Daily

With the continued growth of ransomware in 2020, we revisit a ransomware article from Sentinel One. The piece outlines 6 key ways ransomware inflicts economic pain on companies in pointing out that the payment is often the headline but not the full cost: The payment; Indirect costs: costs of business interruption associated with a ransomware attack; Reputational loss; Liability: clients impacted by attacks seek compensation from breached company; Collateral damage; Data loss.

As retail has been disrupted nearly as much as any sector in the wake of COVID‑19, there are some clear lessons learned on how the landscape has dramatically shifted. Companies that were executing well on digital strategies have outperformed while those that weren’t have not only underperformed but many are no longer in business.

The US Department of Energy is expected to release detailed proposals by the end of September limiting the use of foreign equipment in the US power grid. These follow a May 1, 2020 Executive Order by President Trump ordering a ban on the use of utility infrastructure manufactured by ‘foreign adversaries’ due to the risk they pose to the power grid’s cybersecurity. Complying with the order will be complex due to the current reliance on foreign suppliers as well as global supply chains which stretch across many countries. In addition, vendor lists for utilities often number in the hundreds or even thousands and ensuring each one is in compliance will be a time consuming—and expensive—task.

Despite investing hundreds of millions of dollars in the years leading up to the pandemic, a WSJ piece posits that the largest grocer in America still wasn’t prepared to fully capitalize on the dramatic digital shift as well as some competitors. Despite investments in things ranging from remote fulfillment centers and self-driving robot delivery, Kroger wasn’t able to meet the spike in online grocery demands from customers.

A pre-COVID-19 global survey of CEOs and CISOs conducted by WSJ Intelligence found large differences in focus, strategy and planning between more cybersecurity focused executives—labeled ‘Leaders’—and those less focused on cyber. ‘Leaders’ are much more likely to report (88%) that cybersecurity is the top priority risk factor facing the organization. 76% of the ‘Leaders’ review and update their cybersecurity strategy on an ongoing basis, compared with only 46% of other executives. Unsurprisingly, 82% of these ‘Leaders’ report that their BoD’s recognize that ‘Cybersecurity is critical and are fully engaged with it as part of a key business strategy’. This is compared to only 39% of the ‘non-Leaders’ who say the same about their BoD. And 88% of ‘Leaders’ report deriving excellent value from cybersecurity spending. Another critical difference is that ‘non-Leader’ CEOs and CISOs highest concern over the next 3-5 years is identity theft, while ‘Leaders’ are far more concerned with malware-type breaches like ransomware.

$67bn data center giant Equinix was hit by a ransomware attack last week, the latest example of the vulnerabilities facing critical digital infrastructure in 2020. Per a company statement on 13 September: “At this time, our investigation is centered on information related to our internal business. The incident continues to have no impact on our customers’ operations or the data on their equipment at Equinix.”

Cybersecurity insurer Coalition’s 1H20 Cyber Insurance Claims Report details a dramatic increase in the cost of cyber breaches in 2020, driven by a big increase in the costs of Ransomware attacks. Coalition reports that Ransomware claims were on average 2.5x as costly as other breaches, and that the average ransom demand increased by 100% in 1Q20 from 2019, and another 47% from Q1 to Q2 2020 to an average $338,669.

Researchers have found 6 critical vulnerabilities in a third-party provider to leading industrial control systems (ICS) providers including Rockwell Automation and Siemens.

For the third consecutive year, EY analyzed cybersecurity-related disclosures by companies by examining proxy statements and 10-K filings. This year’s study of 76 Fortune 100 companies over the time period from 2018 through May 31,2010 found modest increases in disclosures — most significantly in the area of BoD oversight — but a continued lack of disclosures related to cyber-readiness simulations and the use of independent third-party advisors. Only 7% of companies disclose engaging in cyber-readiness simulations, and only 16% disclosed using external independent advisors.

A new Gartner survey finds that CEOs will be increasingly personally responsible for breaches due to what it refers to as the growing “Cyber-Physical System (CPS)” attacks anticipated by 2024. This refers to the risks emerging from the fast merging of operational technology (OT) and IT.

Cloud security organization Bitglass released the 2020 Insider Threat Report, a survey of IT and security professionals about the challenges facing organizations from this ‘inside’ vector.

A newly released report on the cloud security from the Carnegie Endowment for International Peace includes some notable findings on the thing now underpinning how companies operate: By 2020, the overall cloud services market is expected to be $266.4 billion, a 17 percent increase compared to 2019 (Gartner). In reference to a number of breach cases impacting market leaders like Azure, AWS and Google Cloud, “cloud security thus far is a series of potential catastrophes narrowly averted”.

A cyber threat report by network security company Sonicwall that analyzed threat intelligence data from 1.1m sensors in 215 countries found that ransomware attacks have increased by 20% globally in the 1H2020 over 1H2019 (121.4m attack events) and by 109% in the US (79.9m attacks). Malware attacks fell by 24% over the same time period. Phishing scams based around COVID-19 themes, and exploits targeting the remote work environment were a notable feature. For example, there was a 176% increase in malware attacks disguised as Microsoft Office files, and a 50% increase in IoT malware attacks, as attackers used these ‘smart home’ devices as a vector to penetrate corporate networks.

A Tesla employee prevented an alleged ransomware attack on the company earlier this month, according to an unsealed criminal complaint from the FBI. According to the complaint, the alleged criminal, Egor Igorevich Kriuchkov, attempted to recruit the Tesla employee outside Reno where the “Gigafactory” manufacturing facility is located. CEO Elon Musk referred to the attack as “serious” on Twitter.

The New Zealand stock exchange (NZX) halted trading operations for the final hour of trading on Tuesday, and then most of the trading day Wednesday, Thursday and again Friday morning due to distributed denial of service (DDoS) attacks which ‘impacted network connectivity’. The exchange reported that the attacks came ‘from offshore via its network service provider’, and it is unclear when trading operations will return to normal. An alert had been issued last November by New Zealand based cybersecurity firm CertNZ that financial firms had received emails threatening them with DDoS attacks if they did not pay a ransom.

A recent Microsoft survey of business leaders from India, Germany, the UK and US provided a picture of how corporates anticipate the pandemic could impact cyber security over the long term. While a majority of leaders (58%) are increasing security budgets, with some of the largest increases on a regional basis seen in the US and Germany, 81% felt pressure to reduce overall security costs. The additional spend is being put towards additional security staff first and foremost, and increased outsourcing. There is also clear evidence of a shift in the security mentality of organizations as 94% of respondents indicated they are accelerating adoption of ‘Zero Trust’ — the security concept and architecture that dictates that anything inside or outside a corporate IT network cannot be trusted and must be verified.

Publisher Pearson announced that Andy Bird, the former head of Walt Disney’s international business, will be its new CEO. Pearson has been struggling with the transition from the shrinking traditional media and textbook market to the new era of digital products and services, and its share price has fallen by more than half during the 7-year tenure of outgoing CEO John Fallon. In its hiring process, Pearson specifically focused on finding a candidate with strong digital transformation credentials, in addition to the ability to lead the company’s shift from B2B to B2C. Pearson Chairman Sidney Taurel highlighted Mr. Bird’s advocacy and experience moving Disney to streaming—a successful digital transformation which is driving Disney today—as a key reason for this choice.

A study by the CFA Institute examining the integration of ESG issues into investment portfolios found that while investors believe that ESG impacts share prices, only 19% of equity analysts ‘often or always’ include material ESG issues into their analysis, while a further 52% ‘sometimes’ do.

US wines and spirits company Brown-Forman suffered a ransomware attack this week. Though unconfirmed, REvil is believed to be responsible, a criminal enterprise which is also responsible for the Travelex attack that sent that company into administration. Per a company statement, “our quick actions upon discovering the attack prevented our systems from being encrypted.”

The Harvard Business Review study of research into the impact of data breach incidences on stock prices highlights ‘two key pieces of advice: 1) Lead with what you did right to prepare for this eventuality, and 2) then pivot to how you’re going to improve even more.’ They conclude that these measures limit the damage to the breached company’s stock price.

A Forrester report of mid-to-large size companies taken in April 2020 illustrates that C-suites continue to grapple with cyber security, both the threat environment as well as how to properly measure and align their cyber security strategies with business risk.

A new report from Trend Micro concludes based on years of analysis that fundamental design flaws have created serious cyber vulnerabilities in many widely used industrial products.

A survey by AT&T of 800 cybersecurity professionals in the UK, France and Germany (ostensibly about how the pandemic is affecting corporates cybersecurity posture) indicated that 48% of large businesses (more than 5,000 employees) will change their technology partners in the next year.

Two recent pieces of consumer goods companies—Kuerig Dr. Pepper and Target—outline how digital transformation is changing the way they operate and seek to expand margins and make profit.

Studies by Verizon and IT security providers Accurics and Orca all argue that Cloud misconfigurations are the greatest threat to organizations, with Accurics finding that misconfigurations exist in 93% of the cloud deployments that it analyzed. Orca found that greater than 80% of organizations ‘have at least one public-facing workload running on an unsupported operating system or one that hasn’t been patched for at least 180 days’, which was a key factor in the 2017 Equifax breach. Orca also found that 25% of the companies it studied did not use multi-factor authentication to protect cloud accounts with root or super administrative access.

Rubrik, a leading data center backup and recovery provider, recently released a report analyzing the best approaches to managing the financial cost of ransomware. It contends that one reason the financial cost of operational disruptions is so high is because most of the focus and resources are placed on prevention rather than recovery. The report claims that a ‘belt and braces’ approach—one that ensures back-ups cannot also be easily compromised when core IT infrastructure is impacted—helps limit data loss and operational damage. Yet in 23% of cases, backup data was affected prior to the ransomware attack being identified. 30% of those who had experienced a ransomware attack said that it took days to recover.

UK fast fashion retailer Boohoo saw its share price fall by 1/3 following allegations that workers in its UK supply chain were being paid 3.50 GBP per hour. The Financial Times notes that 20 ‘sustainable funds’ hold Boohoo shares, and that it was recently the largest holding in the Aberdeen Standard Investment employment opportunities fund, ‘which invests in companies with good employment opportunities and practices’.

Following a reported 62% drop in revenue in Q2, Levi’s is outlining the steps it is taking to accelerate its own digital transformation amid COVID‑19. Steps include investing in online sales growth and direct-to-consumer sales in addition to scaling down physical store growth from the planned 100 this year to 70. CEO Chip Bergh’s comments during the company’s recent earnings call captured this strategy well.

92% of business leaders say digital transformation requires a dual-track approach, according to a report released Wednesday from Harvard Business Review Analytical Services and Quick Base. The primary goals of digital transformation include 1. Increased productivity/efficiency, 2. Enhancing customer satisfaction, 3. Increased revenues/profitability

Garmin confirmed yesterday that a cyberattack that caused widespread disruptions over the past 5 days across its IT network — to website functions, customer support, company communications and customer facing applications — was a ransomware attack. Services are starting to be restored, but questions remain about the extent of the penetration into Garmin’s network, and how the attack was resolved. Garmin is due to report 2Q20 earnings tomorrow (Wednesday, July 29).

Now into the third year of GDPR, questions are being asked about what change it has brought about. This article notes there have been around 340 GDPR fines totaling approximately $180 million over the last two years. However, two of the largest fines amounting to a combined $350 million are still to be confirmed in the coming weeks — British Airways ($229mn) and Marriott ($123mn).

The ‘Psychology of Human Error’ report by Tessian aims to help companies better train employees to prevent mistakes from happening before they turn into breaches.

In the words of one commentator, COVID‑19 has been the final blow for several retailers that were considered ‘the walking wounded’ prior to the pandemic. The two dozen Chapter 11 filings this year have exceeded 2019’s total and show no signs of slowing down as the disruption and uncertainty continues into the second half of the year.

IBM 2Q 2020 earnings are a tale of two business models. Revenue from its cloud-related businesses surged 30% to $6.3b, while overall group revenue declined 5.4% to $18.12b. 2Q net income was $1.36b. Services and Consulting businesses were weak spots as client companies look for cost savings and postpone spending in the wake of COVID‑19, with CFO Kavanaugh noting that “many clients continued to delay projects, defer purchases, and favor opex over capex spending.”

Coverage of last week’s Twitter hack has now shifted towards longstanding security concerns, including internal controls and employee access issues. The company is now under scrutiny from several directions, including the FTC, Congress and the FBI.

The SEC’s Office of Compliance Inspections and Examinations (OCIE) warned of a recent increase in the sophistication of ransomware targeting financial service providers. The OCIE issued guidance on tactics and techniques organizations can use to guard against these attacks, broken down into six key areas: Incident response and resiliency policies, procedures and plans, Operational resiliency, Awareness and training programs, Vulnerability scanning and patch management, Access management, Perimeter Security.

The Honeywell USB Threat Report 2020 called attention to the rising threat facing industrial control systems (operational technology) amid the continued digitization of industrial processes. According to the report, “as the second most prevalent attack vector into industrial control and automation systems, USB devices continue to play an important role in these types of targeted attacks.”

IBM and Ponemon Institute’s fifth annual Cyber Resilient Organization Report surveyed more than 3,400 IT and security professionals globally and found that companies’ ability to contain cyber attacks has declined by 13% over the past several years, due to deficiencies in planning and preparing breach ‘playbooks’, as well as having IT security systems that are too complex.

Citrix has issued patches for 11 CVE-listed security vulnerabilities in its various networking products. This is the third in a series of ‘must patch’ vulnerabilities in recent months for Citrix, and it comes on the heels of a public breach the company announced in March of 2019.

The Financial Times reports that over the first 4 months of 2020, the S&P 500 ESG Index outperformed the normal index by 0.6%, and the MSCI Emerging Markets ESG Index and Asia-focused Asia ESG leaders index outperformed their parent indices by 0.5% and 3.83% respectively. Blackrock also reports outperformance by most ESG indices globally over their non-ESG peers.

Many companies that experience ransomware attacks do not disclose details of the breach to affected parties. IT media company Bleeping Computer reports being contacted by employees of companies that experience a breach seeking information about the event as C-suites keep tight lipped.

DXC Technology, an already struggling IT services provider, was hit by a ransomware attack that has paralyzed part of its business. According to the company, the part of its business impacted was Xchanging, “primarily an insurance managed services business that operates on a standalone basis.” As of July 5th, DXC indicated it was confident the damage was confined to this part of the business.

Research by data recovery specialist Ontrack of 484 organizations reveals that 39% either do not have a ransomware strategy, or are unaware if they have one, and 29% report they would not be able to access any working backups after an attack.

US Cyber Command is warning companies to immediately implement a critical patch for a potentially devastating security vulnerability in a number of Palo Alto Network products. Affected products include its firewall and VPN application, in wider use since the onset of work from home in March. According to the alert, the vulnerability is related to the company’s Security Assertion Markup Language. If exploited under certain conditions, it could allow a hacker access to a corporate network with administrator-level access without requiring the administrator’s login information.

The Thales 2020 Access Management Index Survey of 300 IT security professionals in the US and Brazil found a huge shift in how ‘easy’ or ‘difficult’ it is for IT departments to sell company Boards on the need for increased IT security resources. In last year’s survey, 44% reported that this was an ‘easy’ sell, while 33% reported it was ‘difficult’. This year, 65% report that it is an ‘easy’ sell, while only 16% report that it is ‘difficult’. 20% report that it is ‘Neither easy nor difficult’.

Swiss Re, the world’s second largest reinsurer, has called for companies to release ‘cyber resilience’ reports, saying there needs to be more transparency into how prepared they are to defend against attacks. The company indicates that in the wake of COVID‑19, there will be greater pressure on companies to demonstrate how resilient they are in the face of increasing risks.

IBM Security Work from Home survey of more than 2,000 newly remote work employees in the US reveals unpreparedness for remote work, and also provides a picture of companies slow to implement new training in response to this increased threat environment.

GDPR, billed as landmark regulation two years ago when it was first passed, has placed an undue burden on small and medium-sized businesses, while some rules have proven difficult to implement according to an official report released today. Although there were nearly 800 administrative fines imposed between May 2018 and November 2019, the only significant fine levied against a large technology company (and by far the largest) was the €50m fine against Google in France in 2019.

Insurer Hiscox’s Cyber Readiness Report 2020 surveyed 5,569 cyber security professionals from the US, UK, Belgium, France, Germany, the Netherlands, Spain and Ireland.

Cognizant, one of the world’s largest IT outsourcing companies, disclosed this spring that cybercriminals “exfiltrated” data related to employees’ corporate credit cards among other personal data including Social Security numbers, tax IDs, financial account information, and driver’s license and passport details.

The US Cyber Solarium Commission’s recently released white paper, Cybersecurity Lessons from the Pandemic draws parallels between the disruptions of the pandemic and the disruptions the US would experience during a significant cyber attack.

L’Oreal, the largest cosmetics company in the world, has seen a huge increase in digital engagement and online sales during the COVID-19 shutdowns, and expects these trends to stick and even increase in the coming years. Echoing other companies that have seen a similar acceleration due to the pandemic on their digital initiatives, Chief Digital Officer Lubomira Rochet remarked: “In ecommerce, we achieved in eight weeks what it would have otherwise taken us three years to do.”

Australia and New Zealand’s largest drinks manufacturer, Lion, was hit by a ransomware attack on June 9th. As of Monday June 15th, systems were still ‘partially down’. Per Lion: “Our investigations have shown that a partial IT system outage at Lion is a result of a ransomware attack. In response, we immediately shut down key systems as a precaution. We have made good progress, however there is still some way to go before we can resume our normal manufacturing operations and customer service.”

Zara owner Inditex reported that it will permanently close 16% of its global outlets (1,200 stores) by the end of 2021 and shift towards a strategy more focused on online sales. This trend of increasing online sales was already growing pre-COVID‑19, but has accelerated due to the pandemic. Inditex’ online sales increased 95% in April, and the company estimates that online sales will account for more than 25% of total sales by 2022, up from 14% in 2019. Inditex will spend 1b euros on digital investments over the next three years to support its online sales efforts. Most of the store closures will take place in Europe and Asia.

A ransomware attack disrupted Honda’s global operations on Monday, and is suspected to have penetrated the company’s corporate network. This comes at a time when Honda was just getting operations back to fuller capacity after the Covid-19 driven complete suspension at major facilities, and while it is struggling with a drop in auto and motorcycle sales in every major market. Honda staff were advised not to access their work computers on Monday, and to take paid leave on Tuesday if possible.

An April survey commissioned by CyberArk of 3,000 remote office workers and IT professionals in the United States, UK, France and Germany found that 77 percent of remote employees are using unmanaged, insecure devices to access corporate systems, and 29 percent are letting other household members use their corporate devices for personal activities such as gaming, shopping and schoolwork. 40 percent of IT teams have not increased security protocols despite the massive transition to remote work, but despite this 94 percent of these IT teams are confident that they can secure their new remote workforce.

ECB President Christine Lagarde’s comments to the Committee on Economic and Monetary Affairs of the European Parliament positioned digital transformation as an important priority for Europe’s economic recovery effort. Lagarde: “Another key dimension is the digital transformation. Here, the recent lockdowns have accelerated the adoption of digital technologies on a broader basis. Now is the time to expedite the digital transformation on a more permanent basis and bring the EU to the frontier of the digital economy.”

Industrial companies are greatly increasing their use of data management tools both as a response to Covid-19 workforce reduction issues, and due to the productivity improvements good data monitoring, analysis and control can provide. Annual spending on these tools is forecast to increase from $5b/year today to $20b/year by 2026. Meanwhile, Kaspersky detailed a series of attacks in Japan, Italy, Germany and the UK which targeted suppliers of equipment and software for industrial companies.

The EU is planning to unveil the Digital Services Act at the end of the year, a major piece of legislation to overhaul rules surrounding data and digital services. The EU has invited interested parties to submit comments by September 8, and the European Commission is targeting a December deadline for the draft law.

The Norwegian Investment Fund, the world’s largest sovereign with over $1 trillion in assets, was the victim of a months-long cyber breach that resulted in a reported $10mn in losses. According to Norges, the breach was the result of a business email compromise.

Chairman Clayton warned that combining environmental, social and governance metrics into a single ESG rating is an imprecise way of rating companies, and that asset managers should think carefully about how they use these metrics. There are 307 ‘Sustainable funds’ in the US with $119.3 billion assets under management as of the end of March 2020.

Macy’s announced a $1.1 billion bond sale to help shore-up the struggling retailers balance sheet as it navigates the COVID‑19 shutdown. The fresh injection of capital is needed to pay down short term debt maturing in January 2021 and fund operations in the immediate term.

Data from 30m McAfee MVISION Cloud users worldwide between January and April 2020 show external attacks by hackers on companies’ cloud-based systems have increased 630 percent following the mass migration to work from home. Overall enterprise use of cloud services has increased by 50 percent over the same time period. Use of Cisco Webex has increased 600 percent, Zoom by 350 percent, Microsoft Teams by 300 percent and Slack by 200 percent. Attacks by ‘insider threat’ categories (i. e. employees working from home) have remained the same, indicating that employees do not ‘attempt to steal more data because they are working from home’.

A WSJ article chronicled how HTZ was struggling long before COVID‑19, including reference to its belated digital shift relative to peers and repeated missteps with regard to its digital strategy. This reportedly included adverse impacts on fleet management while it cycled through four CEOs in less than 10 years.

A survey of 2,000 consumers in North America, UK, France and Germany reported that 37 percent will switch to a competitor company if systems are not back online within 24 hours of a ransomware attack operational disruption, and 66 percent will turn to a competitor if systems are not restored within 3 days. 59 percent would ‘likely avoid doing business with an organization that had experienced a cyberattack in the past year’, and more than 80 percent reported sharing their negative ransomware-related experience with family, friends and colleagues.

British low-cost carrier EasyJet (EZJ) disclosed a customer data breach that the company says impacted 9 million customers. A majority of the data stolen was reportedly email and physical addresses, but a smaller percentage of customers reportedly had credit card details stolen. EZJ first became aware of the breach in January.

Companies are struggling with increasing compliance burdens that are taking up significant portions of corporate IT budgets and time. 51 percent of respondents report that compliance requirements take up 20,000 hours of resources annually. In addition, 58 percent of companies report that compliance requirements are a barrier to entering new markets. 70 percent say they must manage at least five different compliance projects at any given time, while 7 percent work on 50 or more projects at any given time.

A NYT Times story explains how the fall of two retail giants—J. Crew and Neiman Marcus stemmed not only from the pandemic but also from the involvement of private equity firms and the financial over-engineering they deployed. The longstanding weaknesses of some traditional bricks and mortar retailers which include belated or poorly executed digital strategies are also directly related to an inability to make big investments due to being overleveraged. These weaknesses were further exposed by the pandemic, resulting in the recent bankruptcy filings.

Vulnerabilities in SaltStack software were used as a vector to infect cloud servers with malware or other exploits, with over 6,000 master servers reportedly infected and directly exposed to the internet according to the company, allowing them to be breached. The vulnerabilities were discovered about two weeks ago, and several networks have already reported that they have been breached and had cryptocurrency mining malware deployed onto their servers. More damaging attacks such as data theft and ransomware are possible. A patch is now available for the vulnerability.

Pitney Bowes Inc. (PBI) experienced a second ransomware attack in seven months on May 4th. The ransomware gang Maze claimed to have breached and encrypted the company’s network. The incident was confirmed by PBI in a statement: “Recently, we detected a security incident related to a ransomware attack. We are investigating the scope of the attack, specifically the type of data that had been accessed, which appears to be limited.” PBI is working with its security partner IBM Iris to complete forensic analysis on the attack.

Citing a recent report by market research firm Canalys, the WSJ depicts a mixed picture on market-wide digital transformation prospects. Though Microsoft’s year-on-year enterprise cloud growth grabbed headlines, also included in results was the company’s admission that multi-year licensing deals were slow to complete in the final weeks of the quarter —just as the COVID‑19-induced slowdown was taking hold. Some analysts see a positive long-term trend towards digital being brought forward by the pandemic. Others see a slowdown in IT spend and longer-term licensing commitments and investment in cloud initiatives like further AI adoption in the short term as companies scramble to cut costs.

A survey by Barracuda of over 1,000 business decision makers in the UK, US, France and Germany reveals significant cyber security deterioration from the recent sudden shift to remote working. 51 percent have seen an increase in email fishing attacks, 51 percent say their workforce is not proficient or properly trained in the cyber risks associated with remote working, 46 percent are not confident that their web applications are secure, 50 percent allow employees to use personal email addresses and personal devices to conduct company work, 49 percent fully expect to see a data breach or cybersecurity incident in the next month due to remote working. Despite this clear increase in the threat surface, 40 percent of the companies have cut their cybersecurity budgets as part of COVID‑19 cost saving measures.

Tarkett reports that a cyber attack ‘has affected part of its operations since April 29 despite the IT security measures implemented by the group’, and that it has shut down its IT systems and implemented ‘necessary preventive measures to protect its operations as well as the data of its employees, customers and partners.’

Fitch expects COVID‑19 related economic impacts to test the growing cyber insurance market due to risks around cloud-related breaches and other operational disruptions that could result in capital constraints and impact ratings.

“We’ve seen two years’ worth of digital transformation in two months. From remote teamwork and learning, to sales and customer service, to critical cloud infrastructure and security—we are working alongside customers every day to help them adapt and stay open for business in a world of remote everything,” said Satya Nadella, chief executive officer of Microsoft on the announcement of strong Q3 results today.

Travelex announced that it is seeking offers and that interested parties should contact PricewaterhouseCoopers. Travelex’s business was severely impacted by its December 2019 cyber breach, which put the company in a very difficult financial position even before COVID‑19 disruptions hit.

A WSJ report outlined how increased cyber risks amid COVID‑19 are posing increased challenges for M&A transactions globally.

A survey of 2,000 remote workers in the UK reveals that two-thirds have not received cybersecurity training over the past year, and 61 percent said they were using personal devices to work remotely instead of corporate-issued devices. Despite these shortcomings, 77 percent reported that they are not worried about security while working from home.

A recently published Trustwave report looking at cybercrime globally found that far and away the most common environment breached is corporate and internal IT networks (54%), followed by ecommerce (22%) and the cloud (20%). In the thousands of incidents studied, the report found that 50% of breaches across all environments stemmed from phishing and social engineering.

Data stolen from Italy’s Unicredit allegedly came via a cyber breach into a company contracted by Unicredit to provide HR services. The data went on sale April 19, and reportedly includes employee names, email addresses, phone numbers and encrypted passwords. Telecom Italia unit Telsy reported that “the database appears to be genuine and the potential result of a SQL injection attack”.

Leading managed IT service provider Cognizant announced a Maze ransomware attack on Friday. Per Cognizant: “Cognizant can confirm that a security incident involving our internal systems, and causing service disruptions for some of our clients, is the result of a Maze ransomware attack. Our internal security teams, supplemented by leading cyber defense firms, are actively taking steps to contain this incident. Cognizant has also engaged with the appropriate law enforcement authorities.”

Zurich Insurance outlined how companies can defend against ransomware at a time when cyber vulnerabilities have increased amidst the COVID‑19-induced shift to remote work. The approach leverages the NIST framework, widely seen as the global standard for improving cyber defense.

Zurich Insurance outlined how companies can defend against ransomware at a time when cyber vulnerabilities have increased amidst the COVID‑19-induced shift to remote work. The approach leverages the NIST framework, widely seen as the global standard for improving cyber defense.

MSC reported Friday that a network outage is affecting systems at its Geneva headquarters, and that a cyber attack might be responsible. As of Tuesday 16:00 GMT, the MSC website is still down and the company has released very little new information. General operations appear not to be widely impacted yet, but precedent shows that an operational disruption can be extremely value destructive to a company like MSC.

According to a Wall Street Journal piece, 5G will transform supply chains, in part by cutting waste, better predicting consumer demand, and being able to adjust to market and operational shifts in real time. The gamechanger between 4G and 5G lies in the number of devices that can live on a single connection. By some estimates, 5G is 10 times faster than 4G. This enables more data to be analyzed more quickly and in much greater detail than was possible before.

At a hearing on March 4 before the U. S. Senate Judiciary Committee, Department of Justice (DoJ) Deputy Assistant Attorney General for National Asset Protection in the National Security Division Adam Hickey called upon Congress to enact legislation that would create a uniform nationwide data breach disclosure law and include a requirement that companies report breaches not just to customers but also to law enforcement.

Ransomware attacks on the healthcare industry continue at the same frequency as before COVID‑19, despite recent promises by some hacker groups to avoid targeting the industry during the current crisis.

A Wall Street Journal article outlined the accelerated pace of corporate bond downgrades amidst the COVID‑19 pandemic and economic crisis. It has been the swiftest pace of downgrades on record over the last two weeks. Ford was the latest big name to be downgraded to junk, while approximately $90bn of debt was downgraded in March, and some estimate the number to reach $200bn this year.

VPN Mentor’s research team discovered a breached database at Cloud backup provider SOS Online Backup that contained more than 135m records. While this information apparently did not fall into malevolent hands, the incident highlights cybersecurity risks posed by the use of third-party service providers.

As Zoom’s popularity has exponentially increased in recent weeks due to the mass migration to remote work, reports on security flaws continue to trickle out. Former NSA hacker Patrick Wardle shared with TechCruch two new security flaws that can be exploited to grant hackers physical control of a victim’s computer. Malicious code can be injected into a computer via a Zoom installer to gain root access—the highest level of user privileges.

Enterprise use of VPNs has increased by 33 percent, and use of Remote Desktop Protocols (RDP) has increased by about 40 percent over the past month as companies respond to COVID‑19 by having employees work from home. These systems increase the risk of a breach of company IT systems as they are inherently less protected than onsite systems and as employees use external access systems that they are less familiar with.

Macy’s announced it is furloughing a majority of its 130,000 staff globally in the midst of the COVID‑19 crisis that has ground brick-and-mortar retail to a halt. Staff that remain will maintain e-commerce, distribution, and call centers operations.

Specialty insurer Beazley reports that ransomware attacks are rapidly increasing and that the dollar value of individual ransom demands is also increasing. Beazley’s analysis and key findings are in line with Cyberhedge findings that most breaches are relatively unsophisticated and the result of poor cyber governance and hygiene by employees. Strengthening employee training is both relatively low-cost and the most effective step that most companies can take to improve their cybersecurity. Beazley also highlights two additional key Cyberhedge findings: 1. that vendors are increasingly becoming a breach vector into companies and 2. that the dramatic increase in COVID‑19‑related remote access into company IT networks has increased companies’ cyber threat surfaces.

Cybersecurity company FireEye outlined successful attacks by a Chinese group called APT 41 against Citrix and Cisco equipment in the first two months of 2020, targeting more than 75 FireEye customers, including manufacturers, media companies, and healthcare organizations. It appears that APT 41 accelerated efforts by exploiting software vulnerabilities in both companies, issues both Citrix and Cisco indicated they fixed.

GE disclosed that personal information for a number of current and former employees was exposed in a security breach that took place between February 3-14 at Canon Business Process Services, one of its service providers. While the breach did not occur in GE’s systems, according to the legal filing, the case highlights a common supply chain risk: cyber governance extends beyond company networks and includes regimes of counterparties.

A recent article in the Financial Times highlighted the continued emergence of ransomware and the targeting of large financial institutions, an issue illustrated by the devastating attack on Travelex and the growth of cyber insurance as a mitigation measure for companies. Large insurers point to the significant increase in the sums attackers are demanding and disputing the claim that having cyber insurance to cover such incidents makes companies more of a target.

The unprecedented challenges posed by the COVID‑19 outbreak extend to securing companies’ IT networks, and this event may be the biggest cybersecurity threat ever. Threat surfaces are also increasing dramatically as large numbers of workers are forced to work from home, often with systems and procedures that are different from those they are trained on and familiar with in their workplace.

A new EY Board Survey has identified “technology disruption” as the number one strategic opportunity for organizations. The survey reveals that 48 percent of boards believe data breaches and cyber attacks will “more than moderately” impact the business in the next 12 months. However, only 36 percent of respondents in the survey indicated cybersecurity is a priority in the planning phase of any new business initiative.

A recent study claims that ransomware attacks have increased 350 percent in the past year. This mirrors other reports, including one by Blackberry Cylance, outlining a similar upsurge in such attacks against the healthcare sector across the U. S. and Europe. In December 2019, Cylance disclosed findings related to Zeppelin Ransomware-as-a-Service (RaaS), which targeted IT vendors and healthcare providers.

UK-based Informa (INF), the world’s largest events and exhibitions business, reported generally positive FY19 results in terms of revenue, earnings, and growth, including what Informa leadership describes as a “secure balance sheet”. But, more important is the storm brought about by coronavirus that is facing the events-focused business and the impact this may have on the company’s already-poor cyber governance. In its earnings call, the company described strong headwinds from coronavirus and possible uncertainties around the larger disruption over the course of 2020. Indeed, INF has already taken a £450mn revenue hit as a result of postponing and cancelling 100 events.

Walgreens notified customers last month of a personal data breach that occurred in January stemming from its mobile app. The company indicated that it took steps to remedy the problem once discovered, but that health information for a “small percentage of the total users who were affected” was leaked.

In a mandatory filing with the California attorney general this week, J. Crew Group, Inc. disclosed a breach of customer accounts dating back to April 2019.

Key findings from a study on smart factories by Deloitte and the Manufacturers Alliance for Productivity and Innovation (MAPI) include: 25 percent of manufacturers surveyed have not performed a cyber risk assessment in the past year, meaning these manufacturers likely do not have visibility into the impact of a cyber-related operational disruption; 48 percent of manufacturers surveyed identified operational risks, which include cybersecurity, as the greatest danger to smart factory initiatives; 40 percent of manufacturers surveyed indicated that their operations were affected by a cyber incident in the past 12 months; Management of information technology (IT) is often out of sync with operational technology (OT) management, creating additional vulnerabilities many companies are unaware of; OT is typically managed by engineering, automation, and operations rather than IT; There is generally no single team responsible for all OT systems and underlying security; Traditional application of security controls, such as patching or vulnerability scanning, needs to be adapted to new environment.

Visser Precision, a parts supplier to automotive, defense, and aeronautics companies, reported a data theft incident, according to a Tech Crunch article.

ISS World, a Danish workplace experience and facility management company, was hit by a malware attack on February 17, 2020. As a precautionary measure, they immediately disabled access to shared IT services across company sites and countries.

Macy’s Inc.’s (M’s) Q4 and FY19 results marked a continued slide for the brick-and-mortar retailer amidst an attempted turnaround.

Hertz (HTZ) announced Q419 and FY19 results on February 24, reporting quarterly sales of $2.326 billion, which missed the analyst consensus estimate of $2.34 billion. The company ended the fourth quarter with cash and cash equivalents of $865 million, compared to $1.13 billion at the end of 2018. Total debt as of year-end amounted to $17.09 billion, compared to $16.32 billion as of Dec 31, 2018. As of February 25, the stock was down approximately 15 percent post-earnings.

Citrix—one of the world’s largest networking and remote access technology companies—announced malicious hackers inside its networks for five months between 2018 and 2019. This comes almost a year after the breach of its network was announced following an FBI alert.

The personal details of more than 10.6 million MGM Resorts International (MGM) guests were published on a hacking forum last week.

This month, the Department of the Navy (DON) released a report, Information Superiority Vision, that outlines an acceleration of the military branch’s digital transformation. The report highlights the need for a comprehensive overhaul of the department’s systems and cyber posture to better defend against attacks.

More than 41.4 million patient records were compromised by 572 healthcare data breaches in 2019, according to a study of data provided by the U. S. Department of Health and Human Services, the media, or other sources. This excludes two breaches of IT vendors servicing dental offices across the country in August and December 2019.

Two stories point to the upside and downside of digital transformation in the energy sector. On the negative side, this week, the U. S. Government Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about its response to a cyberattack affecting control and communication assets on the operational technology (OT) network of a natural gas compression facility. According to the alert, “Impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial Loss of View for human operators.” The victim’s emergency response plan did not specifically consider cyberattacks, and the decision was made to implement a deliberate and controlled shutdown to operations that lasted two days, resulting in a loss of revenue and productivity, after which normal operations resumed.

On Tuesday, S&P lowered its rating for Macy’s from BBB- to BB+—one notch below investment grade—saying it viewed the company’s turnaround plan as necessary, but also a sign that the department-store chain’s “competitive advantage has diminished more than we expected.”

In October 2019, Bayer’s digital agriculture division, The Climate Corporation (Climate Corp), announced a partnership between its FieldView™ digital farming platform and Tillable, a self-described first-of-its-kind digital marketplace connecting farmers and landowners. According to Tillable, it was “created to help landowners receive fair rent and get the insights they need about their farm’s performance, while also helping great farmers build their reputations and expand operations.”

UK-based cyber company Nominet released its CISO Stress Report, attempting to shed light on the burden carried by the person responsible for protecting corporate networks in 2020. The U. S./UK study serves as a follow-on to Nominet’s first couple of reports looking at the role of the CISO, including one on the perspectives of boards. Some well-known facts are confirmed, as well as important current data points on CISO-C-suite dynamics: 88% of CISOs remain moderately or tremendously stressed, 90% of CISOs said they’d take a pay cut if it improved their work-life balance. Most CISOs still lack strong support from rest of C-suite.

U. S. Senator Kirsten Gillibrand (D-NY) introduced legislation to create a Data Protection Agency to, in her words, “bring the protection of your privacy and freedom into the digital age.

$76-billion-dollar retail giant Estée Lauder (EL) suffered a breach of a reported 440 million records, including customer data. The breach resulted from a non-password-protected cloud server. Importantly, it does not appear that any payment information was part of the breach.

According to IBM, cybercrime continues to grow at a significant pace year-over-year (4x increase in 2019 vs. 2018) despite increasing resources and attention placed on security by companies and governments.

European Central Bank (ECB) President Christine Lagarde, citing a report by the European Systemic Risk Board (ESRB), outlined how a successful attack on a major financial institution could quickly create financial instability.

Security researchers at Dragos and Sentinel One believe they have identified a new strain of ransomware designed specifically for industrial control systems (ICS)—systems most commonly associated with being at the core of utility infrastructure. ICS environments are also among the highest-value targets for cybercriminals and nation-state hackers.

A key finding from Cisco’s recently released CISO survey indicated that reducing network complexity is a top priority. CISOs are electing to embark on vendor consolidation, with 86 percent now using 20 vendors or less.

More than 160,000 data breach notifications have been reported across the EU since the GDPR came into force on 25 May 2018, according to a DLA Piper survey. The fines, however, have not proven to have a material impact on large companies as some predicted when the law was enacted.

As of Q319, leading experts like McAfee observed over 100% growth in ransomware attacks globally. FireEye recently identified how threat actors are collaborating in efforts to launch ransomware attacks, a trend that will grow in 2020.

Salesforce. com, Inc. and children’s clothing company Hanna Andersson are facing a federal court lawsuit that is among the first to cite the new California Consumer Data Privacy Act that went into effect in January.

In its preliminary 4Q and full-year 2019 sales results this week, Macy’s (M) announced the closure of 125 stores—about 20% of its physical footprint—over the next three years, as well as 2,000 job cuts. These moves come as the retailer continues to grapple with the rising dominance of e-commerce and shifting preferences of shoppers.

The Pentagon has finalized the long-anticipated cybersecurity standards contractors will have to follow before winning contracts from the Department of Defense (DoD), a new process called the Cybersecurity Maturity Model Certification (CMMC) 1.0, according to Fifth Domain.

An FAA inspector general report outlined how Southwest Airlines failed to prioritize safety, and the Federal Aviation Administration (FAA) did not properly conduct oversight of the airline. The criticizes the agency’s oversight of the carrier as lax, ineffective, and inconsistent, according to a WSJ article.

Boeing (BA) reported its first annual loss since 1997 as 737 MAX costs approach $19 billion. However, shareholder value losses have been far greater, losing about 25% of value since the March 2019 Ethiopian Airlines crash. The company is now in the midst of complicated and potentially costly compensation talks with airline customers like American Airlines. These customers have felt the direct effects of the MAX grounding and believe that BA, not their shareholders, should be on the hook for the crisis.

On January 27, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued examination observations. The document outlines a series of approaches taken by market participants in areas including governance and risk management, access rights and controls, data loss prevention, resiliency, vendor management, and training and awareness.

A WSJ profile of Target CIO Michael McNamara outlined the retail giant’s shift in IT strategy following the damaging 2014 data breach—from outsourcing functions like software development to hiring more in-house technologists, or what the industry refers to as “in-sourcing.”

Citrix—one of the world’s largest networking and remote access technology companies—announced patches for a known vulnerability more than one month after it was announced. It is a $15BN company that more than 400,000 companies, including many of the Fortune 500, rely upon to keep their data safe and networks secure.

In the lead-up to its Annual Meeting a World Economic Forum (WEF) note outlines in some detail the steps that boards and C-suites should take to better tackle cybersecurity risk—a top-five risk in its 2020 Global Risks Report. The report poses the question, beyond the rising damage caused by cyber breaches, what incentives for investment and improved approaches exist? Though an increasing number of market players such as insurers and ratings firms are getting in the fray, “coherence, however, is still missing,” according to WEF.