New Cybersecurity Incidents, Deepfake Risks and Targeted Backup Data: April Cyber News Bytes

Top Privacy and Cybersecurity Issues to Track In 2024

In this article, Baker Donelson discusses the pressing privacy and cybersecurity issues for 2024. New state privacy laws are taking effect alongside a changing cyber threat landscape. Social engineering and AI-driven phishing attacks are on the rise, pushing threat actors to devise new ransomware coercion tactics. The use of deepfakes and AI in financial fraud is growing, while the SEC’s cybersecurity disclosure rules, implemented in December 2023, impact public and private companies alike. Class action lawsuits and regulatory enforcement related to cyber incidents are increasing. Vendor and supply chain attacks persist, emphasizing the need for robust vendor management controls. Baker Donelson suggests key practices to help companies prepare and respond to cyber threats this year.

100 Days of Cybersecurity Incident Reporting on Form 8-K: Lessons Learned

The SEC’s new cybersecurity incident disclosure rule, effective since December 18, 2023, has posed challenges for publicly traded organizations regarding the determination of materiality and the 96-hour disclosure deadline. In this article, legal professionals from Debevoise & Plimpton analyzed the first 100 days after the rule’s enactment. By March 28th, 2024, 11 companies had filed Forms 8-K under the new rule, with eight disclosing incidents within four business days of detection. Among these, two reported material impacts on operations and only one disclosed a financial impact on earnings. While companies are disclosing incidents quickly, they’re also amending filings with more details as they emerge, balancing the urgency of disclosure with the risk of premature disclosure. Given the complexities, companies are advised to consult securities attorneys before disclosing incidents under the new rule, with further insights expected as 2024 progresses.

Real Insurance Coverage for Increasing AI Deepfake Risks

Deepfake scams, leveraging artificial intelligence to fabricate convincing scenarios, pose a significant cyber threat to organizations. This Reuters article delineates various forms of deepfakes, including face reenactment, generation, swapping, and speech synthesis. A CNN report cites a notable instance in Hong Kong where a highly sophisticated deepfake duped an employee into authorizing fraudulent payments exceeding $25 million. As deepfake sophistication rises, companies must establish robust policies to educate employees about these risks and emphasize the importance of verifying requests before sharing information or transferring funds. The article notes the evolving landscape of cyber insurance, with insurers adapting policies and underwriting practices to address emerging threats. Insurers are developing endorsements to clarify coverage related to artificial intelligence and deepfake technology, with some potentially broadening coverage while others may narrow it to mitigate risk. This trend is likely to persist as new cyber threats emerge, necessitating ongoing adjustments in insurance coverage and risk management strategies.

Sophos Study: 94% of Ransomware Victims Have Their Backups Targeted

This article highlights the dire consequences of ransomware attacks on organizations’ backup data, stressing the importance of robust protective measures. According to Sophos’ study, 94% of companies hit by ransomware had their backups targeted, leading to increased ransom demands and recovery costs. Sectors such as state and local governments, media, entertainment, transportation, energy, education, and IT are particularly vulnerable. Implementing preventive strategies like the 3-2-1 backup approach, offline backups, immutable storage, regular testing, access controls, backup encryption, and real-time monitoring is crucial for safeguarding data and ensuring swift recovery in the face of ransomware threats.