Security threats are getting more sophisticated – and expensive – and this trajectory will continue. Digital footprints and technology usage will only keep expanding, adding to vulnerability and presenting more opportunities for compromises to occur. This complexity puts all companies in the path of a breach.

According to a report released in summer 2023, federal data breach class action filings have risen 154% in a year’s time. The 2022 FBI Internet Crime Report shockingly reported that there were 800,944 cybercrime complaints in 2022.

New technology drives excitement and innovation but also introduces new risk. Chat GPT is a fitting example. It is one of the most heralded and discussed technologies in the world but has just as quickly been the victim of breach already in 2023.

What is worse than a breach and attack? The resulting class action lawsuit or other liability for failing to prepare and respond well. This increases costs and can damage reputations. To control liability and litigation exposure as well as minimize business disruption, we’ll discuss the top areas for cyber risk exposure and key cyber preparedness strategies and practices insureds should implement.

Areas of Cyber Risk Exposure

To prevent having to file a claim against a cyber liability insurance policy (or fund the remediation yourself), it’s important to perform regular and specific cyber risk analysis.

Since the cyber threat landscape is dynamic, it is crucial to keep informed on current threats and trending attack methods. It is also critical to determine how these trends fit in with the company’s specific risk profiles, security controls, and priorities. Top areas of attacks include the following:

Cyberattacks. The top attack vector. For cyberattacks, phishing and ransomware were the top methods used by cybercriminals. Malware came in third, with a stunning 89% increase from the first half of 2022.

Deepfakes. Deepfakes are videos, pictures or audio that have been convincingly manipulated to misrepresent a person saying something they never said or doing something they never did. Cybercriminals can access public company data and make changes or synthesize new content via a deepfake. Sixty six percent of participants in a 2022 VMware survey reported that their organization experienced a deepfake incident. The advent and adoption of technologies such as ChatGPT only increase this risk and the realism of deepfakes.

M&A activity. Threat actors watch for talk of M&A activity and view this as an opportunity to attack. There are a lot of moving parts and data transfers, which can lead to diminished security awareness and more vulnerability. This increases the likelihood of ransomware attacks, phishing and other attempts to access sensitive or proprietary information.

Supply chain attacks. Supply chain attacks can exploit vulnerabilities in the physical flow of assets – including processing, packaging and distribution processes. These attacks can take many forms, such as malicious code injections into legitimate software, hijacking software updates, and attacks on IT and operational technologies. They involve creating or taking advantage of security weaknesses in solutions companies trust.

Everyday activities (system and human error). Example: An employee sending out the wrong file or losing their laptop could lead to a data compromise.

Risk Strategies

Insurance carriers now require cyber preparedness plans before they provide new or renewed cyber coverage, and there is an ever-increasing web of privacy and security laws and regulations globally that companies must be prepared to comply with. Classic examples include GDPR and California’s Consumer Privacy Act, and more recent examples include the SEC’s recently adopted rules and India’s recently passed Digital Personal Data Protection Act.

While cyber preparedness practices are plentiful and flexible, it is critical not to discount legal’s involvement. While incident response heavily relies on technical and forensic actions, legal implications are just as important and will come into play at every phase. Breach notification, impact assessment, privacy law compliance, and regulatory reporting are a few areas where the legal team will have an integral role in response efforts.

Building a deep culture of cyber preparedness is essential in today’s landscape. There are several best practices recommended for organizations to invest in to help implement preventative measures and reduce the risk associated with cyber events. Some of these include:

Collaborative training and planning. Organized response plans with a playbook outlining roles for key stakeholders (including the cyber insurance carrier) build an internal culture of cyber awareness. This often includes training on detection and reporting procedures for employees, and mock breach tabletop exercises for employees, outside vendors and legal counsel. In these exercises, key stakeholders can discuss assessments, determine risk tolerance, and consider alternative approaches that lessen risk while still advancing goals. Documentation should be reviewed and updated at least annually and anytime there is a material change in technology or key stakeholders.

Information governance. An outside consultant can help mitigate the risk of cyber incidents by reducing the volume of data stored in a legally defensible manner, data mapping and categorizing files, and advising best practices to follow from both a compliance and security perspective. Employ people to deploy processes that will enable the benefits your technology can provide.

Threat detection software and services. Specific software that analyzes your entire security infrastructure can identify malicious activity that could compromise the ecosystem. The use of software can be enhanced by establishing or hiring experts for a security operations center. These experts can monitor activity in your environment and assess threats to it with 24/7 eyes on glass and retainer programs to ensure they are prepared to respond to any threat or suspicious action immediately. These can be deployed and utilized for both compliance and security purposes.

M&A cyber playbook. Create a playbook outlining roles for key stakeholders and outlining a separate category of due diligence review into cyber risk. Develop strategy with “security by design” to align expectations and ensure that cyber risks are at the forefront of due diligence investigations so teams can identify gaps and react accordingly. As with training and planning, documentation should be reviewed and updated at least annually and anytime there is a material change in technology or key stakeholders.

Regulatory monitoring. Current and future legislation around the globe will continue to influence the level of cybersecurity needed to protect sensitive information and dictate response obligations should there be an event. Discounting this step and similar obligations such as contractual mandates can result in legal exposure and failure to meet your obligations during and after a breach event.

Retain cyber counsel. Organizations should consider retaining outside counsel specializing in cybersecurity and breach response or hiring a staff attorney practicing in this area. This can serve a dual purpose by also helping meet compliance obligations. Some global data privacy regulations obligate organizations to have a designated data privacy officer on staff or engage cyber counsel.

Retain incident response vendors. Vet and contract with your response vendors before you are in an actual event. No one wants to rush through contracting processes, and the last thing you will want to be doing while in a breach situation is a procurement exercise. By taking care of these steps ahead of any breach you can ensure you pick a competent provider for these services, which is critical when avoiding the risk of your event turning into a class action event.

While cyber awareness seems to be improving, the sophistication of cyber attacks is matching that process. The technology landscape can be a treacherous one to navigate, but by monitoring cyberattack trends and implementing these strategies, organizations will be better equipped to anticipate and respond to cyber incidents before a devastating breach occurs. This will diminish the chance of class action activity, compliance violations, lost business and exorbitant costs.

Brandon D. Hollinder, Esq.

Hollinder is Epiq's vice president of eDiscovery and Cyber Solutions.