Understanding Cyber Risk: Unpacking and Responding to Cyber Threats Facing the Public and Private Sectors
78 Pages. Posted: 3 Nov 2022. Last revised: 13 May 2024
Date Written: October 31, 2022
Abstract
Cyber-attacks, particularly ransomware campaigns, continue to pose major threats to businesses, sovereigns, state and local government, health and educational institutions, and individuals worldwide. Successful instances of cybercrime often involve sophisticated attacks from diverse sources: organized crime syndicates (as seen in the growing use of zero-day exploits in their operations), actors engaged in industrial espionage, nation states, and even lone-wolf actors with relatively few resources. Technological innovation continues to outpace the law's ability to keep up. By mid-2022: nation-state and international criminal group ransomware attacks continue; serious exploits of the Log4j server software library become evident; U.S. embassy phones are hacked; Russia deploys cyberwarfare in its invasion of Ukraine; and theft of valuable intellectual property through cybersecurity breaches is reported. This Article argues that an all-of-the-above approach to enhancing cybersecurity is needed to address these multi-faceted cyber risks.
Our Article proceeds in nine parts. First, we provide an overview of the cyberthreat environment. Second, we discuss the current cybersecurity legal landscape. Third, we offer thoughts on teaching and conceptualizing the role of cybersecurity in business and society. Fourth, we introduce cybersecurity and corporate governance. Fifth, we discuss how corporate directors govern cybersecurity. Sixth, we explore the emerging cyber threat from nation-states and the impact of geopolitics on business. Seventh, we focus on issues involved in identifying and responding to digital attacks. Eighth, we look at the Securities and Exchange Commission (SEC) and the regulation of cyber risk. Last, we conclude. We believe our paper adds to the important body of cybersecurity literature that explores the roles of government and business, particularly corporate directors, in the governance of data security.
Keywords: Audit Committee, Board Structure, Corporate Governance, Crime, Cyber, Data Breach, DHS, Directors, Enterprise Risk Management, Hackers, Incentives, Information Technology, Internal Controls, Market Failure, National Security, NCCIC, NIST, Ormerod-Trautman Cybersecurity Efficiency Model, OWASP