Corporate reputations are being tested by a wave of cyber-crime, finds Tim Human
In June, Israeli business daily Calcalist reported that Sapiens, a software company, had paid $250,000 in bitcoin to end a ransomware attack. The breach is thought to have happened when employees started working from home due to Covid-19, according to the article. Sapiens has neither confirmed nor denied the story, and did not respond to a request for comment.
The case highlights how the pandemic has greatly increased the risk to companies from cyber-attacks. Amid the shift to remote working, fraudsters now have many new avenues to trick their way into corporate IT systems. It also underlines the difficult communications choices that come with a cyber-incident. In many cases, companies attempt to sort out the problem behind the scenes. There is no guarantee, however, that paying up will end the matter – or even keep it private.
Threat surge
Cyber-security firms report a huge surge in attacks against companies and other organizations since the start of the pandemic. The number of ransomware reports climbed 715 percent in the first half of 2020, according to a study by BitDefender. Over the same period, 40 percent of Covid-related emails were tagged as spam, with many of them purporting to come from governments or international bodies such as the World Health Organization.
‘The global pandemic has expanded the potential attack surface of the corporate world, given that we now have millions of employees working from home,’ says Chuck Seets, Americas assurance cyber-security leader at EY. ‘You have folks who may never have worked from home before. They may not be as sensitive to cyber-security risks, or attuned to practicing good cyber-security hygiene.’
BlackFog, a data privacy company, is maintaining a list of publicized ransomware incidents. During the year it has recorded dozens of attacks against public companies, including IT services giant Cognizant, carmaker Honda and Swiss manufacturer Stadler Rail, which released a statement saying it had been targeted with malware. The offenders had tried to ‘extort a large amount of money from Stadler and threatened the company with the potential publication of data,’ reported the firm, although its back-up systems enabled it to keep its production lines in operation.
Ransomware incidents today have a higher likelihood of creating a reporting requirement or public discussion, says Siobhan Gorman, a partner at Brunswick Group and former journalist covering national security and law enforcement. Over the last six months, hackers have increasingly combined ransomware attacks with data theft, which creates additional complications for targeted companies, she explains.
‘You see hackers going in [to your systems], carrying out reconnaissance, stealing data and then, in the final measure, applying ransomware to your systems in order to lock down some part of your operations or business processes,’ Gorman says. ‘Email functions get hit a lot.’
Should you pay?
Companies typically ask: if we pay, will the problem go away? Gorman says there are a number of considerations to take into account, but that paying up might not bring the situation to a close.
‘If the hackers are stealing data, you may still have breach-reporting obligations that require you to notify affected individuals,’ she says. ‘You may also have contractual arrangements with customers, clients or business partners that also require you to notify them of a data-breach situation, regardless of whether you pay the ransom.’ She adds that, even if you get a decryption key, it may still take a few weeks to get operations up and running again. ‘You have to weigh up whether it will take you longer to restore from back-up,’ she says.
Another factor to bear in mind is the growing sophistication of hacking organizations. Some now have federated structures and websites where they publish press releases detailing their latest work.
One of the best known is Maze, which steals data and threatens to release it on its website unless a ransom is paid. If the company doesn’t comply, Maze begins sharing extracts of the data at increasing levels of sensitivity.
When negotiating with hackers, firms need to remember that they are dealing with a rival communications operation. ‘We’ve seen examples of negotiations with hackers [where] a company pays up and then the negotiation is provided to a reporter,’ says Gorman.
‘Ensure that whenever you negotiate with a hacker you do it fully mindful that it could become public: you need to think about what that will look like.’
Furthermore, Gorman says to never forget you are dealing with criminals: ‘We’ve seen situations where even when a firm pays the ransom, the company’s data is still sold on the black market. It may be because another hacking group was also in your system and also stole some data, or just that the criminal wasn’t to be trusted.’
In the run-up to the US presidential election, public officials were warned to be on guard against disinformation attacks: misleading information that is designed to trick people. Such attacks can appear in various forms. Common tactics include bots spreading false news on social media and videos where technology has altered what someone appears to be saying, known as deep fakes.
The threat to politicians of disinformation attacks is well known. But should public companies also be worried? ‘It’s a growing concern,’ says Preston Golson, a director at Brunswick Group who formerly held a number of national security positions with the US government, including as an analyst with the CIA.
He points to a 2019 survey by Brunswick that found more than two thirds of investors thought corporate disinformation would become more prevalent. ‘The issues they were most concerned about were M&A, IPO news, personal conduct of executives [and] unsafe product stories,’ he says.
The Covid-19 pandemic has further underlined the risks posed to companies from misleading news, adds Golson. ‘If you’re in certain industries, such as pharmaceuticals or telecommunications, your business can be actively thrown into the middle of some of these conspiracies,’ he explains. As an example, he highlights the false rumors about 5G spreading coronavirus that led to phone masts being set alight in the UK.
There are various reasons why someone might conduct a disinformation attack against a company, says Golson. Often, the firm is caught up in a wider conspiracy or political clash. On other occasions, the aim may be to push down a company’s value or boost web traffic via attention-grabbing stories.
Disinformation tactics can also be used to steal directly from companies. Last year, it was reported that the CEO of a UK energy subsidiary was tricked into transferring €220,000 ($261,000) to criminals with the help of deep-fake software. The fraudsters used artificial intelligence technology to mimic the voice of the CEO’s boss – the head of the parent company – and convinced him to transfer the money to a ‘supplier’.
Hacked data and insider trading
Normally hackers want data to extort or embarrass companies, but a few are more interested in the trading opportunities. In 2016 Ukrainian hacker Oleksandr Ieremenko gained access to the Edgar filing system and stole corporate announcements before they were made public.
The information was transmitted to traders in the US, Russia and Ukraine who, by going long or short against the companies involved, earned more than $4 mn in profits, according to a complaint filed by the SEC.
How much trading is taking place using hacked data? No one can be certain. But the problem is thought to be far more widespread than the few cases reported in the media. ‘Any statistics that may be available would be based on proven cases, and it’s far more likely there are many more unproven cases,’ Kate Fazzini, journalist and author of Kingdom of lies: Adventures in cybercrime, told IR Magazine earlier this year.
Arguably a bigger concern for companies is how to prevent insider trading by their own employees once a data breach is discovered – anyone with knowledge of the attack might try to sell their shares ahead of a damaging public announcement.
In one very high-profile example, a former senior employee at Equifax allegedly dumped nearly $1 mn worth of shares after finding out about the credit company’s massive 2017 data theft. He was later charged by the SEC with insider trading.
‘Although the jury is still out on the scope of the problem, William Hinman, a senior SEC official, suspects that insider trading after a cyber-security breach is more common than is currently known,’ says Marios Damianides, partner and US-East cyber-security leader at EY. ‘But he hints at a lack of empirical evidence that would determine exactly how widespread [the problem is].’
Damianides says companies are increasingly aware of the insider-trading risks stemming from cyber-attacks and are factoring these into their corporate policies and procedures. ‘Public companies should consider revising their incident response plans to include provisions for issuing trading blackouts – when to issue, to whom, by what process and for how long,’ he advises.
‘Companies should also consider offering additional employee training to address instances in which their employees may obtain – whether directly or indirectly – any non-public information regarding a potential data breach that impacts the company and/or its customers.’
With so many employees now working from home – and the expectation that this could last for a long time – what new measures should companies take to protect themselves? Marios Damianides, partner and US-East cyber-security leader at EY, offers his advice.
Investor considerations
When a cyber-incident occurs, Gorman advises companies and their IR teams to think about how their actions will play out over the long term.
‘You may have some short-term pain or costs – in terms of managing customer relationships or notification processes – that ultimately provide a much stronger foundation in the long term,’ she says.
‘The short-term calculation for a business might be to go ahead and pay, and hope for the best. [But] I think it’s important for investors to be thinking about both short-term and long-term implications. Make sure they’re thinking through those kinds of issues when they’re evaluating businesses and that nobody is being overly short-sighted in a situation like this.’
Thankfully, many companies have spent the last couple of years beefing up their approach to cyber-risks. Over the last three years, the number of Fortune 100 companies disclosing that at least one board-level committee has responsibility for cyber-security climbed from 74 percent to 87 percent, according to a 2020 study by EY.
During the same period, the number of companies mentioning cyber-security in a director’s biography or as a sought-after skill rose from 39 percent to 58 percent.
In response to the pandemic, Seets says he expects companies to disclose more about a range of cyber-security issues, ranging from breach simulations and insurance assessments to board expertise. ‘This is going to be one of the most important topics of the decade,’ he concludes.