It’s one of the truly unfortunate gifts that keeps on giving, thanks to hackers showing no sign of letting up or dwindling in number. This state of affairs is partially driven by state funding from US adversaries (so, geopolitical reasons) and partially by common criminals who continue to obtain better tools and gain experience, and whose attacks become more sophisticated as a result. The relatively low risk and high reward of cybercrime also make it more attractive than traditional criminal activities.
The WSJ said last week that the year ahead will feature many of the same headaches as 2023 in this arena: rising cybersecurity threats, more regulation to track (at the state and even more local levels), rising costs of insurance coverage, and new malware strains emerging as quickly as old ones fade.
Cyber trends
Some of the trends the article notes are:
- Chief information security officers (CISOs) are increasingly responding to attacks by working with the chief risk officer, general counsel, and chief financial officer to establish cyber-risk policies and processes. “That collaboration is vital as the Big Four cyber adversaries of the US – China, Iran, North Korea and Russia – show no signs of slowing attacks,” the WSJ notes.
- Cyber spending as a percentage of overall information technology spending increased in 2023 and is expected to continue on that path. The retail and healthcare sectors continue to be favorite hacker targets, with the latter sector suffering a record number of cyberattacks, mainly against hospitals. CISOs can get some financial and tactical relief in 2024 from Biden administration programs targeting that sector, though.
- Incident response costs eat up a big chunk of cyber-incident spending and are often underestimated. The WSJ notes that healthcare, financial services and pharmaceutical companies rack up the largest incident-response costs. A big part of the cost in the incident-response phase is determining exactly what was stolen, rather than communicating with stakeholders (like customers) about the incident. Forensic review of a breach can involve bringing in external experts, employing expensive tools, and taking up a significant amount of internal resource time and energy. (But finding current and accurate contact details for all potentially affected customers is not exactly fun or cheap either.)
- The good news in the cyber-insurance area is that more businesses are buying cyber insurance to help cover business disruptions and other expenses in responding to cyberattacks. That is helping bring down the cost of such insurance. The bad news is that the time and effort required to obtain cyber insurance is increasing significantly for US organizations, with the number of companies requiring six months or more to obtain coverage rising year over year, according to Delinea’s 2023 State of Cyber Insurance report, which is based on a survey of 300+ organizations. And about seven in ten (70%) enterprises with cyber coverage said their insurance carrier required them to select from the carrier's panel of providers, according to research by Forrester.
Recent rules in the cyber sphere
Recent legal and regulatory developments in cybersecurity include the CFTC proposing a rule last month that would require futures commission merchants (FCMs), swap dealers and major swap participants to establish an “operational resilience framework”. It is the CFTC’s first proposed cyber and operational resilience rule that would apply to swap dealers (including banks) and FCMs.
New York regulators announced plans to issue cybersecurity regulations for hospitals, after a series of attacks crippled operations at medical facilities.
The top financial watchdog for New York updated its cybersecurity regulations in November, adding strict internal controls and risk assessment requirements, plus notification obligations around ransom payments, that go further than recent federal rules. (The federal cybersecurity rules — issued by the SEC — just went into effect in December.)
In the area of artificial intelligence (AI) safety and security, President Biden issued an Executive Order in October that the White House said is designed to manage the risks of AI, establish new standards for AI safety and security, enhance privacy safeguards, and protect consumers and workers, while still promoting innovation and competition.