Daily

Analysis of the day’s most important stories at the intersection of cyber and financial risk with implications for companies (Organizations), policy and macro-economic challenges (Economics)

Organizations: Tesco does need to look beyond just digital sales as part of its Digital Transformation; Home Depot and Ferguson help show the way

Following Tesco’s recent quarterly results, FT Alphaville makes the case for evolution not revolution in the British retail giant’s battle for revenue and margin growth. As the traditional bricks-and-mortar retailer battles much smaller digitally native competition like Ocado, some investors are warning the company to not fixate too much on driving more digital sales as the way forward.

Organizations: Public more willing than ever to move their business following cyber breaches. C-Suites ignore this at their peril.

A KPMG survey reveals that 90% of Canadians are ‘leery’ of sharing their personal data with an organization that has suffered a cyberattack or data breach, and 84% would consider moving their business to a competitor following a breach. A quarter of respondents report having had their login credentials stolen from a trusted site that experienced a breach, and 38% are not confident that their personal information can be kept safe.

Organizations: Zero Trust Model is not something that will generate accolades from shareholders, but the absence of a robust security approach increases the likelihood of damaging financial losses

Microsoft recently announced a Zero Trust Deployment Center as an offshoot of its Zero Trust Security Model. This center is intended to provide support to customers wrestling with the myriad challenges that have arisen from the accelerated digital transformations of the past several months.

Organizations: For a company that embraces simplicity, Robinhood and its customers get a reminder that security isn’t so simple

Login credentials for customers of online brokerages are for sale on the dark web and have led to a spate of accounts being drained of funds. Affected customers of Robinhood complain that the company has been slow to react to complaints that unauthorized transactions are taking place and note that the company cannot be contacted by phone. The difficulty reaching the company has frustrated users who are attempting to regain control of their accounts.

Organizations: CMA CGM breach and rising threats facing maritime sector highlight need for more risk disclosure

CMA CGM announced online services are now functional again, two weeks after the world’s fourth largest shipper suffered a ransomware attack that paralyzed web-based services and prompted a shutdown of parts of the internal corporate network.

Economics: Rising claims threaten to stall cyber insurance market growth as underwriters struggle to price risk

While the cyber insurance market has been growing rapidly with estimated annual premiums of more than $5B, structural issues may slow or stall growth in the near term if losses begin to exceed premiums. Around 50 companies are reported to have cyber insurance in excess of $500m, and to collectively pay an estimated $250m in premiums. Approximately 200 companies are reported to have cyber insurance policies covering between $200m and $499m, and collectively pay an estimated $900m in premiums.

Economics: Flaws in Azure are a reminder of the downside risks of digitization. Only some companies are well positioned to manage them.

Two security flaws in Microsoft’s Azure App Services could have been exploited by a hacker, including to take over the administration server, according to a new report by Intezer. The flaws were reported to Microsoft in June and subsequently addressed by the company.

Organizations: Companies underreporting ransomware attacks means investors need outside tools and analysis to assess likelihood of breach and potential financial impact

The Europol ‘Internet Organized Crime Threat Assessment (IOCTA) 2020’ report calls ransomware the most dominant cyber threat facing organizations. It points out that many victims are reluctant to report attacks because they want to avoid reputational damage, which makes it difficult for authorities to measure the scale of the threat accurately and to identify, investigate and respond effectively to breaches. Europol also highlights the significant vulnerabilities that attacks on third-party service providers pose to supply chains, and notes that these companies feel under particular pressure to avoid operational disruptions that would ripple across their customer network.

Economics: Acceleration of OT/IT integration results in significant increase in cyber threat. Companies that manage it well will outperform. Those that don’t, won’t.

A recent survey from Claroty, a global leader in operational technology (OT) security, sums up the current situation with the continued merging of OT and IT: “Legacy OT devices—never designed for Internet connectivity—are now connected, the attack surface has expanded, and opportunistic adversaries are stepping up attacks. It’s become extremely clear that security is a foundational component of digital transformation.” Two statistics from the survey of IT and OT security professionals at large enterprises, released this week, stand out. (1) Greater convergence of OT/IT since pandemic: 67% believe OT and IT have become more connected since the pandemic. (2) Not a question of ‘if’ but ‘how much’: 51.27% of respondents indicated their OT and IT are completely interconnected versus 2.55% that indicated ‘not at all/siloed’.

Organizations: Most cyber attacks can be prevented or minimized through improvements in the most basic cyber hygiene

Microsoft’s ‘Digital Defense Report September 2020’, some of which we discussed last week, provides many insights into the state of cybersecurity which Cyberhedge will continue to highlight in the coming weeks. One key finding: most breaches are successful due to poor basic cyber hygiene within the organization.

Organizations: World’s fourth largest shipper hit by ransomware attack. Financial pain will likely be felt for months to come

French shipping giant CMA CGM, the world’s fourth largest shipping company, announced it was hit by a ransomware attack on September 28th. The attack reportedly paralyzed much of its global IT infrastructure. Although the company has indicated that operations have not been adversely impacted, as of today the company’s e-commerce website is still not fully operational.

Organizations: Half-trillion-dollar cosmetics industry upended by digital, cyber risks are growing and investors should be asking the right questions

Technology and the COVID‑19 pandemic are combining to rapidly transform the beauty industry. Artificial Intelligence (AI) and Augmented Reality (AR) allow a degree of personalization that is helping offset the loss of in-person product sampling that has long been a cornerstone of the cosmetics industry. Imaging and analysis technologies can detect issues such as skin oiliness, wrinkles and dark spots in a way that previously could only be done face to face.

Economics: Basic cyber hygiene is a key culprit in corporate breaches. Time for C-suites to look first at ‘people and process’, not the next ‘Next-Gen tool’

The lack of basic security hygiene is a key reason companies (and governments) continue to experience breaches, according to the annual Microsoft Digital Defense Report. In practical terms, “over 70% of human-operated ransomware attacks in the past year originated with Remote Desktop Protocol (RDP) brute force.” In other words, most ransomware attacks conducted by people (rather than machines) are targeting technology that is essential in this work-from-home era.

Organizations: Employees want remote work to become permanent, requiring fundamental changes to enterprise cyber security

A Tessian survey of 250 IT leaders and 2,000 working professionals in the US and UK conducted in August revealed that 1/3 of employees will not consider working for a company that does not offer remote working, and only 11% replied that they want to work exclusively in an office post-pandemic. 75% of IT leaders agree that permanent remote or ‘hybrid’ work will become the norm post-pandemic, and 85% report that this will increase pressure on their and their team’s abilities to secure IT systems.

Organizations: In wake of ransomware attack on billion-dollar eyewear giant Luxottica investors should ask the right questions

Billion-dollar eyewear giant EssilorLuxottica (EL) has reportedly suffered a ransomware attack that led to the shutdown of operations in Italy and China last week. It appears to have disrupted web-based commerce sites like Ray-Ban and LensCrafters.

Organizations: Large amount of publicly exposed Personal Identifying Information of Corporate executives makes phishing attacks more effective

A cyber risk security assessment of Fortune 100 Company executives conducted by PiiQ Media found a significant amount of exposed Personal Identifying Information (PII) including email, relationship and password information on social media platforms. This information gives attackers valuable intelligence that they can use to craft sophisticated spear phishing attacks, which account for more than 80% of reported breach incidents.

Organizations: Airlines are heavily exposed to the revenues—and risks—of their credit card affiliation programs

Credit card affiliations at airline loyalty programs provide a significant revenue contribution to the airlines and have grown sharply during the COVID‑19 disruptions. Delta Air Lines received $4.1B in 2019 (approx. 9% of Group revenue) from its co-branded credit card program with American Express, up from $1.7B in 2012. Revenue from this program has been relatively stable in 1H20 (down only 5% from 1H19) as consumer spending using Delta-branded AmEx cards has been uncorrelated with the collapse in air travel. Because this credit card related revenue held stable while airline ticket sales collapsed, credit card affiliation revenue was well over 50% of Group revenue in 2Q20. United Airlines’ recent disclosures reveal that its credit card loyalty program is also a significant source of revenue.

Economics: On the release of new ESG metrics: Dollar-based metrics, not just standardized reporting, key to industry’s further evolution

The Big Four released a set of metrics today for companies to use for environmental, social and governance reporting internationally. It includes 21 core and 34 expanded metrics and disclosures ranging from climate change and nature loss to dignity and equality.

Economics: The ‘true cost’ of ransomware is far greater and longer lasting than investors realize

With the continued growth of ransomware in 2020, we revisit a ransomware article from Sentinel One. The piece outlines 6 key ways ransomware inflicts economic pain on companies, pointing out that the payment is often the headline but not the full cost: The payment; Indirect costs: costs of business interruption associated with a ransomware attack; Reputational loss; Liability: clients impacted by attacks seek compensation from breached company; Collateral damage; Data loss.

Economics: Possible to know in advance what retail companies will be market leaders and laggards on the basis of digital transformation

As retail has been disrupted nearly as much as any sector in the wake of COVID‑19, there are some clear lessons learned on how the landscape has dramatically shifted. Companies that were executing well on digital strategies have outperformed while those that weren’t have not only underperformed but many are no longer in business.

Organizations: Shift in focus from ‘efficiency’ to ‘resiliency’—in part due to cybersecurity concerns—will impact corporate Capex and Opex decisions

The US Department of Energy is expected to release detailed proposals by the end of September limiting the use of foreign equipment in the US power grid. These follow a May 1, 2020 Executive Order by President Trump ordering a ban on the use of utility infrastructure manufactured by ‘foreign adversaries’ due to the risk they pose to the power grid’s cybersecurity. Complying with the order will be complex due to the current reliance on foreign suppliers as well as global supply chains which stretch across many countries. In addition, vendor lists for utilities often number in the hundreds or even thousands and ensuring each one is in compliance will be a time consuming—and expensive—task.

Organizations: Kroger story illustrates how investing in Digital Transformation isn’t enough, outperformers do it better

Despite investing hundreds of millions of dollars in the years leading up to the pandemic, a WSJ piece posits that the largest grocer in America still wasn’t prepared to fully capitalize on the dramatic digital shift as well as some competitors. Despite investments in things ranging from remote fulfillment centers to self-driving robot delivery, Kroger wasn’t able to meet the spike in online grocery demands from customers.

Organizations: CEOs rated as ‘Leaders’ in cybersecurity are rightly most worried about malware but should focus more on better managing existing security stack

A pre-COVID-19 global survey of CEOs and CISOs conducted by WSJ Intelligence found large differences in focus, strategy and planning between more cybersecurity focused executives—labeled ‘Leaders’—and those less focused on cyber. ‘Leaders’ are much more likely to report (88%) that cybersecurity is the top priority risk factor facing the organization. 76% of the ‘Leaders’ review and update their cybersecurity strategy on an ongoing basis, compared with only 46% of other executives. Unsurprisingly, 82% of these ‘Leaders’ report that their BoDs recognize that ‘Cybersecurity is critical and are fully engaged with it as part of a key business strategy’. This is compared to only 39% of the ‘non-Leaders’ who say the same about their BoD. And 88% of ‘Leaders’ report deriving excellent value from cybersecurity spending. Another critical difference is that the highest concern of ‘non-Leader’ CEOs and CISOs over the next 3-5 years is identity theft, while ‘Leaders’ are far more concerned with malware-type breaches like ransomware.

Organizations: Breach of major data center provider poses financial risk not just to Equinix, but to any company that relies on it to power their own business

$67bn data center giant Equinix was hit by a ransomware attack last week, the latest example of the vulnerabilities facing critical digital infrastructure in 2020. Per a company statement on 13 September: “At this time, our investigation is centered on information related to our internal business. The incident continues to have no impact on our customers’ operations or the data on their equipment at Equinix.”

Organizations: Most important issue for cyber insurance industry today is not the rise in ransomware incidents, it’s something more fundamental

Cybersecurity insurer Coalition’s 1H20 Cyber Insurance Claims Report details a dramatic increase in the cost of cyber breaches in 2020, driven by a big increase in the costs of Ransomware attacks. Coalition reports that Ransomware claims were on average 2.5x as costly as other breaches, and that the average ransom demand increased by 100% in 1Q20 from 2019, and another 47% from Q1 to Q2 2020 to an average $338,669.

Economy: New vulnerabilities in critical infrastructure a byproduct of merging of IT and OT

Researchers have found 6 critical vulnerabilities in a third-party provider to leading industrial control systems (ICS) providers including Rockwell Automation and Siemens.

Organizations: Fortune 100 executive compensation rarely linked to cybersecurity performance. Problematic — but not surprising.

For the third consecutive year, EY analyzed cybersecurity-related disclosures by companies by examining proxy statements and 10-K filings. This year’s study of 76 Fortune 100 companies over the time period from 2018 through May 31, 2010 found modest increases in disclosures — most significantly in the area of BoD oversight — but a continued lack of disclosures related to cyber-readiness simulations and the use of independent third-party advisors. Only 7% of companies disclose engaging in cyber-readiness simulations, and only 16% disclosed using external independent advisors.

Organizations: Vast majority of CEOs will be personally liable for breaches by 2024: Gartner

A new Gartner survey finds that CEOs will be increasingly personally responsible for breaches due to what it refers to as the growing “Cyber-Physical System (CPS)” attacks anticipated by 2024. This refers to the risks emerging from the fast merging of operational technology (OT) and IT.

Organizations: Bitglass report details ‘Insider Threat’ cyber breach vector facing enterprises

Cloud security organization Bitglass released the 2020 Insider Threat Report, a survey of IT and security professionals about the challenges facing organizations from this ‘inside’ vector.

Economy: Cloud Computing: “A fancy name for someone else’s computer”

A newly released report on cloud security from the Carnegie Endowment for International Peace includes some notable findings on the technology now underpinning how companies operate. By 2020, the overall cloud services market is expected to be $266.4 billion, a 17 percent increase compared to 2019 (Gartner). In reference to a number of breach cases impacting market leaders like Azure, AWS and Google Cloud, “cloud security thus far is a series of potential catastrophes narrowly averted”.

Economy: SonicWall study: Ransomware attacks increased 20% globally, 109% in the US in 1H2020

A cyber threat report by network security company SonicWall that analyzed threat intelligence data from 1.1m sensors in 215 countries found that ransomware attacks increased by 20% globally in 1H2020 over 1H2019 (121.4m attack events) and by 109% in the US (79.9m attacks). Malware attacks fell by 24% over the same time period. Phishing scams based around COVID-19 themes and exploits targeting the remote work environment were a notable feature. For example, there was a 176% increase in malware attacks disguised as Microsoft Office files, and a 50% increase in IoT malware attacks, as attackers used these ‘smart home’ devices as a vector to penetrate corporate networks.

Organizations: Questions investors should be asking after Tesla’s recent cyber incident: What would the financial impact have been if it was successful, and how well positioned is the company to minimize the risk?

A Tesla employee prevented an alleged ransomware attack on the company earlier this month, according to an unsealed criminal complaint from the FBI. According to the complaint, the alleged criminal, Egor Igorevich Kriuchkov, attempted to recruit the Tesla employee outside Reno where the “Gigafactory” manufacturing facility is located. CEO Elon Musk referred to the attack as “serious” on Twitter.

Organizations: New Zealand Stock Exchange cyber disruption enters fourth day

The New Zealand stock exchange (NZX) halted trading operations for the final hour of trading on Tuesday, and then most of the trading day Wednesday, Thursday and again Friday morning due to distributed denial of service (DDoS) attacks which ‘impacted network connectivity’. The exchange reported that the attacks came ‘from offshore via its network service provider’, and it is unclear when trading operations will return to normal. An alert had been issued last November by New Zealand based cybersecurity firm CertNZ that financial firms had received emails threatening them with DDoS attacks if they did not pay a ransom.

Economy: Microsoft: Cyber resilience is fundamental to business operations

A recent Microsoft survey of business leaders from India, Germany, the UK and US provided a picture of how corporates anticipate the pandemic could impact cyber security over the long term. While a majority of leaders (58%) are increasing security budgets, with some of the largest increases on a regional basis seen in the US and Germany, 81% felt pressure to reduce overall security costs. The additional spend is being put towards additional security staff first and foremost, and increased outsourcing. There is also clear evidence of a shift in the security mentality of organizations as 94% of respondents indicated they are accelerating adoption of ‘Zero Trust’ — the security concept and architecture that dictates that anything inside or outside a corporate IT network cannot be trusted and must be verified.

Organizations: Pearson CEO hiring process focused on successful experience with digital transformation

Publisher Pearson announced that Andy Bird, the former head of Walt Disney’s international business, will be its new CEO. Pearson has been struggling with the transition from the shrinking traditional media and textbook market to the new era of digital products and services, and its share price has fallen by more than half during the 7-year tenure of outgoing CEO John Fallon. In its hiring process, Pearson specifically focused on finding a candidate with strong digital transformation credentials, in addition to the ability to lead the company’s shift from B2B to B2C. Pearson Chairman Sidney Taurel highlighted Mr. Bird’s advocacy and experience moving Disney to streaming—a successful digital transformation which is driving Disney today—as a key reason for this choice.

Economics: CFA Institute survey reveals most investment managers recognize ‘Governance’ impact on share price, but few incorporate this into their analysis

A study by the CFA Institute examining the integration of ESG issues into investment portfolios found that while investors believe that ESG impacts share prices, only 19% of equity analysts ‘often or always’ include material ESG issues into their analysis, while a further 52% ‘sometimes’ do.

Organizations: Ransomware attacks on Brown-Forman and Carnival will hit their financials in coming months

US wines and spirits company Brown-Forman suffered a ransomware attack this week. Though unconfirmed, the attack is believed to be the work of REvil, a criminal enterprise which is also responsible for the Travelex attack that sent that company into administration. Per a company statement, “our quick actions upon discovering the attack prevented our systems from being encrypted.”

Organizations: ‘A cyberattack doesn’t have to sink your stock price’ — Harvard Business Review

The Harvard Business Review study of research into the impact of data breach incidents on stock prices highlights ‘two key pieces of advice: 1) Lead with what you did right to prepare for this eventuality, and 2) then pivot to how you’re going to improve even more.’ They conclude that these measures limit the damage to the breached company’s stock price.

Organizations: Companies with business aligned security leaders have significantly greater visibility into cyber risk

A Forrester report of mid-to-large size companies taken in April 2020 illustrates that C-suites continue to grapple with cyber security, both the threat environment as well as how to properly measure and align their cyber security strategies with business risk.

Economics: Shift needed to solving difficult issues impacting fast-digitizing industrial sector, rather than just finding and fixing security vulnerabilities

A new report from Trend Micro concludes based on years of analysis that fundamental design flaws have created serious cyber vulnerabilities in many widely used industrial products.

Organizations: AT&T Survey finds half of large European businesses plan to change their technology partners in the next year

A survey by AT&T of 800 cybersecurity professionals in the UK, France and Germany (ostensibly about how the pandemic is affecting corporates’ cybersecurity posture) indicated that 48% of large businesses (more than 5,000 employees) will change their technology partners in the next year.

Organizations: Keurig Dr Pepper and Target both examples of what good digital transformation looks like

Two recent pieces on consumer goods companies—Keurig Dr Pepper and Target—outline how digital transformation is changing the way they operate and seek to expand margins and make profit.

Organizations: Studies show that Cloud misconfigurations and employee error are the greatest security threats

Studies by Verizon and IT security providers Accurics and Orca all argue that Cloud misconfigurations are the greatest threat to organizations, with Accurics finding that misconfigurations exist in 93% of the cloud deployments that it analyzed. Orca found that greater than 80% of organizations ‘have at least one public-facing workload running on an unsupported operating system or one that hasn’t been patched for at least 180 days’, which was a key factor in the 2017 Equifax breach. Orca also found that 25% of the companies it studied did not use multi-factor authentication to protect cloud accounts with root or super administrative access.

Organizations: Report makes the case that when it comes to the financial impact of ransomware, remediation is critical

Rubrik, a leading data center backup and recovery provider, recently released a report analyzing the best approaches to managing the financial cost of ransomware. It contends that one reason the financial cost of operational disruptions is so high is because most of the focus and resources are placed on prevention rather than recovery. The report claims that a ‘belt and braces’ approach—one that ensures back-ups cannot also be easily compromised when core IT infrastructure is impacted—helps limit data loss and operational damage. Yet in 23% of cases, backup data was affected prior to the ransomware attack being identified. 30% of those who had experienced a ransomware attack said that it took days to recover.

Organizations: Boohoo highlights shortcomings with ESG products’ reliance on self-reported data

UK fast fashion retailer Boohoo saw its share price fall by 1/3 following allegations that workers in its UK supply chain were being paid 3.50 GBP per hour. The Financial Times notes that 20 ‘sustainable funds’ hold Boohoo shares, and that it was recently the largest holding in the Aberdeen Standard Investment employment opportunities fund, ‘which invests in companies with good employment opportunities and practices’.

Organizations: Levi’s is accelerating digital transformation in face of declining revenues

Following a reported 62% drop in revenue in Q2, Levi’s is outlining the steps it is taking to accelerate its own digital transformation amid COVID‑19. Steps include investing in online sales growth and direct-to-consumer sales in addition to scaling down physical store growth from the planned 100 this year to 70. CEO Chip Bergh’s comments during the company’s recent earnings call captured this strategy well.

Economics: Security deserves more focus within dual-track approach to digital transformation

92% of business leaders say digital transformation requires a dual-track approach, according to a report released Wednesday from Harvard Business Review Analytical Services and Quick Base. The primary goals of digital transformation include: 1. Increased productivity/efficiency; 2. Enhancing customer satisfaction; 3. Increased revenues/profitability.

Organizations: Garmin confirms that a ransomware attack was responsible for service disruption

Garmin confirmed yesterday that a cyberattack that caused widespread disruptions over the past 5 days across its IT network — to website functions, customer support, company communications and customer facing applications — was a ransomware attack. Services are starting to be restored, but questions remain about the extent of the penetration into Garmin’s network, and how the attack was resolved. Garmin is due to report 2Q20 earnings tomorrow (Wednesday, July 29).

Policy: Despite progress of GDPR, digital transformation still lacks a regulatory pillar

Now into the third year of GDPR, questions are being asked about what change it has brought about. This article notes there have been around 340 GDPR fines totaling approximately $180 million over the last two years. However, two of the largest fines amounting to a combined $350 million are still to be confirmed in the coming weeks — British Airways ($229mn) and Marriott ($123mn).

Organizations: Role of the psychology of human error in cyber breaches suggests more tailored approach to training required

The ‘Psychology of Human Error’ report by Tessian aims to help companies better train employees to prevent mistakes from happening before they turn into breaches.

Organizations: As retail bankruptcies continue, a look at how well or poorly companies are executing digital transformation strategies can tell investors who might be next

In the words of one commentator, COVID‑19 has been the final blow for several retailers that were considered ‘the walking wounded’ prior to the pandemic. The two dozen Chapter 11 filings this year have exceeded 2019’s total and show no signs of slowing down as the disruption and uncertainty continues into the second half of the year.

Organizations: IBM Cloud revenues surge 30% amidst overall company revenue decline of 5.4% in 2Q20

IBM 2Q 2020 earnings are a tale of two business models. Revenue from its cloud-related businesses surged 30% to $6.3b, while overall group revenue declined 5.4% to $18.12b. 2Q net income was $1.36b. Services and Consulting businesses were weak spots as client companies look for cost savings and postpone spending in the wake of COVID‑19, with CFO Kavanaugh noting that “many clients continued to delay projects, defer purchases, and favor opex over capex spending.”

Organizations: 2-Star Twitter was on downward slide in Cyberhedge ratings in the months prior to the breach

Coverage of last week’s Twitter hack has now shifted towards longstanding security concerns, including internal controls and employee access issues. The company is now under scrutiny from several directions, including the FTC, Congress and the FBI.

Economics: SEC issues warning on increasing ransomware threat to financial services firms

The SEC’s Office of Compliance Inspections and Examinations (OCIE) warned of a recent increase in the sophistication of ransomware targeting financial service providers. The OCIE issued guidance on tactics and techniques organizations can use to guard against these attacks, broken down into six key areas: Incident response and resiliency policies, procedures and plans; Operational resiliency; Awareness and training programs; Vulnerability scanning and patch management; Access management; Perimeter security.


Organizations: Operational disruption risks on the rise for industrial companies, putting a further premium on strong cyber governance

The Honeywell USB Threat Report 2020 called attention to the rising threat facing industrial control systems (operational technology) amid the continued digitization of industrial processes. According to the report, “as the second most prevalent attack vector into industrial control and automation systems, USB devices continue to play an important role in these types of targeted attacks.”


Organizations: IBM reports that companies still poorly prepared to respond to cyber breaches despite increased awareness of risks

IBM and Ponemon Institute’s fifth annual Cyber Resilient Organization Report surveyed more than 3,400 IT and security professionals globally and found that companies’ ability to contain cyber attacks has declined by 13% over the past several years, due to deficiencies in planning and preparing breach ‘playbooks’, as well as having IT security systems that are too complex.


Organizations: Latest Citrix patches another reminder of operational risks facing companies today

Citrix has issued patches for 11 CVE-listed security vulnerabilities in its various networking products. This is the third in a series of ‘must patch’ vulnerabilities in recent months for Citrix, and it comes on the heels of a public breach the company announced in March of 2019.


Organizations: Most ESG Indices outperforming non-ESG peers in 2020

The Financial Times reports that over the first 4 months of 2020, the S&P 500 ESG Index outperformed the normal index by 0.6%, and the MSCI Emerging Markets ESG Index and Asia-focused Asia ESG leaders index outperformed their parent indices by 0.5% and 3.83% respectively. BlackRock also reports outperformance by most ESG indices globally over their non-ESG peers.


Organizations: Lack of ransomware disclosures by companies is only part of the problem

Many companies that experience ransomware attacks do not disclose details of the breach to affected parties. IT media company Bleeping Computer reports being contacted by employees of breached companies who are seeking information about the event while their C-suites remain tight-lipped.


Organizations: DXC Technology breach the latest example of how cyber governance of a service provider can create financial risks for clients

DXC Technology, an already struggling IT services provider, was hit by a ransomware attack that has paralyzed part of its business. According to the company, the part of its business impacted was Xchanging, “primarily an insurance managed services business that operates on a standalone basis.” As of July 5th, DXC indicated it was confident the damage was confined to this part of the business.


Organizations: Three years after the NotPetya attacks, many companies still unprepared to respond to a ransomware attack

Research by data recovery specialist Ontrack of 484 organizations reveals that 39% either do not have a ransomware strategy, or are unaware if they have one, and 29% report they would not be able to access any working backups after an attack.


Organizations: Palo Alto vulnerability highlights importance of technology management

US Cyber Command is warning companies to immediately implement a critical patch for a potentially devastating security vulnerability in a number of Palo Alto Networks products. Affected products include its firewall and VPN application, in wider use since the onset of work from home in March. According to the alert, the vulnerability is related to the company’s implementation of Security Assertion Markup Language (SAML). If exploited under certain conditions, it could allow a hacker to gain administrator-level access to a corporate network without requiring the administrator’s login information.


Organizations: Thales survey finds company Boards much more willing to invest in IT security, but insecure access to IT networks still a big problem

The Thales 2020 Access Management Index Survey of 300 IT security professionals in the US and Brazil found a huge shift in how ‘easy’ or ‘difficult’ it is for IT departments to sell company Boards on the need for increased IT security resources. In last year’s survey, 44% reported that this was an ‘easy’ sell, while 33% reported it was ‘difficult’. This year, 65% report that it is an ‘easy’ sell, while only 16% report that it is ‘difficult’. 20% report that it is ‘Neither easy nor difficult’.


Economics: Swiss Re calls for more transparency on cyber risk

Swiss Re, the world’s second largest reinsurer, has called for companies to release ‘cyber resilience’ reports, saying there needs to be more transparency into how prepared they are to defend against attacks. The company indicates that in the wake of COVID‑19, there will be greater pressure on companies to demonstrate how resilient they are in the face of increasing risks.


Organizations: IBM survey of remote workers shows companies slow to respond to new challenges

The IBM Security Work from Home survey of more than 2,000 newly remote employees in the US reveals unpreparedness for remote work, and also provides a picture of companies slow to implement new training in response to this increased threat environment.


Policy: Two years on, GDPR shortcomings are apparent but strong regulation is still needed

GDPR, billed as landmark regulation two years ago when it was first passed, has placed an undue burden on small and medium-sized businesses, while some rules have proven difficult to implement according to an official report released today. Although there were nearly 800 administrative fines imposed between May 2018 and November 2019, the only significant fine levied against a large technology company (and by far the largest) was the €50m fine against Google in France in 2019.


Organizations: Hiscox Cyber Readiness report reveals companies increasing cyber spend in response to increasing threats

Insurer Hiscox’s Cyber Readiness Report 2020 surveyed 5,569 cyber security professionals from the US, UK, Belgium, France, Germany, the Netherlands, Spain and Ireland.


Organizations: Cognizant hit by attack that raises future risks both for itself and its clients

Cognizant, one of the world’s largest IT outsourcing companies, disclosed this spring that cybercriminals “exfiltrated” data related to employees’ corporate credit cards among other personal data including Social Security numbers, tax IDs, financial account information, and driver’s license and passport details.


Policy: Solarium Commission correct to draw parallels between the pandemic and significant cyber attack

The US Cyberspace Solarium Commission’s recently released white paper, Cybersecurity Lessons from the Pandemic, draws parallels between the disruptions of the pandemic and the disruptions the US would experience during a significant cyber attack.


Organizations: Accelerated by COVID‑19, L’Oreal’s digital shift helped stem sales losses and positions company well for future if it can effectively secure online assets

L’Oreal, the largest cosmetics company in the world, has seen a huge increase in digital engagement and online sales during the COVID-19 shutdowns, and expects these trends to stick and even increase in the coming years. Echoing other companies that have seen a similar acceleration due to the pandemic on their digital initiatives, Chief Digital Officer Lubomira Rochet remarked: “In ecommerce, we achieved in eight weeks what it would have otherwise taken us three years to do.”


Organizations: Ransomware attack on Lion shows how technology governance matters more today than ever for every company, even a brewer

Australia and New Zealand’s largest drinks manufacturer, Lion, was hit by a ransomware attack on June 9th. As of Monday June 15th, systems were still ‘partially down’. Per Lion: “Our investigations have shown that a partial IT system outage at Lion is a result of a ransomware attack. In response, we immediately shut down key systems as a precaution. We have made good progress, however there is still some way to go before we can resume our normal manufacturing operations and customer service.”


Organizations: Zara owner Inditex to close 1,200 stores as part of its digital transformation strategy

Zara owner Inditex reported that it will permanently close 16% of its global outlets (1,200 stores) by the end of 2021 and shift towards a strategy more focused on online sales. This trend of increasing online sales was already growing pre-COVID‑19, but has accelerated due to the pandemic. Inditex’s online sales increased 95% in April, and the company estimates that online sales will account for more than 25% of total sales by 2022, up from 14% in 2019. Inditex will spend 1b euros on digital investments over the next three years to support its online sales efforts. Most of the store closures will take place in Europe and Asia.


Organizations: Ransomware hits cyber governance underperformer Honda at an already difficult time

A ransomware attack disrupted Honda’s global operations on Monday, and is suspected to have penetrated the company’s corporate network. This comes at a time when Honda was just getting operations back to fuller capacity after the COVID-19-driven complete suspension at major facilities, and while it is struggling with a drop in auto and motorcycle sales in every major market. Honda staff were advised not to access their work computers on Monday, and to take paid leave on Tuesday if possible.


Organizations: Survey: 94 percent of corporate IT teams are confident of their ability to secure their remote workforce, despite poor cyber hygiene by employees

An April survey commissioned by CyberArk of 3,000 remote office workers and IT professionals in the United States, UK, France and Germany found that 77 percent of remote employees are using unmanaged, insecure devices to access corporate systems, and 29 percent are letting other household members use their corporate devices for personal activities such as gaming, shopping and schoolwork. 40 percent of IT teams have not increased security protocols despite the massive transition to remote work, yet 94 percent of these IT teams are confident that they can secure their new remote workforce.


Policy: “Now is the time to expedite digital transformation”—ECB President Lagarde

ECB President Christine Lagarde’s comments to the Committee on Economic and Monetary Affairs of the European Parliament positioned digital transformation as an important priority for Europe’s economic recovery effort. Lagarde: “Another key dimension is the digital transformation. Here, the recent lockdowns have accelerated the adoption of digital technologies on a broader basis. Now is the time to expedite the digital transformation on a more permanent basis and bring the EU to the frontier of the digital economy.”


Organizations: Manufacturers digitizing at a faster pace as Kaspersky warns of targeted attacks on industrial systems

Industrial companies are greatly increasing their use of data management tools both as a response to Covid-19 workforce reduction issues, and due to the productivity improvements good data monitoring, analysis and control can provide. Annual spending on these tools is forecast to increase from $5b/year today to $20b/year by 2026. Meanwhile, Kaspersky detailed a series of attacks in Japan, Italy, Germany and the UK which targeted suppliers of equipment and software for industrial companies.


Policy: EU overhauling data and cyber rules

The EU is planning to unveil the Digital Services Act at the end of the year, a major piece of legislation to overhaul rules surrounding data and digital services. The EU has invited interested parties to submit comments by September 8, and the European Commission is targeting a December deadline for the draft law.


Organizations: Norges breach

The Norwegian Investment Fund, the world’s largest sovereign wealth fund with over $1 trillion in assets, was the victim of a months-long cyber breach that resulted in a reported $10mn in losses. According to Norges, the breach was the result of a business email compromise.


Policy, Organizations: SEC Chairman Jay Clayton warns of risks of improper use of ‘imprecise’ ESG ratings

Chairman Clayton warned that combining environmental, social and governance metrics into a single ESG rating is an imprecise way of rating companies, and that asset managers should think carefully about how they use these metrics. There are 307 ‘Sustainable funds’ in the US with $119.3 billion assets under management as of the end of March 2020.


Organizations: Macy’s $1.1 billion bond sale a reminder of financial constraints

Macy’s announced a $1.1 billion bond sale to help shore up the struggling retailer’s balance sheet as it navigates the COVID‑19 shutdown. The fresh injection of capital is needed to pay down short-term debt maturing in January 2021 and fund operations in the immediate term.


Organizations: McAfee reports 630 percent increase in external attacks on Cloud based services

Data from 30m McAfee MVISION Cloud users worldwide between January and April 2020 show external attacks by hackers on companies’ cloud-based systems have increased 630 percent following the mass migration to work from home. Overall enterprise use of cloud services has increased by 50 percent over the same time period. Use of Cisco Webex has increased 600 percent, Zoom by 350 percent, Microsoft Teams by 300 percent and Slack by 200 percent. Attacks by ‘insider threat’ categories (i.e., employees working from home) have remained the same, indicating that employees do not ‘attempt to steal more data because they are working from home’.


Organizations: HTZ the latest example of the COVID‑19 acceleration of outperformers and underperformers. One difference maker? Digital technology.

A WSJ article chronicled how HTZ was struggling long before COVID‑19, including reference to its belated digital shift relative to peers and repeated missteps with regard to its digital strategy. This reportedly included adverse impacts on fleet management while it cycled through four CEOs in less than 10 years.


Organizations: Survey quantifies willingness of customers to move their business following ransomware attacks

A survey of 2,000 consumers in North America, UK, France and Germany reported that 37 percent will switch to a competitor company if systems are not back online within 24 hours of an operational disruption caused by a ransomware attack, and 66 percent will turn to a competitor if systems are not restored within 3 days. 59 percent would ‘likely avoid doing business with an organization that had experienced a cyberattack in the past year’, and more than 80 percent reported sharing their negative ransomware-related experience with family, friends and colleagues.


Organizations: EasyJet breach a one-off or evidence of a larger problem? The answer will tell investors how well or poorly the carrier is positioned to weather the COVID‑19 crisis

British low-cost carrier EasyJet (EZJ) disclosed a customer data breach that the company says impacted 9 million customers. A majority of the data stolen was reportedly email and physical addresses, but a smaller percentage of customers reportedly had credit card details stolen. EZJ first became aware of the breach in January.


Organizations, Policy: UK survey reports 51 percent of companies spend at least 40 percent of their IT security budget on compliance

Companies are struggling with increasing compliance burdens that are taking up significant portions of corporate IT budgets and time. 51 percent of respondents report that compliance requirements take up 20,000 hours of resources annually. In addition, 58 percent of companies report that compliance requirements are a barrier to entering new markets. 70 percent say they must manage at least five different compliance projects at any given time, while 7 percent work on 50 or more projects at any given time.


Economics: The failures of J. Crew and Neiman Marcus highlight the importance of applying a Cy-Fi lens in today’s market

A New York Times story explains how the fall of two retail giants, J. Crew and Neiman Marcus, stemmed not only from the pandemic but also from the involvement of private equity firms and the financial over-engineering they deployed. The longstanding weaknesses of some traditional bricks-and-mortar retailers, which include belated or poorly executed digital strategies, are also directly related to an inability to make big investments due to being overleveraged. These weaknesses were further exposed by the pandemic, resulting in the recent bankruptcy filings.


Organizations: Vulnerability in Cloud server infrastructure software SaltStack infects servers, leaving them vulnerable to breach

Vulnerabilities in SaltStack software were used as a vector to infect cloud servers with malware or other exploits, with over 6,000 master servers reportedly infected and directly exposed to the internet according to the company, allowing them to be breached. The vulnerabilities were discovered about two weeks ago, and several networks have already reported that they have been breached and had cryptocurrency mining malware deployed onto their servers. More damaging attacks such as data theft and ransomware are possible. A patch is now available for the vulnerability.


Organizations: Pitney Bowes latest ransomware breach further evidence of persistently poor cyber governance

Pitney Bowes Inc. (PBI) experienced a second ransomware attack in seven months on May 4th. The ransomware gang Maze claimed to have breached and encrypted the company’s network. The incident was confirmed by PBI in a statement: “Recently, we detected a security incident related to a ransomware attack. We are investigating the scope of the attack, specifically the type of data that had been accessed, which appears to be limited.” PBI is working with its security partner IBM Iris to complete forensic analysis on the attack.


Economics: Some companies slow spend on digital transformation but larger trend is still clear

Citing a recent report by market research firm Canalys, the WSJ depicts a mixed picture on market-wide digital transformation prospects. Though Microsoft’s year-on-year enterprise cloud growth grabbed headlines, also included in results was the company’s admission that multi-year licensing deals were slow to complete in the final weeks of the quarter, just as the COVID‑19-induced slowdown was taking hold. Some analysts see a positive long-term trend towards digital being brought forward by the pandemic. Others see a short-term slowdown in IT spend, longer-term licensing commitments, and investment in cloud initiatives such as further AI adoption as companies scramble to cut costs.


Organizations: Survey reveals significant deterioration in corporate cyber governance amidst transition to COVID‑19 remote work

A survey by Barracuda of over 1,000 business decision makers in the UK, US, France and Germany reveals significant cyber security deterioration from the recent sudden shift to remote working. 51 percent have seen an increase in email phishing attacks, 51 percent say their workforce is not proficient or properly trained in the cyber risks associated with remote working, 46 percent are not confident that their web applications are secure, 50 percent allow employees to use personal email addresses and personal devices to conduct company work, and 49 percent fully expect to see a data breach or cybersecurity incident in the next month due to remote working. Despite this clear increase in the threat surface, 40 percent of the companies have cut their cybersecurity budgets as part of COVID‑19 cost saving measures.


Organizations: French flooring company Tarkett reports cyber breach

Tarkett reports that a cyber attack ‘has affected part of its operations since April 29 despite the IT security measures implemented by the group’, and that it has shut down its IT systems and implemented ‘necessary preventive measures to protect its operations as well as the data of its employees, customers and partners.’


Economics: Virus-related impacts testing cyber insurance market: Fitch

Fitch expects COVID‑19 related economic impacts to test the growing cyber insurance market due to risks around cloud-related breaches and other operational disruptions that could result in capital constraints and impact ratings.


Economics: “Two years’ worth of digital transformation in two months”

“We’ve seen two years’ worth of digital transformation in two months. From remote teamwork and learning, to sales and customer service, to critical cloud infrastructure and security—we are working alongside customers every day to help them adapt and stay open for business in a world of remote everything,” said Satya Nadella, chief executive officer of Microsoft on the announcement of strong Q3 results today.


Organizations: Less than four months after cyber breach, Travelex puts itself up for sale

Travelex announced that it is seeking offers and that interested parties should contact PricewaterhouseCoopers. Travelex’s business was severely impacted by its December 2019 cyber breach, which put the company in a very difficult financial position even before COVID‑19 disruptions hit.


Economics: Heightened cyber risks intensify longstanding challenge for M&A, especially among companies that do a poor job managing technology

A WSJ report outlined how increased cyber risks amid COVID‑19 are posing increased challenges for M&A transactions globally.


Organizations: Underprepared employees increase cyber risk, and are one reason some companies are less resilient in face of COVID‑19 disruptions

A survey of 2,000 remote workers in the UK reveals that two-thirds have not received cybersecurity training over the past year, and 61 percent said they were using personal devices to work remotely instead of corporate-issued devices. Despite these shortcomings, 77 percent reported that they are not worried about security while working from home.


Organizations: Corporate and internal IT networks primary source of breaches

A recently published Trustwave report looking at cybercrime globally found that far and away the most common environment breached is corporate and internal IT networks (54%), followed by ecommerce (22%) and the cloud (20%). In the thousands of incidents studied, the report found that 50% of breaches across all environments stemmed from phishing and social engineering.


Organizations: Unicredit—a persistent underperformer on cyber governance—suffers another breach

Data stolen from Italy’s Unicredit allegedly came via a cyber breach into a company contracted by Unicredit to provide HR services. The data went on sale April 19, and reportedly includes employee names, email addresses, phone numbers and encrypted passwords. Telecom Italia unit Telsy reported that “the database appears to be genuine and the potential result of a SQL injection attack”.


Organizations: Ransomware attack on Cognizant adds further strain to corporate networks that depend on this service provider to function

Leading managed IT service provider Cognizant announced a Maze ransomware attack on Friday. Per Cognizant: “Cognizant can confirm that a security incident involving our internal systems, and causing service disruptions for some of our clients, is the result of a Maze ransomware attack. Our internal security teams, supplemented by leading cyber defense firms, are actively taking steps to contain this incident. Cognizant has also engaged with the appropriate law enforcement authorities.”


Policy: Cyberspace Solarium Commission report recommendations could have implications for corporate cyber risk disclosure


Economics: Exponential rise in ransomware attacks is not just a cyber risk, it’s also a primary financial risk

Zurich Insurance outlined how companies can defend against ransomware at a time when cyber vulnerabilities have increased amidst the COVID‑19-induced shift to remote work. The approach leverages the NIST framework, widely seen as the global standard for improving cyber defense.


Organizations: World’s second largest container shipping company MSC suffers a network outage, possibly due to a cyber attack

MSC reported Friday that a network outage is affecting systems at its Geneva headquarters, and that a cyber attack might be responsible. As of Tuesday 16:00 GMT, the MSC website is still down and the company has released very little new information. General operations appear not to be widely impacted yet, but precedent shows that an operational disruption can be extremely value destructive to a company like MSC.


Economics: Advent of 5G makes digital technology even more integral to success or failure of business

According to a Wall Street Journal piece, 5G will transform supply chains, in part by cutting waste, better predicting consumer demand, and being able to adjust to market and operational shifts in real time. The gamechanger between 4G and 5G lies in the number of devices that can live on a single connection. By some estimates, 5G is 10 times faster than 4G. This enables more data to be analyzed more quickly and in much greater detail than was possible before.


Policy: US Department of Justice calls for mandatory data breach reporting

At a hearing on March 4 before the U.S. Senate Judiciary Committee, Department of Justice (DoJ) Deputy Assistant Attorney General for National Asset Protection in the National Security Division Adam Hickey called upon Congress to enact legislation that would create a uniform nationwide data breach disclosure law and include a requirement that companies report breaches not just to customers but also to law enforcement.


Organizations: Absence of ceasefire by ransomware hackers towards the healthcare industry means providers still need to maintain focus on cyber to reduce risk of additional shocks

Ransomware attacks on the healthcare industry continue at the same frequency as before COVID‑19, despite recent promises by some hacker groups to avoid targeting the industry during the current crisis.


Organizations: Corporate bond downgrades increase financial constraints on companies needing to improve cyber governance

A Wall Street Journal article outlined the accelerated pace of corporate bond downgrades amidst the COVID‑19 pandemic and economic crisis. The last two weeks have seen the swiftest pace of downgrades on record. Ford was the latest big name to be downgraded to junk, while approximately $90bn of debt was downgraded in March, and some estimate the number to reach $200bn this year.


Economics: 135m records maintained by cloud backup provider SOS Online Backup exposed

VPN Mentor’s research team discovered a breached database at Cloud backup provider SOS Online Backup that contained more than 135m records. While this information apparently did not fall into malevolent hands, the incident highlights cybersecurity risks posed by the use of third-party service providers.


Organizations: Benefits of company digital tools like Zoom come with cyber and financial risks

As Zoom’s popularity has exponentially increased in recent weeks due to the mass migration to remote work, reports on security flaws continue to trickle out. Former NSA hacker Patrick Wardle shared with TechCrunch two new security flaws that can be exploited to grant hackers physical control of a victim’s computer. Malicious code can be injected into a computer via a Zoom installer to gain root access, the highest level of user privileges.


Economics: Enterprise VPN and RDP use soars as COVID‑19‑driven remote work increases breach risks

Enterprise use of VPNs has increased by 33 percent, and use of Remote Desktop Protocol (RDP) has increased by about 40 percent over the past month as companies respond to COVID‑19 by having employees work from home. These systems increase the risk of a breach of company IT systems as they are inherently less protected than onsite systems and as employees use external access systems that they are less familiar with.


Organizations: Macy’s e-commerce business has gone from rare nice growth story to a lifeline for a company fighting to survive in face of COVID‑19

Macy’s announced it is furloughing a majority of its 130,000 staff globally in the midst of the COVID‑19 crisis that has ground brick-and-mortar retail to a halt. Staff that remain will maintain e-commerce, distribution, and call center operations.


Economics: Report: Ransomware attacks increasing and increasingly paired with data breaches

Specialty insurer Beazley reports that ransomware attacks are rapidly increasing and that the dollar value of individual ransom demands is also increasing. Beazley’s analysis and key findings are in line with Cyberhedge findings that most breaches are relatively unsophisticated and the result of poor cyber governance and hygiene by employees. Strengthening employee training is both relatively low-cost and the most effective step that most companies can take to improve their cybersecurity. Beazley also highlights two additional key Cyberhedge findings: (1) that vendors are increasingly becoming a breach vector into companies and (2) that the dramatic increase in COVID‑19‑related remote access into company IT networks has increased companies’ cyber threat surfaces.


Organizations: Chinese group APT 41 seen to be exploiting Citrix and Cisco

Cybersecurity company FireEye outlined successful attacks by a Chinese group called APT 41 against Citrix and Cisco equipment in the first two months of 2020, targeting more than 75 FireEye customers, including manufacturers, media companies, and healthcare organizations. It appears that APT 41 accelerated efforts by exploiting software vulnerabilities in both companies, issues both Citrix and Cisco indicated they fixed.


Organizations: GE employee data leaked in a breach of service provider Canon

GE disclosed that personal information for a number of current and former employees was exposed in a security breach that took place between February 3-14 at Canon Business Process Services, one of its service providers. While the breach did not occur in GE’s systems, according to the legal filing, the case highlights a common supply chain risk: cyber governance extends beyond company networks and includes regimes of counterparties.

Read full article
Daily |

Economics: Most critical cyber insurance issue is not growth of ransomware

A recent article in the Financial Times highlighted the continued emergence of ransomware and the targeting of large financial institutions, an issue illustrated by the devastating attack on Travelex and the growth of cyber insurance as a mitigation measure for companies. Large insurers point to the significant increase in the sums attackers are demanding and dispute the claim that having cyber insurance to cover such incidents makes companies more of a target.

Read full article
Daily |

Economics: Companies face increased IT threats from targeted COVID‑19‑themed phishing attacks

The unprecedented challenges posed by the COVID‑19 outbreak extend to securing companies’ IT networks, and this event may be the biggest cybersecurity threat ever. Threat surfaces are also increasing dramatically as large numbers of workers are forced to work from home, often with systems and procedures that are different from those they are trained on and familiar with in their workplace.

Read full article
Daily |

Economics: New EY Board Survey: Technology a business priority, though security still an afterthought for many

A new EY Board Survey has identified “technology disruption” as the number one strategic opportunity for organizations. The survey reveals that 48 percent of boards believe data breaches and cyber attacks will “more than moderately” impact the business in the next 12 months. However, only 36 percent of respondents in the survey indicated cybersecurity is a priority in the planning phase of any new business initiative.

Read full article
Daily |

Economics: Surge in Ransomware-as-a-Service attacks in healthcare sector partly byproduct of choices made in C-suite

A recent study claims that ransomware attacks have increased 350 percent in the past year. This mirrors other reports, including one by Blackberry Cylance, outlining a similar upsurge in such attacks against the healthcare sector across the U.S. and Europe. In December 2019, Cylance disclosed findings related to Zeppelin Ransomware-as-a-Service (RaaS), which targeted IT vendors and healthcare providers.

Read full article
Daily |

Organizations: For Informa, a company hampered by coronavirus, improved cyber governance can help better guard against another downside risk

UK-based Informa (INF), the world’s largest events and exhibitions business, reported generally positive FY19 results in terms of revenue, earnings, and growth, including what Informa leadership describes as a “secure balance sheet”. But, more important is the storm brought about by coronavirus that is facing the events-focused business and the impact this may have on the company’s already-poor cyber governance. In its earnings call, the company described strong headwinds from coronavirus and possible uncertainties around the larger disruption over the course of 2020. Indeed, INF has already taken a £450mn revenue hit as a result of postponing and cancelling 100 events.

Read full article
Daily |

Organizations: Walgreens breach stemmed from digital push

Walgreens notified customers last month of a personal data breach that occurred in January stemming from its mobile app. The company indicated that it took steps to remedy the problem once discovered, but that health information for a “small percentage of the total users who were affected” was leaked.

Read full article
Daily |

Organizations: Role of digital puts J. Crew breach into financial focus

In a mandatory filing with the California attorney general this week, J. Crew Group, Inc. disclosed a breach of customer accounts dating back to April 2019.

Read full article
Daily |

Economics: Deloitte study on smart factories—concerns about merging of OT and IT clearer. But understanding of resulting financial risk? Less so

Key findings from a study on smart factories by Deloitte and the Manufacturers Alliance for Productivity and Innovation (MAPI) include: 25 percent of manufacturers surveyed have not performed a cyber risk assessment in the past year, meaning these manufacturers likely do not have visibility into the impact of a cyber-related operational disruption; 48 percent of manufacturers surveyed identified operational risks, which include cybersecurity, as the greatest danger to smart factory initiatives; 40 percent of manufacturers surveyed indicated that their operations were affected by a cyber incident in the past 12 months; management of information technology (IT) is often out of sync with operational technology (OT) management, creating additional vulnerabilities many companies are unaware of; OT is typically managed by engineering, automation, and operations rather than IT; there is generally no single team responsible for all OT systems and underlying security; and the traditional application of security controls, such as patching or vulnerability scanning, needs to be adapted to the new environment.

Read full article
Daily |

Organizations: Fortune 500 parts supplier breached

Visser Precision, a parts supplier to automotive, defense, and aeronautics companies, reported a data theft incident, according to a Tech Crunch article.

Read full article
Daily |

Organizations: ISS reports ransomware attack, incurs losses from business disruption

ISS World, a Danish workplace experience and facility management company, was hit by a malware attack on February 17, 2020. As a precautionary measure, they immediately disabled access to shared IT services across company sites and countries.

Read full article
Daily |

Organizations: Macy’s results point to further financial constraints that weigh on cyber governance

Macy’s Inc.’s (M’s) Q4 and FY19 results marked a continued slide for the brick-and-mortar retailer amidst an attempted turnaround.

Read full article
Daily |

Organizations: Disappointing Hertz results viewed through Cyber-Financial (CyFi) lens

Hertz (HTZ) announced Q419 and FY19 results on February 24, reporting quarterly sales of $2.326 billion, which missed the analyst consensus estimate of $2.34 billion. The company ended the fourth quarter with cash and cash equivalents of $865 million, compared to $1.13 billion at the end of 2018. Total debt as of year-end amounted to $17.09 billion, compared to $16.32 billion as of Dec 31, 2018. As of February 25, the stock was down approximately 15 percent post-earnings.

Read full article
Daily |

Company: Citrix breach demonstrates that security and transparency still matter

Citrix—one of the world’s largest networking and remote access technology companies—announced that malicious hackers were inside its networks for five months between 2018 and 2019. This comes almost a year after the breach of its network was announced following an FBI alert.

Read full article
Daily |

Company: MGM customer data breach should be warning sign to management

The personal details of more than 10.6 million MGM Resorts International (MGM) guests were published on a hacking forum last week.

Read full article
Daily |

Organizations: U.S. Navy’s much-needed modernization plan also increases vulnerabilities

This month, the Department of the Navy (DON) released a report, Information Superiority Vision, that outlines an acceleration of the military branch’s digital transformation. The report highlights the need for a comprehensive overhaul of the department’s systems and cyber posture to better defend against attacks.

Read full article
Daily |

Economy: Healthcare sector’s poor cyber governance performance continues—and business strategy helps explain why

More than 41.4 million patient records were compromised by 572 healthcare data breaches in 2019, according to a study of data provided by the U.S. Department of Health and Human Services, the media, or other sources. This excludes two breaches of IT vendors servicing dental offices across the country in August and December 2019.

Read full article
Daily |

Organizations, Economics: Digitization of energy sector brings both benefits and risks

Two stories point to the upside and downside of digital transformation in the energy sector. On the negative side, this week, the U.S. Government Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about its response to a cyberattack affecting control and communication assets on the operational technology (OT) network of a natural gas compression facility. According to the alert, “Impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial Loss of View for human operators.” The victim’s emergency response plan did not specifically consider cyberattacks, and the decision was made to implement a deliberate and controlled shutdown to operations that lasted two days, resulting in a loss of revenue and productivity, after which normal operations resumed.

Read full article
Daily |

Organizations: Poor cyber governance was warning of Macy’s downgrade

On Tuesday, S&P lowered its rating for Macy’s from BBB- to BB+—one notch below investment grade—saying it viewed the company’s turnaround plan as necessary, but also a sign that the department-store chain’s “competitive advantage has diminished more than we expected.”

Read full article
Daily |

Organizations: Digital transformation comes to the farmland

In October 2019, Bayer’s digital agriculture division, The Climate Corporation (Climate Corp), announced a partnership between its FieldView™ digital farming platform and Tillable, a self-described first-of-its-kind digital marketplace connecting farmers and landowners. According to Tillable, it was “created to help landowners receive fair rent and get the insights they need about their farm’s performance, while also helping great farmers build their reputations and expand operations.”

Read full article
Daily |

Economics: CISO Strain: The human embodiment of the cyber challenge

UK-based cyber company Nominet released its CISO Stress Report, attempting to shed light on the burden carried by the person responsible for protecting corporate networks in 2020. The U.S./UK study serves as a follow-on to Nominet’s first couple of reports looking at the role of the CISO, including one on the perspectives of boards. Some well-known facts are confirmed, as well as important current data points on CISO-C-suite dynamics: 88% of CISOs remain moderately or tremendously stressed, and 90% of CISOs said they’d take a pay cut if it improved their work-life balance. Most CISOs still lack strong support from the rest of the C-suite.

Read full article
Daily |

Policy: New privacy bill demonstrates need for better data governance

U.S. Senator Kirsten Gillibrand (D-NY) introduced legislation to create a Data Protection Agency to, in her words, “bring the protection of your privacy and freedom into the digital age.”

Read full article
Daily |

Organizations: 440 million records sounds significant, but Estée Lauder breach unlikely to cause material financial impact

$76 billion retail giant Estée Lauder (EL) suffered a breach of a reported 440 million records, including customer data. The breach resulted from a non-password-protected cloud server. Importantly, it does not appear that any payment information was part of the breach.

Read full article
Daily |

Economics: Mismanaged technology largest contributor to breaches globally in 2019

According to IBM, cybercrime continues to grow at a significant pace year-over-year (4x increase in 2019 vs. 2018) despite increasing resources and attention placed on security by companies and governments.

Read full article
Daily |

Economics: Lagarde: Cyber could create a financial crisis

European Central Bank (ECB) President Christine Lagarde, citing a report by the European Systemic Risk Board (ESRB), outlined how a successful attack on a major financial institution could quickly create financial instability.

Read full article
Daily |

Economics: New ransomware targets critical infrastructure

Security researchers at Dragos and Sentinel One believe they have identified a new strain of ransomware designed specifically for industrial control systems (ICS)—systems most commonly associated with being at the core of utility infrastructure. ICS environments are also among the highest-value targets for cybercriminals and nation-state hackers.

Read full article
Daily |

Company: Cisco survey: CISOs trying to reduce network complexity

A key finding from Cisco’s recently released CISO survey indicated that reducing network complexity is a top priority. CISOs are electing to embark on vendor consolidation, with 86 percent now using 20 vendors or fewer.

Read full article
Daily |

Economics: Survey: 160,000 Data Breach Notifications Since GDPR

More than 160,000 data breach notifications have been reported across the EU since the GDPR came into force on 25 May 2018, according to a DLA Piper survey. The fines, however, have not proven to have a material impact on large companies as some predicted when the law was enacted.

Read full article
Daily |

Economics: The rise of ransomware puts business disruption risk in focus

As of Q319, leading experts like McAfee observed over 100% growth in ransomware attacks globally. FireEye recently identified how threat actors are collaborating in efforts to launch ransomware attacks, a trend that will grow in 2020.

Read full article
Daily |

Organizations: Salesforce, Hanna Andersson suit reminder of third-party risk in digital transformation era

Salesforce.com, Inc. and children’s clothing company Hanna Andersson are facing a federal court lawsuit that is among the first to cite the new California Consumer Data Privacy Act that went into effect in January.

Read full article
Daily |

Policy: Macy’s, Inc.’s New, Three-Year Polaris Strategy Latest Effort to Stay Competitive in Age of Digital Commerce

In its preliminary 4Q and full-year 2019 sales results this week, Macy’s (M) announced the closure of 125 stores—about 20% of its physical footprint—over the next three years, as well as 2,000 job cuts. These moves come as the retailer continues to grapple with the rising dominance of e-commerce and shifting preferences of shoppers.

Read full article
Daily |

Policy: Department of Defense leads the way with new cyber transparency metrics

The Pentagon has finalized the long-anticipated cybersecurity standards contractors will have to follow before winning contracts from the Department of Defense (DoD), a new process called the Cybersecurity Maturity Model Certification (CMMC) 1.0, according to Fifth Domain.

Read full article
Daily |

Organizations: Disclosure of reported safety shortcomings at Southwest a reminder of what has helped make aviation sector safer and more prosperous

An FAA inspector general report outlined how Southwest Airlines failed to prioritize safety, and the Federal Aviation Administration (FAA) did not properly conduct oversight of the airline. The report criticizes the agency’s oversight of the carrier as lax, ineffective, and inconsistent, according to a WSJ article.

Read full article
Daily |

Organizations: Cyber governance a key factor in Boeing’s first annual loss in over 20 years

Boeing (BA) reported its first annual loss since 1997 as 737 MAX costs approach $19 billion. However, shareholder value losses have been far greater, losing about 25% of value since the March 2019 Ethiopian Airlines crash. The company is now in the midst of complicated and potentially costly compensation talks with airline customers like American Airlines. These customers have felt the direct effects of the MAX grounding and believe that BA, not their shareholders, should be on the hook for the crisis.

Read full article
Daily |

Policy: Data systems are critical to the functioning of markets and cybersecurity: SEC

On January 27, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued examination observations. The document outlines a series of approaches taken by market participants in areas including governance and risk management, access rights and controls, data loss prevention, resiliency, vendor management, and training and awareness.

Read full article
Daily |

Organizations: Target strategy illustrative of rapid digital shift in retail

A WSJ profile of Target CIO Michael McNamara outlined the retail giant’s shift in IT strategy following the damaging 2014 data breach—from outsourcing functions like software development to hiring more in-house technologists, or what the industry refers to as “in-sourcing.”

Read full article
Daily |

Economics: Citrix breach illustrates common weakness in the digital infrastructure of companies

Citrix—one of the world’s largest networking and remote access technology companies—announced patches for a known vulnerability more than one month after it was announced. It is a $15BN company that more than 400,000 companies, including many of the Fortune 500, rely upon to keep their data safe and networks secure.

Read full article
Daily |

Economics: A missing piece of the cyber picture: Economic incentives to be good at it

In the lead-up to its Annual Meeting, a World Economic Forum (WEF) note outlines in some detail the steps that boards and C-suites should take to better tackle cybersecurity risk—a top-five risk in its 2020 Global Risks Report. The report poses the question: beyond the rising damage caused by cyber breaches, what incentives for investment and improved approaches exist? Though an increasing number of market players such as insurers and ratings firms are getting in the fray, “coherence, however, is still missing,” according to WEF.

Read full article

What are the Cyberhedge Cyber Governance Indices?

These first ever benchmarks prove good cyber governance matters to shareholder value. They measure stock market performance of companies with good and with bad cyber governance scores. Scores are based on Cyberhedge’s proprietary cyber governance rating methodology. Market performance is tracked by an independent firm. The results show that companies with good cyber governance outperform their peers in US, UK, and EU markets.
