Communications Under Attack: The Important Role of Crisis Communications During a Cyber Event

6–19–2023 (Monday)

Hello and welcome to Cyber Risk at Deal Speed your weekly video update on the one big thing in cybersecurity for private equity investors and the management teams of their portfolio companies.

I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io

Today is Monday, June 19th, Juneteenth here in the US. While this holiday celebrating the emancipation of enslaved African Americans only became a recognized federal holiday in 2021, it has been celebrated since 1866, three and a half years after the Emancipation Proclamation of 1863 and one year after Texas became the last state in the Union to proclaim freedom for enslaved people, on June 19th, 1865.

This week: communications (or lack thereof) is in the spotlight as the attacks continue. Some we’ve talked about here, and some it seems nobody wants to talk about. So, let’s dig in.

Communications Under Attack

We’ll get to the updates and the growing impact of the MOVEit vulnerability in a bit, but I want to lead the news this week with a short blog post that Microsoft quietly released on Friday (what the media industry calls a “news dump”) acknowledging that the disruptions to Outlook, SharePoint, Teams, and OneDrive earlier in June were not simply “technical issues” - but rather the result of Layer 7 (application-layer) Distributed Denial of Service attacks by “Anonymous Sudan” - a Russian-linked hacking group posing as Sudanese Islamic fundamentalists.

The Associated Press noted that Microsoft refused to provide details on the number of customers impacted, and described the company as “initially reticent to name the cause.” Microsoft published that blog post only after the AP started sniffing around on the story mid-week, posted it on a Friday night, and didn’t link to it from any of its social media or news channels - which brings us to our point about Communications Under Attack.

We spend a lot of time thinking about the threats - ransomware gangs, nation-state actors, crypto fraud - but significantly less time thinking about our response, and even less thinking about our non-technical response.

Just as it’s worthwhile to run a tabletop exercise of your Incident Response Plan, the same is true for your communication plan - both internal and external.

Earlier this week, Karim Toubba, CEO of the embattled password manager LastPass, reflected in an interview on how his team handled a high-profile cyber attack.

“LastPass should have shared information more quickly, he said, and not waited for complete disclosure until it had all the information stitched together as it did in March when Toubba issued his fifth and most detailed blog post related to the cyberattack to date.”

“That sort of steady drumbeat of information out to the market would show the progress as opposed to going dark for a period of time while we gathered all the information and then publishing it all at the end,” Toubba said.

Requirements from the SEC’s proposed cyber rule have been pushed back until at least October 2023, but the Cybersecurity Working Group of the National Association of Insurance Commissioners is putting together its own incident response outline that is likely to drive this function at the state level for all insureds - not just public companies.

Whether it’s a regulatory requirement, an insurance mandate, or simply best practice, leadership teams need to make sure the communications channels - what, to whom, and when - are clearly defined for the types of events and incidents they’re likely to face. As the LastPass CEO noted in his interview, more transparency is better - but that’s something he only realized in hindsight.

The stakes are high, and you can’t afford to add to the cost through communications mistakes.

Update: MOVEit Impact Expands, Additional Vulnerabilities Disclosed

The saga around the MOVEit attack continues to grow, with vendor Progress Software reporting yet another critical vulnerability in MOVEit Transfer on June 15th - the third since the end of May - along with a third patch.

At the same time, the list of victims has grown to include the Oregon Department of Transportation and the Louisiana Office of Motor Vehicles (each losing approximately 3 million records containing PII), plus the Minnesota Department of Education, the US Departments of Agriculture and Energy, and a handful of private companies. Patch your MOVEit Transfer instances (or take them offline), and keep in mind that a patch does not undo a compromise that already happened: review those systems for signs of earlier exploitation before trusting them again. Watch this space.

Fundraising

A slower week from a volume perspective, but the new $16.5B fund from TA Associates bolstered the week’s total to just over $19B raised.

With one week to go in Q2, our calculations put the quarter at just over $212B, leaving that quarter-trillion number within striking distance - though it’s going to take a big week to get there.

You can find all the links to the stories we covered in the comments section below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next Monday for another edition of Cyber Risk at Deal Speed.

Links

https://msrc.microsoft.com/blog/2023/06/microsoft-response-to-layer-7-distributed-denial-of-service-ddos-attacks/

https://apnews.com/article/microsoft-outage-ddos-attack-hackers-outlook-onedrive-7a23f92ab3cc2b7f0c590c7d08cf03fe

https://www.cybersecuritydive.com/news/lastpass-ceo-reflects-cyberattack/652818/

https://www.insideprivacy.com/cybersecurity-2/sec-delays-cybersecurity-rules/

https://content.naic.org/cmte_h_cwg.htm

https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability
