Daily

CNA operations are slowly coming back online as it continues recovering from the cyber attack it reportedly discovered on March 21. On April 1 the company reported that customers could again communicate with the company via email but that its internal email and other systems were still not fully operational.

After disclosing a breach in early March that it said disrupted operations and shipments, Molson announced last week in a disclosure to the SEC that the breach along with the winter storm in Texas could cost the company upwards of $140 million in short-term EBITDA. According to the company, “the cybersecurity incident and the February winter storms in Texas will shift between 1.8 and 2.0 million hectoliters of production and shipments from the first quarter 2021 to the balance of fiscal year 2021 and will also shift between $120 million to $140 million of underlying EBITDA from the first quarter 2021 to the balance of fiscal year 2021.”

A survey of workers in the US by PC Matic taken in March 2021 shows little change in companies cyber security support for those working remotely, compared to findings in an identical survey taken in May 2020.

In the latest move in a turnaround effort that started ten years ago, Hitachi’s $9.5bn acquisition of GlobalLogic, a digital product engineering company, is the latest evidence of its transformation from traditional industrial conglomerate to digital technology company.

UK insurer Aviva, has joined the race to provide solutions to help SMEs deal with rising cyber risks as it rolled out new products this week. According to the company’s head of cyber insurance: “Cyber insurance has quickly moved from an add-on to an absolute must-have to protect businesses against an attack and to ensure they have fast access to expert specialists if a breach does occur so they can return to normal as quickly as possible....cyber attacks can take many forms and can have a devastating effect on a business.”

CNA Financial, one of the largest insurance companies in the US, was hit with a business disruption breach on March 21st. CNA offers a range of insurance products and is one of the leading providers of cyber insurance. Reports have suggested insurance companies that focus on cyber products have become increasing targets for hackers not just because of their own status as valuable individual targets, but also because of the very valuable data they possess on their clients, the insureds purchasing cyber insurance products.

Three weeks after reporting that its Exchange server software contained a major bug, Microsoft reports that approximately 8% of the 400,000 servers located on client premises have still not been patched and therefore remain vulnerable to attack. While 10,000 of these vulnerable servers are in the US, this is a global problem as 70% of the servers are in non-US locations.

44% of small businesses surveyed by Appalachian State University and insurer Selective were concerned about cybersecurity and technology issues, but only 20% of them report having cyber insurance coverage, despite the fact that 28% of data breaches impact small businesses.

As consumer product companies accelerate IoT across product lines, IT and R&D are working more closely together. It is IoT and machine learning that puts data and sensors at the center of what these companies now do. Simply put, as companies see how digital technology is driving more and more of the value of companies, IT can’t function as a separate entity. According to the article, 70% of CIOs surveyed indicated that business leaders are asking their teams to work on more strategic projects in the wake of the pandemic.

Analysis of ransomware attacks on US healthcare organizations by Comparitech shows a dramatic increase in downtime caused by the attacks, resulting in enormous financial damage to the organizations. The study is comprised of 92 publicly reported individual ransomware attacks in 2020, a 60% increase from 2019, affecting more than 600 separate hospitals, clinics and other organizations. The true numbers are likely much higher as Comparitech points out that only publicly disclosed cases are included in their study.

US Deputy National Security Advisor Anne Neuberger advocated for software ‘cleanliness ratings’ to give customers better information about the cyber riskiness of new products and shed light on a forthcoming executive order aiming to improve security in the wake of the SolarWinds breach, which will impose new standards for software. Neuberger also referenced the importance of ‘rapid visibility’ following a breach to limit damage, as the recent breach of the Oldsmar water treatment facility made clear.

‘The State of Cyber-Risk Disclosures of Public Companies’ reports that US companies do a poor job of disclosing cyber risks to investors, as they generally use undifferentiated, boilerplate legal language that does not sufficiently inform investors of the real risks that they face, or give investors insight into the degree of seriousness and resources companies take combatting these threats. Former SEC Commissioner Robert J. Jackson Jr says that increasing cyber threats are “the most pressing issue in corporate governance today”.

Campari announced a 34% YoY decline in net profit and a 24% YoY decline in adjusted EBITDA for FY2020. This follows a significant ransomware breach in November that disrupted operations and COVID‑19 closures across all markets that pushed sales from bars and restaurants to online.

Identity security company Okta’s Digital Trust Index reveals that 57% of Australian respondents report being more cautious about online personal data than before the COVID-19 pandemic; 49% would stop using the services of a company that suffers a cyber breach and 40% report already having a trust-losing incident with a company.

United Health Services, one of the largest healthcare providers in the US, admitted that its September 2020 ransomware breach negatively impacted operating results in Q4. According to the company, “although we can provide no assurance or estimation related to the amount of the ultimate insurance proceeds that we may receive in connection with this incident, we believe we are entitled to recovery of the majority of the unfavorable economic impact of the cyberattack pursuant to a commercial insurance policy… Any costs that we incur as a result of a data security incident or breach, including costs to update our security protocols to mitigate such an incident or breach could be significant”.

Wendy’s new CIO Kevin Vasconi is planning to make the new digital features introduced during the pandemic as stopgap measures to be permanent. Why? Because he sees shifting consumer behaviors likely to stick around.

IBM signed a deal with Delta Air Lines to provide Cloud services for most of the airline’s data and applications. The move will impact ‘hundreds’ of software applications across Delta’s business lines, including its mobile app, its contact software, baggage tracking system and others. Delta was already in the process of shifting to Cloud based services but had expected this to be done over a 10-year time period that began in 2018. With this deal, Delta now plans to have more than 90% of this move to the Cloud done in the next three years.

The shift to work-from-home (WFH) over the past year has prompted a logical shift in hackers vulnerability exploit targets, including Citrix’s Application Delivery Controller (ADC) reportedly for the first time. Though the data point is important, Recorded Future points out that often less than 1% of vulnerabilities have been weaponized within the past month or year. According to the report, “As such, it is imperative that security professionals know which vulnerabilities that impact a company’s technology stack are included in exploit kits, used to distribute ransomware, a remote access trojan (RAT), or are currently being used in phishing attacks”.

Recent publicly released details of the Oldsmar breach paint a picture of poor cyber hygiene and governance. The breach vector was reportedly TeamViewer remote access software that was no longer in active use by the utility, and for which there was a single access password shared by all users. The utility was also using an old Windows 7 operating system. In response, the Cybersecurity & Infrastructure Security Agency (CISA), FBI and EPA issued a joint press release urging utilities to upgrade from this system due to the lack of security updates. Furthermore, the Wall Street Journal reports that in contrast to electric utilities which have strong national standards that they must meet, that community water utilities in the US do not have any national standards for cybersecurity.

Digital Shadows Intelligence analyzed ransomware attack data for 2020 and found that while every business sector was impacted, that Industrial Goods & Services was the subject of 29% of attacks, by far the most of any industry. No other industry accounted for more than 9% of the total. In addition, the most targeted region was North America, accounting for 66% of ransomware alerts, followed by Europe at 23% and Asia at 6%.

WestRock provided an update in the past week on the January 25 ransomware incident. Per the statement, “The company is also executing measures like manual processes in response to customers’ requirements. WestRock is now steadily bringing its information systems back online in a controlled and phased manner”. Production at its mills has been adversely impacted.

The Claroty 2H20 ICS Risk & Vulnerability Report details publicly disclosed ICS vulnerabilities found in this increasingly critical risk area. Key findings include:

A water-treatment plant in Oldsmar, Fla., was breached, and the hacker briefly increased the amount of lye used to treat water to a dangerous level, according to Pinellas County Sheriff Bob Gualtieri.

The SolarWinds attack which affected as many as 18,000 enterprises brings new challenges to the cyber insurance industry. Capgemini notes that the ‘supply chain attack’ aspect brings particular challenges to insurance as instead of distinct events, many enterprises are hit at once, and the SolarWinds breach lays down a roadmap for commercially minded hackers to follow. The long time period between exploit and detection means that other similar breaches may already be ongoing.

The global computer chip shortage continues to upend the auto industry this year as Ford indicated that total quarterly output would be down 20% because of it. This includes a hit to the company’s and country’s top selling vehicle, the F‑150. Separately, GM announced this week that it would pause production at three plants in North America because of the shortage.

Cisco’s ‘2020 Small Business Digital Transformation’ report examined the state and impact of Digital Transformations on SMEs in the US, UK, Germany, France, Canada, Brazil, Mexico and Chile and found the same type of divergence between enterprise ‘winners’ and ‘losers’ due to the state and success of their digital transformation strategies that Cyberhedge finds in larger companies.

The Cyber Solarium Commission issued a white paper that is intended to provide a guide for the incoming Biden-Harris administration on key cybersecurity challenges and opportunities. The paper builds on the commission report issued last year and identifies possible early policy achievements and possible priorities for action over the coming months and years.

Satya Nadella highlighted how a new wave of Digital Transformations is occurring over the past year across companies and industries and is driving Microsoft earnings, which beat analyst expectations in 4Q20. Microsoft’s Cloud segment saw 23% revenue growth, led by a 50% increase in revenue attributed to the Azure cloud platform. This was higher than the company’s other two divisions, Personal Computing (+14%) and Productivity and Business Processes (+13%). Notably, Microsoft’s security revenue increased 40% in 2020 over 2019 to more than $10b.

The Financial Times notes that the ‘time’ element in Private Equity investing brings challenges when implementing Digital Transformations at portfolio companies, as they rush to implement changes that deliver material results as quickly as possible. They note that in the case of companies that are not traditionally ‘digital’—which effective digital transformation can often bring particularly large financial gains to—this type of quick transformation can be difficult due to the significant companywide cultural and operational changes necessary.

A January 22nd Lawfare piece points out that most of the coverage of SolarWinds has focused on the impact on IT systems while equally damaging, but as yet not visible impacts on operational technology (OT) have not received adequate attention.

SolarWinds fallout continues as the US Senate Intelligence Committee Chairman Mark Warner says that Congress will revisit the issue over whether to require companies to disclose cyber breaches. Previous attempts by the government to require notification were reportedly blocked by private sector lobbying. But the scale and damage of the SolarWinds hack—and the fact that had FireEye not disclosed the breach, the damage would likely have continued to increase much further—means that it will be far more difficult for opponents of disclosure to continue to successfully block this type of legislation.

The five year-long and $50bn investment in electric vehicles by Volkswagen (VW) and led by CEO Herbert Diess hit a significant speed bump last year when it launched its answer to Tesla, the ID.3. The software didn’t work as advertised, and the German car giant learned how the future of the auto industry will increasingly hinge on an ability to execute well on software, not hardware.

93% of 700 CIO’s globally (US, UK, France, Germany, Australia, Singapore, Brazil, Mexico) surveyed by software company Dynatrace said their ability to implement successful Digital Transformation strategies is hindered by challenges including IT and business teams working in separate silos, which is also preventing them from effectively keeping up with cloud-based architectures. The lack of seamless integration between these functions means that much time and resources are wasted reacting to system gaps and manually integrating data from different parts of the organization. Resources spent in this manner are resources that cannot be devoted to profitability enhancing initiatives such as increased sales or lowered costs.

The new rule proposed by the US Comptroller of the Currency, the Federal Reserve System, and the Federal Deposit Insurance Corporation expands the current requirements banking organizations and bank service providers have to follow when a security incident rises to the level of a “notification incident”. A security incident refers to any event that violates security policies, procedures, or acceptable use policies, or results in actual or potential harm to the confidentiality, integrity, or availability of an information system.

Cybersecurity vendor Netwrix’ ‘2021 Netwrix Cloud Data Security Report’ which surveyed 937 IT professionals globally reports that 54% of respondents who store customer data in the cloud had a security incident in 2020, 24% of which were ransomware or other malware. 35% of impacted companies report that these data theft incidents led to ‘customer churn and loss of competitive edge’.

British Airways (BA) is now on the receiving end of the largest privacy class action lawsuit in UK history stemming from the airline’s massive 2018 data breach. The carrier admitted to the breach of personal and financial data for 400,000 customers.

Consulting firm Accordion argues that Digital Transformation strategies should be led by CFO’s, as they are best positioned to coordinate the efforts of the many disparate business functions necessary for a successful strategy–IT, HR, Marketing, Strategy, Sales. In addition, the CFO office is typically the most skilled in the key factors that drive a successful DT strategy, such as data analysis, risk/reward calculations, Return on Investment (ROI) and other financial metrics. Finally, having the CFO lead the strategy will demonstrate the importance attached to the project to the rest of the organization.

Three key findings in a recent McKinsey survey of nearly 900 executives help define the nature of the digital acceleration in the corporate world since COVID‑19.

A survey by Constellation Research conducted between September and October revealed that the top budget priorities for CIO’s in 2021 are Digital Transformation and Cybersecurity, with those two categories significantly ahead of other areas of focus. Close to 1/3 of respondents report that their IT spending had declined during Covid-19, many by more than 10%, while only 7% saw their IT budget increase during the pandemic despite the universal increase in IT dependence amid the shift to remote work.

T‑Mobile announced its fourth data breach within the last three years. T‑Mobile, which completed a merger with Sprint in April 2020, also disclosed incidents that occurred in March 2020, November 2019 and August 2018.

An IBM survey of CIO’s and CTO’s in the US and UK conducted at the end of November revealed that while the importance of digital transformations is nearly universally accepted, most companies self-report that they are still lagging in implementation, with 60% reporting that their IT modernization is not yet ready, and 24% reporting that they are just starting—or have not yet begun—their IT modernization.

After a banner 2020, Ransomware is set to get worse in 2021, according to Sentinel One. “First, attackers have grown to understand the profile of an easy target, which has proved for now to be municipalities and local government organizations.” The note rightly points to a lack of resources as one reason for the persistent vulnerabilities.

Former Facebook CISO Alex Stamos proposed building a cyberspace equivalent of the National Transportation Safety Board (NTSB). He said, “such an agency would track attacks, conduct investigations into the root causes of vulnerabilities and issue recommendations on how to prevent them in the future.” Stamos points how the public accounting of hacks like SolarWind do not yield the vital lessons learned that can be applied to minimize the likelihood of a similar event in future.

Sotheby’s reports a 5x increase in digital sales to $150.5m in 2020 vs 2019, Christie’s reports a 3x increase in the number of online sales events (and 4x increase in revenue for those events) in November and December vs the corresponding period in 2019. Christie’s is also seeing a new willingness by customers to purchase very high priced goods online. Prior to 2020, the highest price it had sold an item for online was $80,000, but it has already sold 25 items for over $100,000 each this year. Other luxury goods retailers are seeing similar dynamics. David Rosenblatt, the CEO of online luxury goods marketplace 1stDibs, reports that “buyer behavior has changed dramatically overnight” during the pandemic, resulting in “10 years of digital adoption over the last 10 months”.

Some of the world’s largest shippers are facing increasing difficulties in global supply chains amid a disruption in trade caused by the pandemic. A number of factors, including staff illness, quarantining and social distancing coupled with a spike in consumer demand and disruption to factory production has resulted in increasing delays for shippers and in turn their customers.

On the eve of Starbucks biennial investor day CEO Kevin Johnson highlighted the central importance of digital technology in its rebound effort. The company is predicting traffic in stores to exceed pre-pandemic levels as Starbucks reorients its operating model towards more ‘walk thru’ and seeks to leverage what COO Roz Brewer referred to as extraordinary data analytics to inform a better allocation of resources.

The COVID‑19 pandemic has spurred a dramatic digital revolution in the healthcare sector in the way patients interact with doctors and other service providers. Pre-pandemic, the sector’s service model was arguably the least changed by the technology revolution, as in-person interactions were the rule. But the need for social distancing, as well as coordination in COVID‑19 response has forced the industry to make radical changes to this model, to everything from digitizing and sharing health records, to remote patient analysis, diagnosis and treatment delivery. McKinsey estimates that revenues from digital health will increase to $600b in 2024 from $350b in 2019 as this revolution takes hold.

A recent McAfee report on the hidden $1 trillion USD cost of cybercrime include the following key findings: 96% reported experiencing some kind of cyber incident; Two thirds of the companies surveyed experienced some kind of cyber incident in 2019; Average interruption to operations was 18 hours; Almost all affected companies said the costs went beyond the monetary loss—the biggest non-monetary loss was in productivity and lost work hours.

The Aspen Cybersecurity Group’s whitepaper ‘A National Cybersecurity Agenda for Resilient Digital Infrastructure’ calls for a systematic prioritization of improving cybersecurity, citing deep structural shortcomings at all levels of digital infrastructure. Improving cybersecurity is described to be as fundamentally important to society as bringing sewer systems was to 1800’s cities to deal with sanitation caused health crises, and deserves at least as much attention, priority and resources as those the US government committed to confronting terrorist organizations in the wake of 9/11.

The University of Vermont Medical Center was the victim of a ransomware attack that has disrupted its cancer center for a month since the attack. It took one month for electronic medical records to be restored while many patients were adversely impacted as the center was unable to process the normal volume of patients with IT systems not fully restored. Healthcare systems across the country are suffering ransomware attacks with increased frequency across the United States in 2020.

The President of the Tokyo Stock Exchange, Koichiro Miyahara, is stepping down following a systems outage on October 1st which halted trading for the full day, the first time this had happened since the TSE’s shift in 1999 to a fully electronic trading system. The trading outage has been partially blamed on Fujitsu which developed the trading system in 2010 and issued an update in 2015.

Amazon’s AWS Cloud computing infrastructure had an hours long outage Wednesday beginning around 12:00pm EST that impacted many companies, websites, apps and services. Services were fully restored Thursday morning.

A CrowdStrike survey conducted in August and September of 2,200 companies across the US, UK, Germany, Japan, Australia, Italy, India, Netherlands, Spain, Singapore, France and the Middle East, and across different sectors found that 56% of responding organizations were hit by at least one ransomware attack in the last year. Indian and Australian companies reported the highest breach incidence, and 22% of US companies reported being hit by more than 1 attack during that period. 27% of victims admitted paying the demanded ransom, which averaged $1.1m.

Business interruption losses accounted for 60% of cyber insurance claims in the past five years, according to a recent report by Allianz Global Corporate & Specialty SE. According to the report, losses resulting from external incidents, such as DDoS attacks or phishing and malware/ransomware campaigns, account for 85% of the value of claims analyzed.

Goldman Sachs spotlighted 50 companies in the S&P 500 that it expects to benefit the most from ESG selection criteria. Focus was put on evaluating Environmental and Social metrics, with Goldman pointing out that the top quintile companies based on ‘E&S’ factors in the MSCI ACW Index generated 11% annual returns since 2012, vs 8% returns for companies in the bottom quintile.

After being the dominate theme in the hundreds of portfolio managers, ESG has been downgraded as a priority this year by portfolio managers surveyed by Edelman. ‘Social’ in ESG saw the biggest jump among investor priorities, especially in the US where it saw a 15% jump from last year among respondents.

Home Depot (HD) 3Q20 results beat expectations with sales increasing 23% year-on-year to $33.54b and net income rising 24% to $3.43b as the consequences of the pandemic continued to be positive for the home improvement giant. Work from home and lockdowns translated into a big increase in demand for many HD products, including DIY related projects, home offices, and garden and outdoor goods. Digital sales increased 80% year-over-year, with 60% of those orders being picked up by customers in the stores. HD shares are up 28% year to date, vs 12% for the S&P500.

A recently released World Economic Forum (WEF) report on cyber information sharing calls attention to how “The COVID‑19 pandemic has led to rapid digital transformation in many workforces and sectors, further increasing the dependency of our global economy on digital infrastructure.” According to WEF: “Trusted, secure and scalable cyber information sharing needs to be a foundational platform on which all participants of the digital ecosystem can rely.”

Microsoft calls cyberattacks on health care organizations ‘unconscionable’ and urges governments to act against them. The company highlights three nation state actors—one Russian, and two from North Korea—that have targeted pharmaceutical companies and vaccine researchers in the US, Canada, France, India and South Korea in recent months, but also notes the long list of other cyber attacks this year targeting hospitals in a handful of countries globally. Microsoft’s President Brad Smith is calling on multinational organizations and governments to pressure other governments and law enforcement to take action in these cases, and notes that international law specifically protects medical treatment and research facilities.

A recently released Gartner survey of 2,000 CIOs indicates a prioritization of cybersecurity over all other IT areas, including cloud and data analytics. According to the report, “With the opening of new attack surfaces due to the shift to remote work, cybersecurity spending continues to increase. 61% of respondents are increasing investment in cyber/information security, followed closely by business intelligence and data analytics (58%) and cloud services and solutions (53%).”

McKinsey surveyed 23 financial services firms about how their Board of Directors are engaging on cybersecurity. The survey focused on three areas: Oversight, Structure, and Awareness and understanding.

Davide Campari-Milano NV disclosed on Monday that following a ransomware attack on Sunday November 1, “selected services have been progressively resumed following their successful sanitization and the installation of extra security measures.”

Cybersecurity company Coveware’s 3Q20 Ransomware report highlights an increasing trend of attackers failing to follow through on promises to delete stolen data when breached companies pay the demanded ransom. Ransomware groups including Sodinokibi, Maze/Sehhmet/Egregor, Netwalker and Mespinoza have leaked data following company payments, or demanded a second payment from companies even after they complied with the initial demand.

5G will expand the attack surface for industrial IoT (IIOT) applications, according to a new report on 2021 cyber trends from Booz Allen Hamilton. According to the report: “Organizations need to reconsider the structure of IIOT network setups, and vendors need to present secure, actionable solutions to organizations using their ICS/OT products.”

In an interview with CNBC, SEC Chairman Jay Clayton said that cybersecurity risks are foremost on his mind, cyber risks are on the rise and greater than ever, and that basic cyber hygiene such as strong patching strategy and cadences were very important.

Honeywell beat estimates in Q3 despite a 14% YoY drop in revenue and a 25% decrease in earnings. Aerospace (-25%), building technologies (-8%) and performance materials and technologies (-16%) got hit the hardest, while the company saw an increase defense and space, warehouse automation and personal protective equipment.

Perimeter scanning of 3,514 corporate networks in the finance, manufacturing, IT, retail, government, telecoms and advertising sectors conducted by Positive Technologies found high-risk vulnerabilities at 84% of the organizations. 47% of the detected vulnerabilities can be eliminated by making sure recommended updates have been installed in the software, and the causes of the vulnerabilities — absence of recent software updates, outdated algorithms and protocols, configuration flaws, mistakes in web application code, and accounts with weak and default passwords — are in general easy fixes.

SAP and Microsoft both announced quarterly results this week. SAP’s results were largely down across the board—overall revenue, operating profit and even cloud. Its forecast was also revised downward. The German giant’s shares fell significantly since the announcement as a result.

Home Depot (HD) Chief Information Officer Matt Carey detailed to the Wall Street Journal how the company’s Digital Transformation strategy enabled it to successfully meet the unprecedented shift in customer demand and business operations caused by the COVID‑19 shutdown. HD’s cloud-based IT infrastructure supported the huge increase in online sales while competitors struggled to adapt as smoothly to the new environment. HD’s cloud back-end meant these initiatives could be launched much more quickly than if they managed their own IT hardware infrastructure.

Cyberhedge 5-Star rated Union Pacific (UNP) Q3 results announced last week saw year-on-year a drop in net income of $1.4 billion (from $1.6 bn in Q3 19’), and operating revenue of $4.9 billion was down 11% in third quarter 2020 compared to third quarter 2019. But YTD free cashflows (FCF) were up to ~$1.93bn (compared to $1.83bn in 19’) due in part to a 58.7% operating ratio, an all-time quarterly record for the company. This included +11% increase in locomotive productivity and +13% increase in worker productivity — both key metrics for the company’s Unified 2020 Plan.

Following Tesco’s recent quarterly results, FT Alphaville makes the case for evolution not revolution in the British retail giant’s battle for revenue and margin growth. As the traditional bricks-and-mortar retailer battles much smaller digitally native competition like Ocado, some investors are warning the company to not fixate too much on driving more digital sales as the way forward.

Top cyber security experts highlight the difficulty in assessing the quality and capabilities of cybersecurity products has led to a broken market. In this market, customers have low confidence in their ability to properly analyze, assess and manage products on the market, as well as their own organizations overall cyber security posture.

A KPMG survey reveals that 90% of Canadians are ‘leery’ of sharing their personal data with an organization that has suffered a cyberattack or data breach, and 84% would consider moving their business to a competitor following a breach. A quarter of respondents report having had their login credentials stolen from a trusted site that experienced a breach, and 38% are not confident that their personal information can be kept safe.

Microsoft recently announced a Zero Trust Deployment Center as an offshoot of its Zero Trust Security Model. This center is intended to provide support to customers wrestling with the myriad challenges that have arisen from the accelerated digital transformations of the past several months.

Log in credentials for customers of online brokerages are for sale on the dark web and have led to a spate of accounts being drained of funds. Affected customers of Robinhood complain that the company has been slow to react to complaints that unauthorized transactions are taking place and note that the company cannot be contacted by phone. The difficulty reaching the company has frustrated users who are attempting to regain control of their accounts.

CMA-CGA announced online services are now functional again, two weeks after the world’s fourth largest shipper suffered a ransomware attack that paralyzed web-based services and prompted a shutdown of parts of the internal corporate network.

While the cyber insurance market has been growing rapidly with estimated annual premiums of more than $5B, structural issues may slow or stall growth in the near term if losses begin to exceed premiums. Around 50 companies are reported to have cyber insurance in excess of $500m, and to collectively pay an estimated $250m in premiums. Approximately 200 companies are reported to have cyber insurance policies covering between $200m—$499m, and collectively pay an estimated $900m in premium.

Two security flaws in Microsoft’s Azure App Services could have enabled a hacker to exploit two vulnerabilities—including taking over the administration server—according to a new report by Interzer. The flaws were reported to Microsoft in June and subsequently addressed by the company.

The Europol ‘Internet Organized Crime Threat Assessment (IOCTA) 2020’ report calls Ransomware the most dominant cyber threat facing organizations, and points out that the reluctance of many victims to report attacks due to a desire to avoid reputational damage is causing difficulty for authorities to both accurately measure the scale of the threat, as well as to identify, investigate and respond effectively to breaches. Europol also highlights the significant vulnerabilities posed to supply chains by attacks on third-party service providers, and that these companies feel under particular pressure to avoid operational disruptions that would ripple across their customer network.

A recent survey from Claroty, a global leader in operational technology (OT) security, sums up the current situation with the continued merging of OT and IT: “Legacy OT devices—never designed for Internet connectivity—are now connected, the attack surface has expanded, and opportunistic adversaries are stepping up attacks. It’s become extremely clear that security is a foundational component of digital transformation.” Two statistics from the survey released this week of IT and OT security professionals at large enterprises stand out: Greater convergence of OT/IT since pandemic: 67% believe OT and IT have become more connected since the pandemic Not a question of ‘if’ but ‘how much’: 51.27% of respondents indicated their OT and IT are completely interconnected versus 2.55% that indicated ‘not at all/siloed"

Microsoft’s ‘Digital Defense Report September 2020’-some of which we discussed last week, provides many insights into the state of cybersecurity which Cyberhedge will continue to highlight in the coming weeks. One key finding: most breaches are successful due to poor basic cyber hygiene within the organization.

French shipping giant CMA CGM, the world’s fourth largest shipping company, announced it was hit by a ransomware attack on September 28th. The attack reportedly paralyzed much of its global IT infrastructure. Although the company has indicated that operations have not been adversely impacted, as of today the company’s e-commerce website is still not fully operational.

Technology and the COVID‑19 pandemic are combining to rapidly transform the beauty industry. Artificial Intelligence (AI) and Augmented Reality (AR) allow a degree of personalization that is helping offset the loss of in-person product sampling that has long been a cornerstone of the cosmetics industry. Imaging and analysis technologies can detect issues such as skin oiliness, wrinkles and dark spots in a way that previously could only be done face to face.

The lack of basic security hygiene is a key reason companies (and governments) continue to experience breaches, according to the annual Microsoft Digital Defense Report. In practical terms, “over 70% of human-operated ransomware attacks in the past year originated with Remote Desktop Protocol (RDP) brute force.” In other words, most ransomware attacks conducted by people (rather than machines) are targeting technology that is essential in this work-from-home era.

A Tessian survey of 250 IT leaders and 2,000 working professionals in the US and UK conducted in August revealed that 1/3 of employees will not consider working for a company that does not offer remote working, and only 11% replied that they want to work exclusively in an office post-pandemic. 75% of IT leaders agree that permanent remote or ‘hybrid’ work will become the norm post-pandemic, and 85% report that this will increase pressure on their and their team’s abilities to secure IT systems.

Billion-dollar eyewear giant EssilorLuxottica (EL) has reportedly suffered a ransomware attack that led to the shutdown of operations in Italy and China last week. It appears to have disrupted web-based commerce sites like Ray-ban and LensCrafters.

A cyber risk security assessment of Fortune 100 Company executives conducted by PiiQ Media found a significant amount of exposed Personal Identifying Information (PII) including email, relationship and password information on social media platforms. This information gives attackers valuable intelligence that they can use to craft sophisticated spear phishing attacks, which account for more than 80% of reported breach incidents.

Credit card affiliations at airline loyalty programs provide a significant revenue contribution to the airlines and have grown sharply during the COVID‑19 disruptions. Delta Air Lines received $4.1B in 2019 (approx. 9% of Group revenue) from their co-branded credit card program with American Express, up from $1.7B in 2012. Revenue from this program has been relatively stable in 1H20 (down only 5% from 1H19) as consumer spending using Delta-branded AmEx cards has been uncorrelated with the collapse in air travel. As a result of this stable credit card related revenue while airline ticket sales have collapsed, credit card affiliation revenue was well over 50% of Group revenue in 2Q20. United Airlines recent disclosures reveal that its credit card loyalty program is also a significant source of revenue.

The Big Four released a set of metrics today for companies to use for environmental, social and governance reporting internationally. It includes 21 core and 34 expanded metrics and disclosures ranging from climate change and nature loss to dignity and equality.

With the continued growth of ransomware in 2020, we revisit a ransomware article from Sentinel One. The piece outlines 6 key ways ransomware inflicts economic pain on companies in pointing out that the payment is often the headline but not the full cost: The payment; Indirect costs: costs of business interruption associated with a ransomware attack; Reputational loss; Liability: clients impacted by attacks seek compensation from breached company; Collateral damage; Data loss.

As retail has been disrupted nearly as much as any sector in the wake of COVID‑19, there are some clear lessons learned on how the landscape has dramatically shifted. Companies that were executing well on digital strategies have outperformed while those that weren’t have not only underperformed but many are no longer in business.

The US Department of Energy is expected to release detailed proposals by the end of September limiting the use of foreign equipment in the US power grid. These follow a May 1, 2020 Executive Order by President Trump ordering a ban on the use of utility infrastructure manufactured by ‘foreign adversaries’ due to the risk they pose to the power grid’s cybersecurity. Complying with the order will be complex due to the current reliance on foreign suppliers as well as global supply chains which stretch across many countries. In addition, vendor lists for utilities often number in the hundreds or even thousands and ensuring each one is in compliance will be a time consuming—and expensive—task.

Despite investing hundreds of millions of dollars in the years leading up to the pandemic, a WSJ piece posits that the largest grocer in America still wasn’t prepared to fully capitalize on the dramatic digital shift as well as some competitors. Despite investments in things ranging from remote fulfillment centers and self-driving robot delivery, Kroger wasn’t able to meet the spike in online grocery demands from customers.

A pre-COVID-19 global survey of CEOs and CISOs conducted by WSJ Intelligence found large differences in focus, strategy and planning between more cybersecurity focused executives—labeled ‘Leaders’—and those less focused on cyber. ‘Leaders’ are much more likely to report (88%) that cybersecurity is the top priority risk factor facing the organization. 76% of the ‘Leaders’ review and update their cybersecurity strategy on an ongoing basis, compared with only 46% of other executives. Unsurprisingly, 82% of these ‘Leaders’ report that their BoD’s recognize that ‘Cybersecurity is critical and are fully engaged with it as part of a key business strategy’. This is compared to only 39% of the ‘non-Leaders’ who say the same about their BoD. And 88% of ‘Leaders’ report deriving excellent value from cybersecurity spending. Another critical difference is that ‘non-Leader’ CEOs and CISOs highest concern over the next 3-5 years is identity theft, while ‘Leaders’ are far more concerned with malware-type breaches like ransomware.

$67bn data center giant Equinix was hit by a ransomware attack last week, the latest example of the vulnerabilities facing critical digital infrastructure in 2020. Per a company statement on 13 September: “At this time, our investigation is centered on information related to our internal business. The incident continues to have no impact on our customers’ operations or the data on their equipment at Equinix.”

Cybersecurity insurer Coalition’s 1H20 Cyber Insurance Claims Report details a dramatic increase in the cost of cyber breaches in 2020, driven by a big increase in the costs of Ransomware attacks. Coalition reports that Ransomware claims were on average 2.5x as costly as other breaches, and that the average ransom demand increased by 100% in 1Q20 from 2019, and another 47% from Q1 to Q2 2020 to an average $338,669.

Researchers have found 6 critical vulnerabilities in a third-party provider to leading industrial control systems (ICS) providers including Rockwell Automation and Siemens.

For the third consecutive year, EY analyzed cybersecurity-related disclosures by companies by examining proxy statements and 10-K filings. This year’s study of 76 Fortune 100 companies over the time period from 2018 through May 31,2010 found modest increases in disclosures — most significantly in the area of BoD oversight — but a continued lack of disclosures related to cyber-readiness simulations and the use of independent third-party advisors. Only 7% of companies disclose engaging in cyber-readiness simulations, and only 16% disclosed using external independent advisors.

A new Gartner survey finds that CEOs will be increasingly personally responsible for breaches due to what it refers to as the growing “Cyber-Physical System (CPS)” attacks anticipated by 2024. This refers to the risks emerging from the fast merging of operational technology (OT) and IT.

Cloud security organization Bitglass released the 2020 Insider Threat Report, a survey of IT and security professionals about the challenges facing organizations from this ‘inside’ vector.

A newly released report on the cloud security from the Carnegie Endowment for International Peace includes some notable findings on the thing now underpinning how companies operate: By 2020, the overall cloud services market is expected to be $266.4 billion, a 17 percent increase compared to 2019 (Gartner). In reference to a number of breach cases impacting market leaders like Azure, AWS and Google Cloud, “cloud security thus far is a series of potential catastrophes narrowly averted”.

A cyber threat report by network security company Sonicwall that analyzed threat intelligence data from 1.1m sensors in 215 countries found that ransomware attacks have increased by 20% globally in the 1H2020 over 1H2019 (121.4m attack events) and by 109% in the US (79.9m attacks). Malware attacks fell by 24% over the same time period. Phishing scams based around COVID-19 themes, and exploits targeting the remote work environment were a notable feature. For example, there was a 176% increase in malware attacks disguised as Microsoft Office files, and a 50% increase in IoT malware attacks, as attackers used these ‘smart home’ devices as a vector to penetrate corporate networks.

A Tesla employee prevented an alleged ransomware attack on the company earlier this month, according to an unsealed criminal complaint from the FBI. According to the complaint, the alleged criminal, Egor Igorevich Kriuchkov, attempted to recruit the Tesla employee outside Reno where the “Gigafactory” manufacturing facility is located. CEO Elon Musk referred to the attack as “serious” on Twitter.

The New Zealand stock exchange (NZX) halted trading operations for the final hour of trading on Tuesday, and then most of the trading day Wednesday, Thursday and again Friday morning due to distributed denial of service (DDoS) attacks which ‘impacted network connectivity’. The exchange reported that the attacks came ‘from offshore via its network service provider’, and it is unclear when trading operations will return to normal. An alert had been issued last November by New Zealand based cybersecurity firm CertNZ that financial firms had received emails threatening them with DDoS attacks if they did not pay a ransom.

A recent Microsoft survey of business leaders from India, Germany, the UK and US provided a picture of how corporates anticipate the pandemic could impact cyber security over the long term. While a majority of leaders (58%) are increasing security budgets, with some of the largest increases on a regional basis seen in the US and Germany, 81% felt pressure to reduce overall security costs. The additional spend is being put towards additional security staff first and foremost, and increased outsourcing. There is also clear evidence of a shift in the security mentality of organizations as 94% of respondents indicated they are accelerating adoption of ‘Zero Trust’ — the security concept and architecture that dictates that anything inside or outside a corporate IT network cannot be trusted and must be verified.

Publisher Pearson announced that Andy Bird, the former head of Walt Disney’s international business, will be its new CEO. Pearson has been struggling with the transition from the shrinking traditional media and textbook market to the new era of digital products and services, and its share price has fallen by more than half during the 7-year tenure of outgoing CEO John Fallon. In its hiring process, Pearson specifically focused on finding a candidate with strong digital transformation credentials, in addition to the ability to lead the company’s shift from B2B to B2C. Pearson Chairman Sidney Taurel highlighted Mr. Bird’s advocacy and experience moving Disney to streaming—a successful digital transformation which is driving Disney today—as a key reason for this choice.

A study by the CFA Institute examining the integration of ESG issues into investment portfolios found that while investors believe that ESG impacts share prices, only 19% of equity analysts ‘often or always’ include material ESG issues into their analysis, while a further 52% ‘sometimes’ do.

US wines and spirits company Brown-Forman suffered a ransomware attack this week. Though unconfirmed, REvil is believed to be responsible, a criminal enterprise which is also responsible for the Travelex attack that sent that company into administration. Per a company statement, “our quick actions upon discovering the attack prevented our systems from being encrypted.”

The Harvard Business Review study of research into the impact of data breach incidences on stock prices highlights ‘two key pieces of advice: 1) Lead with what you did right to prepare for this eventuality, and 2) then pivot to how you’re going to improve even more.’ They conclude that these measures limit the damage to the breached company’s stock price.

A Forrester report of mid-to-large size companies taken in April 2020 illustrates that C-suites continue to grapple with cyber security, both the threat environment as well as how to properly measure and align their cyber security strategies with business risk.

A new report from Trend Micro concludes based on years of analysis that fundamental design flaws have created serious cyber vulnerabilities in many widely used industrial products.

A survey by AT&T of 800 cybersecurity professionals in the UK, France and Germany (ostensibly about how the pandemic is affecting corporates cybersecurity posture) indicated that 48% of large businesses (more than 5,000 employees) will change their technology partners in the next year.

Two recent pieces of consumer goods companies—Kuerig Dr. Pepper and Target—outline how digital transformation is changing the way they operate and seek to expand margins and make profit.

Studies by Verizon and IT security providers Accurics and Orca all argue that Cloud misconfigurations are the greatest threat to organizations, with Accurics finding that misconfigurations exist in 93% of the cloud deployments that it analyzed. Orca found that greater than 80% of organizations ‘have at least one public-facing workload running on an unsupported operating system or one that hasn’t been patched for at least 180 days’, which was a key factor in the 2017 Equifax breach. Orca also found that 25% of the companies it studied did not use multi-factor authentication to protect cloud accounts with root or super administrative access.

Rubrik, a leading data center backup and recovery provider, recently released a report analyzing the best approaches to managing the financial cost of ransomware. It contends that one reason the financial cost of operational disruptions is so high is because most of the focus and resources are placed on prevention rather than recovery. The report claims that a ‘belt and braces’ approach—one that ensures back-ups cannot also be easily compromised when core IT infrastructure is impacted—helps limit data loss and operational damage. Yet in 23% of cases, backup data was affected prior to the ransomware attack being identified. 30% of those who had experienced a ransomware attack said that it took days to recover.

UK fast fashion retailer Boohoo saw its share price fall by 1/3 following allegations that workers in its UK supply chain were being paid 3.50 GBP per hour. The Financial Times notes that 20 ‘sustainable funds’ hold Boohoo shares, and that it was recently the largest holding in the Aberdeen Standard Investment employment opportunities fund, ‘which invests in companies with good employment opportunities and practices’.

Following a reported 62% drop in revenue in Q2, Levi’s is outlining the steps it is taking to accelerate its own digital transformation amid COVID‑19. Steps include investing in online sales growth and direct-to-consumer sales in addition to scaling down physical store growth from the planned 100 this year to 70. CEO Chip Bergh’s comments during the company’s recent earnings call captured this strategy well.

92% of business leaders say digital transformation requires a dual-track approach, according to a report released Wednesday from Harvard Business Review Analytical Services and Quick Base. The primary goals of digital transformation include 1. Increased productivity/efficiency, 2. Enhancing customer satisfaction, 3. Increased revenues/profitability

Garmin confirmed yesterday that a cyberattack that caused widespread disruptions over the past 5 days across its IT network — to website functions, customer support, company communications and customer facing applications — was a ransomware attack. Services are starting to be restored, but questions remain about the extent of the penetration into Garmin’s network, and how the attack was resolved. Garmin is due to report 2Q20 earnings tomorrow (Wednesday, July 29).

Now into the third year of GDPR, questions are being asked about what change it has brought about. This article notes there have been around 340 GDPR fines totaling approximately $180 million over the last two years. However, two of the largest fines amounting to a combined $350 million are still to be confirmed in the coming weeks — British Airways ($229mn) and Marriott ($123mn).

The ‘Psychology of Human Error’ report by Tessian aims to help companies better train employees to prevent mistakes from happening before they turn into breaches.

In the words of one commentator, COVID‑19 has been the final blow for several retailers that were considered ‘the walking wounded’ prior to the pandemic. The two dozen Chapter 11 filings this year have exceeded 2019’s total and show no signs of slowing down as the disruption and uncertainty continues into the second half of the year.

IBM 2Q 2020 earnings are a tale of two business models. Revenue from its cloud-related businesses surged 30% to $6.3b, while overall group revenue declined 5.4% to $18.12b. 2Q net income was $1.36b. Services and Consulting businesses were weak spots as client companies look for cost savings and postpone spending in the wake of COVID‑19, with CFO Kavanaugh noting that “many clients continued to delay projects, defer purchases, and favor opex over capex spending.”

Coverage of last week’s Twitter hack has now shifted towards longstanding security concerns, including internal controls and employee access issues. The company is now under scrutiny from several directions, including the FTC, Congress and the FBI.

The SEC’s Office of Compliance Inspections and Examinations (OCIE) warned of a recent increase in the sophistication of ransomware targeting financial service providers. The OCIE issued guidance on tactics and techniques organizations can use to guard against these attacks, broken down into six key areas: Incident response and resiliency policies, procedures and plans, Operational resiliency, Awareness and training programs, Vulnerability scanning and patch management, Access management, Perimeter Security.

The Honeywell USB Threat Report 2020 called attention to the rising threat facing industrial control systems (operational technology) amid the continued digitization of industrial processes. According to the report, “as the second most prevalent attack vector into industrial control and automation systems, USB devices continue to play an important role in these types of targeted attacks.”

IBM and Ponemon Institute’s fifth annual Cyber Resilient Organization Report surveyed more than 3,400 IT and security professionals globally and found that companies’ ability to contain cyber attacks has declined by 13% over the past several years, due to deficiencies in planning and preparing breach ‘playbooks’, as well as having IT security systems that are too complex.

Citrix has issued patches for 11 CVE-listed security vulnerabilities in its various networking products. This is the third in a series of ‘must patch’ vulnerabilities in recent months for Citrix, and it comes on the heels of a public breach the company announced in March of 2019.

The Financial Times reports that over the first 4 months of 2020, the S&P 500 ESG Index outperformed the normal index by 0.6%, and the MSCI Emerging Markets ESG Index and Asia-focused Asia ESG leaders index outperformed their parent indices by 0.5% and 3.83% respectively. Blackrock also reports outperformance by most ESG indices globally over their non-ESG peers.

Many companies that experience ransomware attacks do not disclose details of the breach to affected parties. IT media company Bleeping Computer reports being contacted by employees of companies that experience a breach seeking information about the event as C-suites keep tight lipped.

DXC Technology, an already struggling IT services provider, was hit by a ransomware attack that has paralyzed part of its business. According to the company, the part of its business impacted was Xchanging, “primarily an insurance managed services business that operates on a standalone basis.” As of July 5th, DXC indicated it was confident the damage was confined to this part of the business.

Research by data recovery specialist Ontrack of 484 organizations reveals that 39% either do not have a ransomware strategy, or are unaware if they have one, and 29% report they would not be able to access any working backups after an attack.

US Cyber Command is warning companies to immediately implement a critical patch for a potentially devastating security vulnerability in a number of Palo Alto Network products. Affected products include its firewall and VPN application, in wider use since the onset of work from home in March. According to the alert, the vulnerability is related to the company’s Security Assertion Markup Language. If exploited under certain conditions, it could allow a hacker access to a corporate network with administrator-level access without requiring the administrator’s login information.

The Thales 2020 Access Management Index Survey of 300 IT security professionals in the US and Brazil found a huge shift in how ‘easy’ or ‘difficult’ it is for IT departments to sell company Boards on the need for increased IT security resources. In last year’s survey, 44% reported that this was an ‘easy’ sell, while 33% reported it was ‘difficult’. This year, 65% report that it is an ‘easy’ sell, while only 16% report that it is ‘difficult’. 20% report that it is ‘Neither easy nor difficult’.

Swiss Re, the world’s second largest reinsurer, has called for companies to release ‘cyber resilience’ reports, saying there needs to be more transparency into how prepared they are to defend against attacks. The company indicates that in the wake of COVID‑19, there will be greater pressure on companies to demonstrate how resilient they are in the face of increasing risks.

IBM Security Work from Home survey of more than 2,000 newly remote work employees in the US reveals unpreparedness for remote work, and also provides a picture of companies slow to implement new training in response to this increased threat environment.

GDPR, billed as landmark regulation two years ago when it was first passed, has placed an undue burden on small and medium-sized businesses, while some rules have proven difficult to implement according to an official report released today. Although there were nearly 800 administrative fines imposed between May 2018 and November 2019, the only significant fine levied against a large technology company (and by far the largest) was the €50m fine against Google in France in 2019.

Insurer Hiscox’s Cyber Readiness Report 2020 surveyed 5,569 cyber security professionals from the US, UK, Belgium, France, Germany, the Netherlands, Spain and Ireland.

Cognizant, one of the world’s largest IT outsourcing companies, disclosed this spring that cybercriminals “exfiltrated” data related to employees’ corporate credit cards among other personal data including Social Security numbers, tax IDs, financial account information, and driver’s license and passport details.

The US Cyber Solarium Commission’s recently released white paper, Cybersecurity Lessons from the Pandemic draws parallels between the disruptions of the pandemic and the disruptions the US would experience during a significant cyber attack.

L’Oreal, the largest cosmetics company in the world, has seen a huge increase in digital engagement and online sales during the COVID-19 shutdowns, and expects these trends to stick and even increase in the coming years. Echoing other companies that have seen a similar acceleration due to the pandemic on their digital initiatives, Chief Digital Officer Lubomira Rochet remarked: “In ecommerce, we achieved in eight weeks what it would have otherwise taken us three years to do.”

Australia and New Zealand’s largest drinks manufacturer, Lion, was hit by a ransomware attack on June 9th. As of Monday June 15th, systems were still ‘partially down’. Per Lion: “Our investigations have shown that a partial IT system outage at Lion is a result of a ransomware attack. In response, we immediately shut down key systems as a precaution. We have made good progress, however there is still some way to go before we can resume our normal manufacturing operations and customer service.”

Zara owner Inditex reported that it will permanently close 16% of its global outlets (1,200 stores) by the end of 2021 and shift towards a strategy more focused on online sales. This trend of increasing online sales was already growing pre-COVID‑19, but has accelerated due to the pandemic. Inditex’ online sales increased 95% in April, and the company estimates that online sales will account for more than 25% of total sales by 2022, up from 14% in 2019. Inditex will spend 1b euros on digital investments over the next three years to support its online sales efforts. Most of the store closures will take place in Europe and Asia.

A ransomware attack disrupted Honda’s global operations on Monday, and is suspected to have penetrated the company’s corporate network. This comes at a time when Honda was just getting operations back to fuller capacity after the Covid-19 driven complete suspension at major facilities, and while it is struggling with a drop in auto and motorcycle sales in every major market. Honda staff were advised not to access their work computers on Monday, and to take paid leave on Tuesday if possible.

An April survey commissioned by CyberArk of 3,000 remote office workers and IT professionals in the United States, UK, France and Germany found that 77 percent of remote employees are using unmanaged, insecure devices to access corporate systems, and 29 percent are letting other household members use their corporate devices for personal activities such as gaming, shopping and schoolwork. 40 percent of IT teams have not increased security protocols despite the massive transition to remote work, but despite this 94 percent of these IT teams are confident that they can secure their new remote workforce.

ECB President Christine Lagarde’s comments to the Committee on Economic and Monetary Affairs of the European Parliament positioned digital transformation as an important priority for Europe’s economic recovery effort. Lagarde: “Another key dimension is the digital transformation. Here, the recent lockdowns have accelerated the adoption of digital technologies on a broader basis. Now is the time to expedite the digital transformation on a more permanent basis and bring the EU to the frontier of the digital economy.”

Industrial companies are greatly increasing their use of data management tools both as a response to Covid-19 workforce reduction issues, and due to the productivity improvements good data monitoring, analysis and control can provide. Annual spending on these tools is forecast to increase from $5b/year today to $20b/year by 2026. Meanwhile, Kaspersky detailed a series of attacks in Japan, Italy, Germany and the UK which targeted suppliers of equipment and software for industrial companies.

The EU is planning to unveil the Digital Services Act at the end of the year, a major piece of legislation to overhaul rules surrounding data and digital services. The EU has invited interested parties to submit comments by September 8, and the European Commission is targeting a December deadline for the draft law.

The Norwegian Investment Fund, the world’s largest sovereign with over $1 trillion in assets, was the victim of a months-long cyber breach that resulted in a reported $10mn in losses. According to Norges, the breach was the result of a business email compromise.

Chairman Clayton warned that combining environmental, social and governance metrics into a single ESG rating is an imprecise way of rating companies, and that asset managers should think carefully about how they use these metrics. There are 307 ‘Sustainable funds’ in the US with $119.3 billion assets under management as of the end of March 2020.

Macy’s announced a $1.1 billion bond sale to help shore-up the struggling retailers balance sheet as it navigates the COVID‑19 shutdown. The fresh injection of capital is needed to pay down short term debt maturing in January 2021 and fund operations in the immediate term.

Data from 30m McAfee MVISION Cloud users worldwide between January and April 2020 show external attacks by hackers on companies’ cloud-based systems have increased 630 percent following the mass migration to work from home. Overall enterprise use of cloud services has increased by 50 percent over the same time period. Use of Cisco Webex has increased 600 percent, Zoom by 350 percent, Microsoft Teams by 300 percent and Slack by 200 percent. Attacks by ‘insider threat’ categories (i. e. employees working from home) have remained the same, indicating that employees do not ‘attempt to steal more data because they are working from home’.

A WSJ article chronicled how HTZ was struggling long before COVID‑19, including reference to its belated digital shift relative to peers and repeated missteps with regard to its digital strategy. This reportedly included adverse impacts on fleet management while it cycled through four CEOs in less than 10 years.

A survey of 2,000 consumers in North America, UK, France and Germany reported that 37 percent will switch to a competitor company if systems are not back online within 24 hours of a ransomware attack operational disruption, and 66 percent will turn to a competitor if systems are not restored within 3 days. 59 percent would ‘likely avoid doing business with an organization that had experienced a cyberattack in the past year’, and more than 80 percent reported sharing their negative ransomware-related experience with family, friends and colleagues.

British low-cost carrier EasyJet (EZJ) disclosed a customer data breach that the company says impacted 9 million customers. A majority of the data stolen was reportedly email and physical addresses, but a smaller percentage of customers reportedly had credit card details stolen. EZJ first became aware of the breach in January.

Companies are struggling with increasing compliance burdens that are taking up significant portions of corporate IT budgets and time. 51 percent of respondents report that compliance requirements take up 20,000 hours of resources annually. In addition, 58 percent of companies report that compliance requirements are a barrier to entering new markets. 70 percent say they must manage at least five different compliance projects at any given time, while 7 percent work on 50 or more projects at any given time.

A NYT Times story explains how the fall of two retail giants—J. Crew and Neiman Marcus stemmed not only from the pandemic but also from the involvement of private equity firms and the financial over-engineering they deployed. The longstanding weaknesses of some traditional bricks and mortar retailers which include belated or poorly executed digital strategies are also directly related to an inability to make big investments due to being overleveraged. These weaknesses were further exposed by the pandemic, resulting in the recent bankruptcy filings.

Vulnerabilities in SaltStack software were used as a vector to infect cloud servers with malware or other exploits, with over 6,000 master servers reportedly infected and directly exposed to the internet according to the company, allowing them to be breached. The vulnerabilities were discovered about two weeks ago, and several networks have already reported that they have been breached and had cryptocurrency mining malware deployed onto their servers. More damaging attacks such as data theft and ransomware are possible. A patch is now available for the vulnerability.

Pitney Bowes Inc. (PBI) experienced a second ransomware attack in seven months on May 4th. The ransomware gang Maze claimed to have breached and encrypted the company’s network. The incident was confirmed by PBI in a statement: “Recently, we detected a security incident related to a ransomware attack. We are investigating the scope of the attack, specifically the type of data that had been accessed, which appears to be limited.” PBI is working with its security partner IBM Iris to complete forensic analysis on the attack.

Citing a recent report by market research firm Canalys, the WSJ depicts a mixed picture on market-wide digital transformation prospects. Though Microsoft’s year-on-year enterprise cloud growth grabbed headlines, also included in results was the company’s admission that multi-year licensing deals were slow to complete in the final weeks of the quarter —just as the COVID‑19-induced slowdown was taking hold. Some analysts see a positive long-term trend towards digital being brought forward by the pandemic. Others see a slowdown in IT spend and longer-term licensing commitments and investment in cloud initiatives like further AI adoption in the short term as companies scramble to cut costs.

A survey by Barracuda of over 1,000 business decision makers in the UK, US, France and Germany reveals significant cyber security deterioration from the recent sudden shift to remote working. 51 percent have seen an increase in email fishing attacks, 51 percent say their workforce is not proficient or properly trained in the cyber risks associated with remote working, 46 percent are not confident that their web applications are secure, 50 percent allow employees to use personal email addresses and personal devices to conduct company work, 49 percent fully expect to see a data breach or cybersecurity incident in the next month due to remote working. Despite this clear increase in the threat surface, 40 percent of the companies have cut their cybersecurity budgets as part of COVID‑19 cost saving measures.

Tarkett reports that a cyber attack ‘has affected part of its operations since April 29 despite the IT security measures implemented by the group’, and that it has shut down its IT systems and implemented ‘necessary preventive measures to protect its operations as well as the data of its employees, customers and partners.’

Fitch expects COVID‑19 related economic impacts to test the growing cyber insurance market due to risks around cloud-related breaches and other operational disruptions that could result in capital constraints and impact ratings.

“We’ve seen two years’ worth of digital transformation in two months. From remote teamwork and learning, to sales and customer service, to critical cloud infrastructure and security—we are working alongside customers every day to help them adapt and stay open for business in a world of remote everything,” said Satya Nadella, chief executive officer of Microsoft on the announcement of strong Q3 results today.

Travelex announced that it is seeking offers and that interested parties should contact PricewaterhouseCoopers. Travelex’s business was severely impacted by its December 2019 cyber breach, which put the company in a very difficult financial position even before COVID‑19 disruptions hit.

A WSJ report outlined how increased cyber risks amid COVID‑19 are posing increased challenges for M&A transactions globally.

A survey of 2,000 remote workers in the UK reveals that two-thirds have not received cybersecurity training over the past year, and 61 percent said they were using personal devices to work remotely instead of corporate-issued devices. Despite these shortcomings, 77 percent reported that they are not worried about security while working from home.

A recently published Trustwave report looking at cybercrime globally found that far and away the most common environment breached is corporate and internal IT networks (54%), followed by ecommerce (22%) and the cloud (20%). In the thousands of incidents studied, the report found that 50% of breaches across all environments stemmed from phishing and social engineering.

Data stolen from Italy’s Unicredit allegedly came via a cyber breach into a company contracted by Unicredit to provide HR services. The data went on sale April 19, and reportedly includes employee names, email addresses, phone numbers and encrypted passwords. Telecom Italia unit Telsy reported that “the database appears to be genuine and the potential result of a SQL injection attack”.

Leading managed IT service provider Cognizant announced a Maze ransomware attack on Friday. Per Cognizant: “Cognizant can confirm that a security incident involving our internal systems, and causing service disruptions for some of our clients, is the result of a Maze ransomware attack. Our internal security teams, supplemented by leading cyber defense firms, are actively taking steps to contain this incident. Cognizant has also engaged with the appropriate law enforcement authorities.”

This bipartisan, blue-ribbon commission, which is composed of top officials from across the US government and private sector, was established to create a comprehensive top-levelframework for cyber security and better prepare both the public and private sector to deal with cyber threats.

Zurich Insurance outlined how companies can defend against ransomware at a time when cyber vulnerabilities have increased amidst the COVID‑19-induced shift to remote work. The approach leverages the NIST framework, widely seen as the global standard for improving cyber defense.

MSC reported Friday that a network outage is affecting systems at its Geneva headquarters, and that a cyber attack might be responsible. As of Tuesday 16:00 GMT, the MSC website is still down and the company has released very little new information. General operations appear not to be widely impacted yet, but precedent shows that an operational disruption can be extremely value destructive to a company like MSC.

According to a Wall Street Journal piece, 5G will transform supply chains, in part by cutting waste, better predicting consumer demand, and being able to adjust to market and operational shifts in real time. The gamechanger between 4G and 5G lies in the number of devices that can live on a single connection. By some estimates, 5G is 10 times faster than 4G. This enables more data to be analyzed more quickly and in much greater detail than was possible before.

At a hearing on March 4 before the U. S. Senate Judiciary Committee, Department of Justice (DoJ) Deputy Assistant Attorney General for National Asset Protection in the National Security Division Adam Hickey called upon Congress to enact legislation that would create a uniform nationwide data breach disclosure law and include a requirement that companies report breaches not just to customers but also to law enforcement.

Ransomware attacks on the healthcare industry continue at the same frequency as before COVID‑19, despite recent promises by some hacker groups to avoid targeting the industry during the current crisis.

A Wall Street Journal article outlined the accelerated pace of corporate bond downgrades amidst the COVID‑19 pandemic and economic crisis. It has been the swiftest pace of downgrades on record over the last two weeks. Ford was the latest big name to be downgraded to junk, while approximately $90bn of debt was downgraded in March, and some estimate the number to reach $200bn this year.

VPN Mentor’s research team discovered a breached database at Cloud backup provider SOS Online Backup that contained more than 135m records. While this information apparently did not fall into malevolent hands, the incident highlights cybersecurity risks posed by the use of third-party service providers.

As Zoom’s popularity has exponentially increased in recent weeks due to the mass migration to remote work, reports on security flaws continue to trickle out. Former NSA hacker Patrick Wardle shared with TechCruch two new security flaws that can be exploited to grant hackers physical control of a victim’s computer. Malicious code can be injected into a computer via a Zoom installer to gain root access—the highest level of user privileges.

Enterprise use of VPNs has increased by 33 percent, and use of Remote Desktop Protocols (RDP) has increased by about 40 percent over the past month as companies respond to COVID‑19 by having employees work from home. These systems increase the risk of a breach of company IT systems as they are inherently less protected than onsite systems and as employees use external access systems that they are less familiar with.

Macy’s announced it is furloughing a majority of its 130,000 staff globally in the midst of the COVID‑19 crisis that has ground brick-and-mortar retail to a halt. Staff that remain will maintain e-commerce, distribution, and call centers operations.

Specialty insurer Beazley reports that ransomware attacks are rapidly increasing and that the dollar value of individual ransom demands is also increasing. Beazley’s analysis and key findings are in line with Cyberhedge findings that most breaches are relatively unsophisticated and the result of poor cyber governance and hygiene by employees. Strengthening employee training is both relatively low-cost and the most effective step that most companies can take to improve their cybersecurity. Beazley also highlights two additional key Cyberhedge findings: 1. that vendors are increasingly becoming a breach vector into companies and 2. that the dramatic increase in COVID‑19‑related remote access into company IT networks has increased companies’ cyber threat surfaces.

Cybersecurity company FireEye outlined successful attacks by a Chinese group called APT 41 against Citrix and Cisco equipment in the first two months of 2020, targeting more than 75 FireEye customers, including manufacturers, media companies, and healthcare organizations. It appears that APT 41 accelerated efforts by exploiting software vulnerabilities in both companies, issues both Citrix and Cisco indicated they fixed.

GE disclosed that personal information for a number of current and former employees was exposed in a security breach that took place between February 3-14 at Canon Business Process Services, one of its service providers. While the breach did not occur in GE’s systems, according to the legal filing, the case highlights a common supply chain risk: cyber governance extends beyond company networks and includes regimes of counterparties.

A recent article in the Financial Times highlighted the continued emergence of ransomware and the targeting of large financial institutions, an issue illustrated by the devastating attack on Travelex and the growth of cyber insurance as a mitigation measure for companies. Large insurers point to the significant increase in the sums attackers are demanding and disputing the claim that having cyber insurance to cover such incidents makes companies more of a target.

The unprecedented challenges posed by the COVID‑19 outbreak extend to securing companies’ IT networks, and this event may be the biggest cybersecurity threat ever. Threat surfaces are also increasing dramatically as large numbers of workers are forced to work from home, often with systems and procedures that are different from those they are trained on and familiar with in their workplace.

A new EY Board Survey has identified “technology disruption” as the number one strategic opportunity for organizations. The survey reveals that 48 percent of boards believe data breaches and cyber attacks will “more than moderately” impact the business in the next 12 months. However, only 36 percent of respondents in the survey indicated cybersecurity is a priority in the planning phase of any new business initiative.

A recent study claims that ransomware attacks have increased 350 percent in the past year. This mirrors other reports, including one by Blackberry Cylance, outlining a similar upsurge in such attacks against the healthcare sector across the U. S. and Europe. In December 2019, Cylance disclosed findings related to Zeppelin Ransomware-as-a-Service (RaaS), which targeted IT vendors and healthcare providers.

UK-based Informa (INF), the world’s largest events and exhibitions business, reported generally positive FY19 results in terms of revenue, earnings, and growth, including what Informa leadership describes as a “secure balance sheet”. But, more important is the storm brought about by coronavirus that is facing the events-focused business and the impact this may have on the company’s already-poor cyber governance. In its earnings call, the company described strong headwinds from coronavirus and possible uncertainties around the larger disruption over the course of 2020. Indeed, INF has already taken a £450mn revenue hit as a result of postponing and cancelling 100 events.

Walgreens notified customers last month of a personal data breach that occurred in January stemming from its mobile app. The company indicated that it took steps to remedy the problem once discovered, but that health information for a “small percentage of the total users who were affected” was leaked.

In a mandatory filing with the California attorney general this week, J. Crew Group, Inc. disclosed a breach of customer accounts dating back to April 2019.

Key findings from a study on smart factories by Deloitte and the Manufacturers Alliance for Productivity and Innovation (MAPI) include: 25 percent of manufacturers surveyed have not performed a cyber risk assessment in the past year, meaning these manufacturers likely do not have visibility into the impact of a cyber-related operational disruption; 48 percent of manufacturers surveyed identified operational risks, which include cybersecurity, as the greatest danger to smart factory initiatives; 40 percent of manufacturers surveyed indicated that their operations were affected by a cyber incident in the past 12 months; Management of information technology (IT) is often out of sync with operational technology (OT) management, creating additional vulnerabilities many companies are unaware of; OT is typically managed by engineering, automation, and operations rather than IT; There is generally no single team responsible for all OT systems and underlying security; Traditional application of security controls, such as patching or vulnerability scanning, needs to be adapted to new environment.

Visser Precision, a parts supplier to automotive, defense, and aeronautics companies, reported a data theft incident, according to a Tech Crunch article.

ISS World, a Danish workplace experience and facility management company, was hit by a malware attack on February 17, 2020. As a precautionary measure, they immediately disabled access to shared IT services across company sites and countries.

Macy’s Inc.’s (M’s) Q4 and FY19 results marked a continued slide for the brick-and-mortar retailer amidst an attempted turnaround.

Hertz (HTZ) announced Q419 and FY19 results on February 24, reporting quarterly sales of $2.326 billion, which missed the analyst consensus estimate of $2.34 billion. The company ended the fourth quarter with cash and cash equivalents of $865 million, compared to $1.13 billion at the end of 2018. Total debt as of year-end amounted to $17.09 billion, compared to $16.32 billion as of Dec 31, 2018. As of February 25, the stock was down approximately 15 percent post-earnings.

Citrix—one of the world’s largest networking and remote access technology companies—announced malicious hackers inside its networks for five months between 2018 and 2019. This comes almost a year after the breach of its network was announced following an FBI alert.

The personal details of more than 10.6 million MGM Resorts International (MGM) guests were published on a hacking forum last week.

This month, the Department of the Navy (DON) released a report, Information Superiority Vision, that outlines an acceleration of the military branch’s digital transformation. The report highlights the need for a comprehensive overhaul of the department’s systems and cyber posture to better defend against attacks.

More than 41.4 million patient records were compromised by 572 healthcare data breaches in 2019, according to a study of data provided by the U. S. Department of Health and Human Services, the media, or other sources. This excludes two breaches of IT vendors servicing dental offices across the country in August and December 2019.

Two stories point to the upside and downside of digital transformation in the energy sector. On the negative side, this week, the U. S. Government Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about its response to a cyberattack affecting control and communication assets on the operational technology (OT) network of a natural gas compression facility. According to the alert, “Impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial Loss of View for human operators.” The victim’s emergency response plan did not specifically consider cyberattacks, and the decision was made to implement a deliberate and controlled shutdown to operations that lasted two days, resulting in a loss of revenue and productivity, after which normal operations resumed.

On Tuesday, S&P lowered its rating for Macy’s from BBB- to BB+—one notch below investment grade—saying it viewed the company’s turnaround plan as necessary, but also a sign that the department-store chain’s “competitive advantage has diminished more than we expected.”

In October 2019, Bayer’s digital agriculture division, The Climate Corporation (Climate Corp), announced a partnership between its FieldView™ digital farming platform and Tillable, a self-described first-of-its-kind digital marketplace connecting farmers and landowners. According to Tillable, it was “created to help landowners receive fair rent and get the insights they need about their farm’s performance, while also helping great farmers build their reputations and expand operations.”

UK-based cyber company Nominet released its CISO Stress Report, attempting to shed light on the burden carried by the person responsible for protecting corporate networks in 2020. The U. S./UK study serves as a follow-on to Nominet’s first couple of reports looking at the role of the CISO, including one on the perspectives of boards. Some well-known facts are confirmed, as well as important current data points on CISO-C-suite dynamics: 88% of CISOs remain moderately or tremendously stressed, 90% of CISOs said they’d take a pay cut if it improved their work-life balance. Most CISOs still lack strong support from rest of C-suite.

U. S. Senator Kirsten Gillibrand (D-NY) introduced legislation to create a Data Protection Agency to, in her words, “bring the protection of your privacy and freedom into the digital age.

$76-billion-dollar retail giant Estée Lauder (EL) suffered a breach of a reported 440 million records, including customer data. The breach resulted from a non-password-protected cloud server. Importantly, it does not appear that any payment information was part of the breach.

According to IBM, cybercrime continues to grow at a significant pace year-over-year (4x increase in 2019 vs. 2018) despite increasing resources and attention placed on security by companies and governments.

European Central Bank (ECB) President Christine Lagarde, citing a report by the European Systemic Risk Board (ESRB), outlined how a successful attack on a major financial institution could quickly create financial instability.

Security researchers at Dragos and Sentinel One believe they have identified a new strain of ransomware designed specifically for industrial control systems (ICS)—systems most commonly associated with being at the core of utility infrastructure. ICS environments are also among the highest-value targets for cybercriminals and nation-state hackers.

A key finding from Cisco’s recently released CISO survey indicated that reducing network complexity is a top priority. CISOs are electing to embark on vendor consolidation, with 86 percent now using 20 vendors or less.

More than 160,000 data breach notifications have been reported across the EU since the GDPR came into force on 25 May 2018, according to a DLA Piper survey. The fines, however, have not proven to have a material impact on large companies as some predicted when the law was enacted.

As of Q319, leading experts like McAfee observed over 100% growth in ransomware attacks globally. FireEye recently identified how threat actors are collaborating in efforts to launch ransomware attacks, a trend that will grow in 2020.

Salesforce. com, Inc. and children’s clothing company Hanna Andersson are facing a federal court lawsuit that is among the first to cite the new California Consumer Data Privacy Act that went into effect in January.

In its preliminary 4Q and full-year 2019 sales results this week, Macy’s (M) announced the closure of 125 stores—about 20% of its physical footprint—over the next three years, as well as 2,000 job cuts. These moves come as the retailer continues to grapple with the rising dominance of e-commerce and shifting preferences of shoppers.

The Pentagon has finalized the long-anticipated cybersecurity standards contractors will have to follow before winning contracts from the Department of Defense (DoD), a new process called the Cybersecurity Maturity Model Certification (CMMC) 1.0, according to Fifth Domain.

An FAA inspector general report outlined how Southwest Airlines failed to prioritize safety, and the Federal Aviation Administration (FAA) did not properly conduct oversight of the airline. The criticizes the agency’s oversight of the carrier as lax, ineffective, and inconsistent, according to a WSJ article.

Boeing (BA) reported its first annual loss since 1997 as 737 MAX costs approach $19 billion. However, shareholder value losses have been far greater, losing about 25% of value since the March 2019 Ethiopian Airlines crash. The company is now in the midst of complicated and potentially costly compensation talks with airline customers like American Airlines. These customers have felt the direct effects of the MAX grounding and believe that BA, not their shareholders, should be on the hook for the crisis.

On January 27, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued examination observations. The document outlines a series of approaches taken by market participants in areas including governance and risk management, access rights and controls, data loss prevention, resiliency, vendor management, and training and awareness.

A WSJ profile of Target CIO Michael McNamara outlined the retail giant’s shift in IT strategy following the damaging 2014 data breach—from outsourcing functions like software development to hiring more in-house technologists, or what the industry refers to as “in-sourcing.”

Citrix—one of the world’s largest networking and remote access technology companies—announced patches for a known vulnerability more than one month after it was announced. It is a $15BN company that more than 400,000 companies, including many of the Fortune 500, rely upon to keep their data safe and networks secure.

In the lead-up to its Annual Meeting a World Economic Forum (WEF) note outlines in some detail the steps that boards and C-suites should take to better tackle cybersecurity risk—a top-five risk in its 2020 Global Risks Report. The report poses the question, beyond the rising damage caused by cyber breaches, what incentives for investment and improved approaches exist? Though an increasing number of market players such as insurers and ratings firms are getting in the fray, “coherence, however, is still missing,” according to WEF.