ransom for the decryption key so the victim can access its files, and they threaten to post or sell the stolen data, exerting additional pressure to pay. In addition to publicly shaming organizations that refuse to pay, in 2023 a failure to pay cybercriminals will likely result in the corruption or deletion of data on the victim’s network. Cybercriminals are changing their extortion techniques because companies are increasingly able to recover their own data from backups and therefore no longer need to pay ransoms.

According to IBM’s 2022 Cost of Data Breach Report, the average total cost of a data breach is $4.35 million, the cost of a ransomware attack (not including the cost of the ransom itself) is $4.54 million, and the most common cause of a data breach is the use of stolen or compromised credentials. Significantly, the costs of data breaches are the highest in the healthcare and financial industries. The average healthcare breach costs a whopping $10.10 million. Further, a healthcare data breach not only endangers the financial security of the affected organization, but also poses a serious threat to public safety.

Top 5 Cybersecurity and Data Privacy New Year’s Resolutions

Faced with all of these increasing threats, take action now to invest in good cyber hygiene to protect your organization from liability in 2023. This could also help your prospects of obtaining cyber insurance next year, which experts predict will continue to become more difficult. Here are five recommendations designed to mitigate your organization’s cybersecurity risks:

#1 – Implement a Cyber Incident Response Plan

  • The first 48 hours after discovering that cyberactors have infiltrated your network are critical to securing the network, minimizing the damage, obtaining and preserving evidence, and complying with the organization’s contractual and legal obligations. Companies that have a cyber incident response plan (CIRP) save on average $2.66 million in responding to a data breach. Yet more than a third of organizations do not have a CIRP. That number is even higher among small to mid-sized companies: fewer than 50% of those companies have a CIRP, and 51% of small businesses have no cybersecurity practices in place.
  • A CIRP will be necessary to comply with new federal requirements. While many organizations in the defense industrial base already have requirements to report cybersecurity incidents to the government — specifically, the Department of Defense Cyber Crime Center — within 72 hours pursuant to DFARS Clause 252.204-7012, several new federal requirements will go into effect beginning in 2023. In 2023, the U.S. Securities and Exchange Commission is expected to announce final cybersecurity rules. The proposed rules announced in March 2022 required, among other things, that public companies disclose “material” cybersecurity incidents within four business days. Under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), by 2024, companies falling within 16 broadly defined critical infrastructure sectors will be required to report cybersecurity incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and any ransom payment within 24 hours.

#2 – Implement Essential Cybersecurity and Data Minimization Measures

  • Adopt a Zero Trust Network Access framework and Endpoint Detection and Threat Response (EDR) tools. Most companies have firewalls and antivirus software, but many lack EDR, which is crucial to preventing a cyberattack. EDR is used to detect and investigate threats on a network’s endpoints and to respond to those threats. It is also imperative that your organization employ multi-factor authentication (or, even better, passwordless authentication) throughout your network.
  • Incorporate data minimization procedures into your company policies to minimize the amount of personally identifiable information (PII) and customer proprietary information maintained on your network. Don’t keep unnecessary customer, student, or employee records. Take steps to destroy records containing PII when they are no longer needed.
  • To limit your cyber exposure and ensure data privacy compliance, it is critical to maintain an inventory so you know what data your company keeps and where. This is known as data mapping. After a cyberattack, entities often do not have a data map, which makes it difficult to know what data the hackers may have compromised. If your company doesn’t have data controls or an inventory, it is unlikely that necessary steps have been taken to protect any sensitive data.
  • Encrypt any PII wherever it is located on your network. If unauthorized persons obtain access to your network, encryption of the PII avoids the need for breach notifications, because state privacy laws define a data breach as the unauthorized disclosure of unencrypted personal information.

#3 – Ensure Your Company Is Performing Security Patching and Critical Vulnerability Updates in a Timely Fashion

  • Unpatched vulnerabilities are one of the primary means by which cyberattacks occur. It is essential that organizations have an effective vulnerability and patch management process.
  • The devastation caused by failing to promptly perform security updates is illustrated by the September 2022 ransomware attack on New York’s Suffolk County that has thus far cost more than $5 million to fix. The attackers gained access to the County Clerk’s Office by exploiting an unpatched vulnerability in the Log4j open-source software. This vulnerability existed on the network for more than seven months after U.S. officials advised organizations to address this critical vulnerability. Suffolk County also failed to perform necessary security upgrades and heed governmental security warnings.

#4 – Understand Your Supply Chain and Ensure Third Parties Are Not Violating the Privacy Rights of Your Customers

  • Third-party service providers and software solutions have become a common target of nation state threat actors. As detailed in the 2022 Microsoft Digital Defense Report, nation state threat actors will likely continue “to exploit trusted relationships in enterprise supply chains, emphasizing the importance of comprehensive enforcement of authentication rules, diligent patching, and account configuration for remote access infrastructure, and frequent audits of partner relationships to verify authenticity.”
  • Federal agencies and state data privacy enforcement agencies are closely scrutinizing any personally identifiable information that is shared with third parties. It is imperative that companies enter into agreements with service providers or technology tracking vendors to ensure they are properly safeguarding any consumer data.

#5 – Institute Regular Cybersecurity Awareness Employee Training

  • Cybersecurity is everyone’s responsibility. Employees can act as a human firewall if provided regular, periodic cybersecurity awareness training. This is critical as 95% of all data breaches occur as a result of human error. Phishing emails and text messages are the preferred attack method of cybercriminals to obtain credentials to access private networks. Stolen credentials are responsible for over 80% of today’s data breaches.
  • Cybercriminals will find the weakest link. On December 21, 2022, the FBI warned of a new cybercrime scam: cybercriminals are using search engine advertisements to impersonate websites for the purpose of misdirecting users to sites that distribute ransomware or steal login credentials and financial information. See the Internet Crime Complaint Center (IC3) alert, “Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users.”

Conclusion

As the last few years have demonstrated, it is not a matter of if your company will experience a cyberattack, but when. Many companies have even experienced multiple data breaches in a single year. Even more frightening, cyber threat actors often remain undetected on corporate networks for weeks (and occasionally months) exfiltrating confidential and proprietary data before being detected or making their presence known by demanding a ransom and encrypting the corporate victim’s data. By taking these steps your organization can reduce the likelihood of a cyberattack, mitigate the scope of the attack if one does occur, and limit its criminal and civil liability for any data breach.