Compèred by Ffion Flockhart, global head of cybersecurity, the day’s panelists included senior representatives from organizations including Marsh, FTI Consulting, S-RM, Mandiant, Fenix24, QBE, as well as a former client.
At this immersive event that walked through a ransomware attack scenario, leading cybersecurity professionals shared best practice on incident response, operational resilience and post-incident recovery and exposures. Cyber attacks remain a major threat with ransomware in particular continuing to have wide-ranging consequences for companies.
Lessons for business
The day’s experts talked guests through recovery, exposure, challenges complying with regulations, and what businesses can do to prepare for an attack.
Key takeaways included:
- Be prepared for an incident, to save time in the event of an attack – the first 24 hours is critical
- Focus on operational resilience, planning, and testing, and understand the back-up position
- Ensure the incident response team has the right support network
- Improve awareness of cyber risk management at executive and board level
Ransomware remains the top cyber threat, with healthcare, IT services and government the most targeted sectors. Ransomware is a type of malware which prevents a data owner from accessing devices and the data stored on it, usually by encrypting files. Typically, a criminal group will demand a ransom in exchange for decryption, coupled with a threat to publish details of the attack and any stolen data.
Last year, victims paid ransoms worth more than a billion dollars to threat actors, while a record number of victim organizations were identified on leak sites.
The cyber threat landscape
Ted Cowell from global intelligence and cybersecurity consultancy S-RM identified four trends:
- Software vulnerabilities present across all major vendor products, with last year’s incident involving MOVEit file transfer software a well-known example.
- Increased frequency of supply chain attacks.
- Increased frequency of adversary-in-the-middle (AiTM) phishing attacks, with a well-documented 48% rise in resulting business email compromise (BEC) in the last year, particularly affecting the legal, manufacturing and consumables sectors.
- Exploitation of new technology, platforms and techniques such as AI, Microsoft Teams, and QR code phishing.
Ted explained that the principal motivations for paying ransom demands are to reduce business interruption losses and protect sensitive data. In some cases where the victim chooses not to pay, the threat actor also does not follow through on its threat to publish – in the past year, 37% of S-RM’s clients who did not pay never appeared on a leak site.
That said, in the same period, leak sites published the names of 4,611 organizations in total, a rise of 42% from the preceding 12 months.
Ted concluded that it is positive news that criminal groups such as Hive, AlphaV and Lockbit have been disrupted or taken down. However, any respite is likely to be temporary as members of those groups carry on as lone wolf actors or start up new ransomware groups.
Building operational resilience and cyber-readiness
While it’s impossible to prevent cyber attacks, there is a lot that organizations can do to mitigate them.
With an increased regulatory emphasis on operation resilience across the globe, David Dunn, (FTI Consulting), David Warr (QBE) and Catharina Glugla (A&O Shearman, Düsseldorf) shared their insights on how organizations can build resilience and prepare for cyber attacks.
Key points that were covered included:
- In the M&A context, FTI Consulting are increasingly seeing cybersecurity issues emerge following acquisitions. To address this issue, buyers should carry out cyber due diligence on target companies during the acquisition process and remediate any issues rapidly, post-deal . Similarly, private equity firms are looking to achieve a uniform, acceptable level of cybersecurity across their portfolio companies – for example through maturity assessments carried out by third parties.
- On the regulatory side, with NIS2 being implemented across the EU for certain sectors, the Digital Operational Resilience Act (DORA) entering into force for financial entities on January 17, 2025 and further EU cyber-related laws on the horizon, in-scope entities should ensure their preparations are now well underway. DORA places burdensome cyber risk management requirements on financial entities, with senior management facing liability for non-compliance.
- The July 2024 global IT outage provided a "perfect case study” in operational resilience. This has prompted companies to test, evaluate and update their incident response plans. The outage also highlighted the potential economic impacts, as well as what cyber insurance policies can or cannot cover.
- When underwriting a cyber insurance policy, insurers will look at the risk profile of the organization. This includes both the organization’s cyber posture (i.e. its technical controls and governance measures) and that of its supply chain.
- To be resilient, all organizations should understand the state of their backup files, as this informs what options are available during an incident. It is also good practice to make a record of how systems are configured, as well as what data is held and where (and why).
Coordinating a rapid and effective response to cyber incidents
Against this backdrop, Ffion Flockhart, Mitchell Clarke (Mandiant), Helen Nuttall (Marsh) and Kate Brader (FTI Consulting) outlined the initial stages of a ransomware attack, underscoring how crucial the first 24 hours are to a successful response. Key to this is knowing who to contact in the event of an incident.
Organizations are often unaware they have access to a panel of cyber vendors (i.e. external lawyers, digital forensic experts, PR specialists and ransom negotiators) under their cyber insurance policy.
Many organizations also have their own preferred vendors, and simple preparatory steps such as lining up preferred vendors in advance, can save precious time during an actual incident. Steps taken at the start of an incident can permanently impact the course of an investigation, particularly when trying to understand what happened and how.
It's also important to acknowledge the personal toll cyber incidents can take on those working on the response. Ensuring those individuals have a strong support network will help them operate effectively during a very stressful experience.
Pre-incident preparation should weigh up the competing priorities that might arise during a cyber attack, and consider how best to manage them. As well as understanding your contractual obligations in the event of an incident, there must be a communications strategy for the core response team, senior executives, the board, and the wider workforce. What’s more, communicating openly and effectively with clients can, in some cases, reduce the risk of post-incident litigation.
Post-incident recovery
One of our guest speakers discussed their experience in the eye of the storm. They explained that the impact of an incident and an organization’s ability to recover from it and restore service can vary significantly depending on the type of attack. If a threat actor is able to access and delete a virtual environment, the business will need to rebuild its environment from the ground up, even if it has back-ups.
They attributed the company’s ability to overcome the attack to its people, processes and pre-incident preparation. This included easily accessible cheat sheets outlining the IT system’s main vulnerabilities, a comprehensive disaster recovery plan, and a chart mapping all data and back-ups.
A service-first, no-blame culture brought together the right team, enabling quick decision making. With the support of shareholders and executives, the incident response team felt able to communicate openly with customers about the attack and the recovery.
David Smith of Fenix24 stated the importance of backups. The impact of a cyber attack and an organization's ability to recover and restore can entirely depend on backups. For example, if a threat actor can access and delete a virtual environment, even if there are back ups, the organization will need to rebuild its environment back up from scratch to be able to create something to restore the back ups to.
Tom Yoxall of S-RM recommended that all organizations should take the time to understand the state of their back ups pre-incident, to help inform what options may be available when a cyber attack happens. It can be difficult for organizations with complex IT environments (or in particular, organizations that have recently acquired another company) to be confident about their back up position. Emphasizing a point made in the resilience session, it is very important to determine your position at the pre-incident stage.
Mitigating future risk, managing disputes and litigation
Our partners Anna Gamvros, Charlie Weston-Simons, counsel Steven Hadwin and consultant Steve Wood (previously Deputy Information Commissioner at the ICO) explained the post-incident exposures organizations might face following a cyber incident.
Anna Gamvros provided an overview of the new cyber security and critical infrastructure laws emerging across the Asia Pacific region. She explained how certain regulators are taking a more interventionist approach while others are only now asking questions about incidents that took place nearly ten years ago.
Charlie Weston-Simons and Steven Hadwin discussed the question of obtaining an injunction to prevent the publication of stolen data. In the U.K., the starting point is that it is generally quite straightforward to remove stolen data from websites by making a takedown request to the ISP (the company which hosts the data).
However, in some cases, takedown requests are not successful, which may justify applying to the courts for an injunction (the recent Synnovis injunction being a good example of this).
Injunctions are also sometimes obtained where the stolen data is very sensitive, or where it contains personal data and the data controller is applying pressure to take this step.
When it comes to post-incident litigation risk, the primary concern in the U.K. is the potential for commercial claims arising from disruption caused by the incident, especially for companies which supply key goods and services. Organizations should therefore review their contracts to understand their liability exclusions and caps in the context of a cyber incident, or whether a force majeure clause would be applicable. Following the Supreme Court decision in Lloyd v Google, the risk of personal data breach claims being brought on a collective basis in the U.K. is no longer a pressing concern, although such actions are still seen from time to time (the current claim against Capita being a good example).
Steve Wood shared insights into the regulator’s investigation process and the enforcement approach of the current Commissioner, John Edwards.
For more on our insights and expertise, including from our global cyber team, visit our cybersecurity expertise page.
