From a Major League Baseball scouting director using a cyberattack to break into a competitor’s records, to an NBA franchise being compromised in a phishing scheme, U.S. professional sports leagues are waking up to the fact that cybersecurity is no longer just a problem for the government or tech firms. It has now reached the playing field, the locker room, and the boardroom.
In this Valorr Insight, we break down how the four major U.S. professional sports leagues (Major League Baseball, the National Football League, the National Basketball Association, and the National Hockey League) are currently protecting themselves from the cyber risks that threaten the competitive integrity of their games, and detail ways in which the leagues could do more to proactively mitigate that risk.
Unfortunately, the leagues’ efforts to safeguard the competitive integrity of their competitions from these threats have been slow to develop. Rather than formulate league-wide cybersecurity standards, U.S. leagues appear to largely defer to their teams to protect themselves from cyber intrusions. The leagues have also not enacted specific rules to deter their teams from targeting one another in cyberattacks. At the same time, the existing academic literature has largely overlooked the industry and has not analyzed the unique cyber risks that these high-visibility leagues and franchises face.
The common themes we see when conducting cyber threat assessments in this space are:
- Data Overload: Players, coaches and equipment generate large volumes of performance, medical and tracking data, which is sent back to the front office to inform decisions. If that data is altered or stolen, the team’s reputation and its ability to make sound decisions are at severe risk.
- Connected Everything: From third-party vendors at stadiums, to connected lighting, to cloud-based security systems and payment terminals, everything across the professional sports landscape is connected to the internet today, and the safety of the crowds inside the venue depends on those systems working.
- Single Points of Failure: Many teams have one system through which everything important about their players flows. Whatever that system is for your team, from a cybersecurity standpoint it is a single point of failure: the system attackers will look for first, and the one we recommend you protect most.
- Not Enough Focus on Connected Devices: Many of the teams we work with are very strong at physical security but often lack the expertise or resources to tie it to their cybersecurity program. We strongly encourage teams to converge their physical security strategies with sound cybersecurity practices and capabilities.
The Unique Cyber Threat Landscape Under The Lights
It is no secret that the cost of cyberattacks on both the public and private sectors is mounting. According to a recent National Bureau of Economic Research report, large companies that are victims of a cyberattack in which customers’ personal data are compromised realize an approximately 1.1 percent loss in market value and a 3.4 percentage point drop in sales growth. These statistics are sobering, given attackers’ frequent success in penetrating even the most guarded corporate networks. One recent example of this all too familiar phenomenon was the alleged Chinese government hacking of a U.S. Navy contractor charged with developing a top-secret supersonic missile.
In fact, one leading cybersecurity scholar has reported that “[n]inety-seven percent of Fortune 500 companies have been hacked . . . and likely the other [three] percent have too, they just don’t know it.”
Three trends are making it much more difficult for sports organizations of all sizes to mitigate the array of cyber risks they face:
The evolution of the Internet of Things (IoT): With the explosion of connected devices in our businesses and our homes, we are seeing rapid expansion of the cyber threat surface for organizations, and more doors for attackers to come through. Vulnerabilities in network-connected systems can cause widespread supply chain disruption, for example when they are used to spread ransomware. The WannaCry and later NotPetya attacks spread across unpatched, network-exposed Windows systems, impacted more than 7,000 firms globally, and cost the shipping giant Maersk more than $200 million. The same kinds of vulnerabilities can, in turn, help fuel the theft of invaluable trade secrets, which are the lifeblood of major Fortune 500 firms as well as the professional sports industry. Sports teams are increasingly relying on IoT applications to track their players’ movements, training, and dietary regimens, and every one of those devices is a potential entry point.
The difficulty of protecting trade secrets in such an interconnected digital ecosystem: Any cyber intrusion against a professional sports team operating in the United States would potentially run afoul of several existing laws, such as the Computer Fraud and Abuse Act (CFAA), the Economic Espionage Act (EEA), the Uniform Trade Secrets Act (UTSA) and the Defend Trade Secrets Act (DTSA). In practice, however, we often see attackers cover their tracks expertly, which makes attribution and any post-incident legal action difficult.
The proliferation of threats to critical infrastructure, including public facilities: Many critical infrastructure sectors in the U.S. are subject to an array of federal and state regulations, given their vital status to national life. Examples range from the North American Electric Reliability Corporation standards to the Health Insurance Portability and Accountability Act (HIPAA). As we will see below, however, professional sports leagues have long enjoyed a special status in which policymakers have allowed them leeway to self-regulate. The question going forward is whether this should continue in light of the serious cyber risks facing these organizations, their players, staff, and fans.
Each of these trends is analyzed below in turn to provide context for these debates before focusing in on the specific issues confronting the U.S. professional sports industry.
“Professional sports teams that fail to evolve their cybersecurity practices with the recent threat landscape are at a significant disadvantage, both from an IT and on-the-field standpoint.”
How could Front Offices be better prepared?
The best approach for managing cyber risk is to develop an informed perspective through a streamlined and manageable process that treats cyber risk on an equal footing with other types of risk, such as financial risk, vendor risk and legal risk.
Formal practices for managing cyber risk should align with other risk management and security approaches that are in place, where cyber risk is treated as just another risk.
If you are in the professional sports business, we advise that you take the following actions:
- Document Single Points Of Failure: Document your critical systems, along with the processes and manual procedures you would fall back on if those systems went down.
- Understand Cyber Risks to Players and Operations: Identify your team’s most critical connected risks and address them with a reasonable plan. Take into account the cyber threats to your players; their reputation can be your most valuable asset.
- Document an Incident Response Plan: Ensure your organization and its leaders know how you will respond to a cyber incident or IT disruption. This proactive planning can save you millions.
- Back up your data: Back up your data within resilient infrastructure and test those backups frequently by actually restoring from them. Not all backup and data storage facilities/services are created equal!
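A backup that has never been restored is an assumption, not a control. The following is an added example, not code from Valorr or from the original page, of the kind of restore test the last item calls for: hash every file when the backup is taken, restore into a scratch location, and diff the two trees so that missing, altered or extra files are reported rather than discovered during an incident. The directory layout, file names and contents are constructed for illustration; a real job would point `build_manifest` at the live system and `verify_restore` at the restored copy.

```python
"""Backup restore-test: hash the live data, hash the restored copy, diff them."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(expected: dict[str, str], restored_root: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest captured at backup time.

    Returns files missing from the restore, files whose content changed, and
    files present in the restore that were never in the manifest. An empty
    result in all three lists means the restore reproduced the source exactly.
    """
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "unexpected": sorted(set(actual) - set(expected)),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario (hypothetical data): back up a small tree, damage
    the copy, and run the check. Returns the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "scouting").mkdir(parents=True)
        # Constructed sample files standing in for front-office data.
        (live / "scouting" / "draft_board.csv").write_text("player,grade\nA,70\n")
        (live / "medical.json").write_text('{"roster": []}')

        manifest = build_manifest(live)      # hashes recorded when the backup runs
        backup = Path(tmp) / "backup"
        shutil.copytree(live, backup)        # stand-in for the real backup job

        # Simulate silent corruption/tampering of one file and a failed restore of another.
        (backup / "scouting" / "draft_board.csv").write_text("player,grade\nA,40\n")
        (backup / "medical.json").unlink()

        return verify_restore(manifest, backup)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Store the manifest separately from the backup itself (ideally signed or on write-once media), otherwise an attacker who can alter the backup can alter the manifest to match, and the test will pass while the data is wrong.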
As cyber threats continue to proliferate, anticipating and managing them at all front office levels will remain vital during 2022 and beyond. As recent events have shown, professional sports teams are vulnerable on a variety of fronts, from their vendors and third-party suppliers to their players. Taking steps now to put proactive protections and risk management practices in place can help reduce these risks and help ensure that the playing field remains competitive and your advantages stay under your roof.
The Valorr Team looks forward to providing continual insight relevant to your industry. For other tips on staying cyber informed, please visit our additional Valorr Insights at valorradvisors.com.