In 2022, we saw a large number of cyber attacks and breaches that affected both companies and countries, driven primarily by accelerating innovation by threat actors and continued diversification of the threat actor economy. While many technical responses have been proposed, the policy responses pose a more challenging issue, as companies will need to comply with public policy decisions despite challenging macroeconomic conditions and a persistent lack of skilled professionals to work on cybersecurity.
2023 will be the year in which multiple regulatory bodies in the United States express their mounting frustration with a perceived inability on the part of public and private companies to effectively manage their cyber risk. Instead of relying on self-regulation, these regulatory bodies will now prescribe how companies should manage their risks.
In short, 2023 will be the year of risk.
The Current State of Risk
An unprecedented six regulatory entities have announced separate plans to enact additional rules in 2023 instructing companies on how to manage their risks:
- The Department of Defense (DOD)
- The Federal Reserve
- The Federal Trade Commission (FTC)
- The New York Department of Financial Services (NYDFS)
- The Office of the Comptroller of the Currency (OCC, part of Treasury)
- The Securities and Exchange Commission (SEC)
These entities wouldn’t be telling companies how to manage their risks if they believed that there was adequate risk management being conducted today. Instead, the pending regulatory changes are intended to cover perceived systemic shortcomings associated with cyber risk management.
Regulated companies may try to pick apart each new regulatory requirement to achieve the minimum standard of compliance. The drawback of this approach is that it forgoes good ideas that competitors may have already adopted based on requirements from other regulatory bodies and/or best practices. A primary reason regulatory entities are making changes is that companies meet only the minimum requirements and do not look at the larger regulatory environment for new or novel approaches.
Risk modelers and analytics experts know that we can’t predict or control the world with any degree of certainty, but it’s important to brace ourselves for the upcoming risks and new opportunities the coming year will present.
Here are eight key risk management predictions we have for 2023 that will shape the risk management industry.
1. CISOs should expect to see org chart changes
Being knowledgeable on cyber risk is not a new job requirement for CISOs. Pending regulatory changes require that the CISO be independent. Being independent will likely require organizational chart changes, as CISOs have historically reported to the CIO, CTO, or another senior executive with a background in technology.
These senior executives often have goals and incentives that conflict with those of the CISO; for example, the CIO may be charged with digital transformation at a rapid pace without adequate consideration for security, or a CTO may be incentivized by rapid product releases that may carry significant security risks.
This frequently creates an implicit conflict of interest when budgets and staffing considerations arise, as the incentives of the CIO or other senior executives do not necessarily align with the goals of the CISO. In today’s macroeconomic landscape, CISOs may find their proposed budgets cut if the budget does not advance the goals of the senior executive they report to.
In 2023, CISOs should prepare to be adequately independent and have good visibility into the management of cyber risk. Being independent includes the responsibility of setting staffing and budgets for approval by a committee, rather than providing a cybersecurity budget line item as part of another senior executive’s larger budget for the year.
This responsibility gives the CISO a seat at the table for budgetary prioritizations, and if phrased in the language of risk, CISOs can successfully translate their budgetary priorities into a net reduction of risk for the company.
2. CISOs will receive more risk-related questions from the board …
It’s already difficult for organizations to continue to silo cyber risk as ‘different’ than business risk. A number of factors — including but not limited to digital transformation, the pandemic, remote work, supply chain vulnerabilities, the slow return to the office, and proposed rulemaking — have fundamentally changed how organizations and public sector entities do business. Board members are paying attention, and they are interested.
Thus, boards want to have more oversight of cyber risk. In 2023, organizations should plan on inviting their CISO to a board meeting (and to be somewhat forgiving of that first meeting with those CISOs who come from a technical background). While not all board members need to understand cybersecurity, all CISOs (or CIOs, or whoever presents to the board) need to be able to speak to the board in the language of risk to effectively communicate status, learn about larger initiatives, and ask for assistance or perspective when needed. Although this will be a new requirement for publicly-traded companies, privately-held companies should strongly consider adopting this new change to reporting.
CISOs will need to be prepared to talk to the board about business-level risks — not specific technologies — and to address their risk treatment plans at an adequately high level. If a specific board member has a background in cybersecurity, CISOs should offer to take them out for coffee on a regular basis for deeper conversations.
3. … and as a result, companies will need to be more diligent about communicating risk
Companies should track the risk of non-compliance and be able to describe the risk management plans they have in place for it. Depending on the specific regulatory body, civil and criminal penalties are potential outcomes, as are congressional hearings and reputational damage.
For example, consider the case of Aerojet Rocketdyne. They recently settled for $9 million to resolve allegations that the company violated the False Claims Act (FCA) by misrepresenting their compliance with cybersecurity requirements in certain federal government contracts. This FCA settlement with the DOJ illustrates the sorts of risks DoD contractors face in their attestations.
Companies like Aerojet Rocketdyne must also consider reputational risks: during testimony, Aerojet said that they had some security equipment but neglected to mention that they hadn’t yet unboxed that equipment. This attempt to “bend” the truth is likely to lose them business.
Companies that have DFARS requirements — particularly those with CMMC level 2 control requirements — hold the dual risks of non-compliance leading to denial of future DoD contracts as well as the potential of whistleblowers under the False Claims Act. Failing to document and communicate these risks means that boards and senior leadership may be unaware of them and unintentionally accepting the potential negative outcomes.
But organizations are learning from examples like this, and the need for CISOs to improve their ability to communicate risk is increasing. We predict that more CISOs will look to risk management software and other tools in 2023 to help quickly analyze their risk and compliance posture, track risk mitigation, and build risk management reports to better communicate risk to the rest of their organizations.
4. Non-banking institutions now covered under GLBA will need detailed written risk management plans
The FTC extended the deadline to comply with the GLBA Safeguards Rule until June 9, 2023. For those unfamiliar, the “financial institutions” covered by the Safeguards Rule broadly include non-bank entities “engaging in an activity that is financial in nature or incidental to such financial activities.” This definition is loose enough to include companies that are not technically financial institutions, like alternative lenders, retailers that extend credit to customers, and even colleges and universities that administer federal student aid programs.
Having an extra six months to implement cybersecurity controls and a risk assessment might be ideal, but there’s a flip side: this delay isn’t a great sign, as the required controls are table stakes for modern companies. Newly qualified “non-banking institutions” have a lot of work ahead of them, and a shortage of qualified information security personnel and supply chain issues affecting IT and security systems could restrict their ability to comply with the new requirements.
Having an annual written risk assessment is more important than ever, and these plans shouldn’t just be a paper tiger. Rather, companies should have a functional risk management system and be ready to describe how they operate it regularly to comply with the Safeguards Rule. Although it’s possible to conduct risk operations manually, many participants may deprioritize this activity because people are generally uncomfortable talking about risks. This can be compounded by the time it takes to collect information about risks and measure the effectiveness of mitigating controls, or by uncertainty about how to conduct a risk committee meeting.
Companies that lack a formal risk management plan should create one based on a published risk management framework, like ISO or the NIST RMF. Similarly, companies should plan on automating as much of their risk management as possible, so as to improve efficiency and reduce the possibility of human error or omissions, which can lead to an inaccurate understanding of a company’s current risk stance.
Enforcement actions in the second half of 2023 will reveal the laggards that didn’t get the memo or chose ‘hope’ instead of a strategy to improve their cybersecurity maturity.
5. CISOs will need to invest in internal assessments as more security breaches hit the news
Cybersecurity breaches have been a hot topic in 2022, with several high-profile cases making national news. For example, the FTC sought action against Drizly — and its CEO, Cory Rellas — for cybersecurity failures affecting over 2.5 million consumers. Notably, the FTC specifically named and sanctioned Rellas — a new move for the governing body. This change in posture may indicate a larger shift towards enforcement at the FTC, particularly for organizations that don’t have adequate controls around the protection and disposition of consumer data.
And, of course, we have to mention Twitter. Whistleblower and former head of security for Twitter, Peiter “Mudge” Zatko, released an 84-page complaint about the social media giant, alleging all manner of cybersecurity shortcomings, like:
- Poor access controls that left the company in violation of a consent decree with regulators
- Ill-defined roles and responsibilities for cybersecurity
- An inability to segregate different types of data
These comments were — to put it lightly — not well received, especially considering Twitter’s more recent problems as Elon Musk acquired the company in October of 2022. Twitter’s Chief Privacy Officer, CISO, and Chief Compliance Officer have since departed, and the FTC has its eye on the tech giant.
One lesson carries across these stories: the importance of effective internal assessments, as they are critical tools for finding weaknesses in your security program and ensuring that those weaknesses are fixed. We predict a sharp increase in investigations with adversarial discovery in 2023 as companies watch these major news stories play out in real time. Tech companies like Twitter and Uber have conducted massive layoffs in the midst of this turmoil, demonstrating the profound business impact cybersecurity breaches have, especially during times of economic uncertainty.
6. Cryptocurrency regulation will quickly evolve
With the recent news of FTX’s collapse, the economic fallout that ensued, and Sam Bankman-Fried’s recent arrest and indictment for fraud and conspiracy, cryptocurrency is top-of-mind, even for the average American barely educated on the subject. Retail investors are now pulling out in droves after the cryptocurrency darling — with an initial valuation of $32 billion — suffered a swift fall from grace, losing billions in value and hurting the broader market.
FTX’s new CEO, John J. Ray, who took the helm after FTX CEO and founder Sam Bankman-Fried stepped down, alleges that the company made an effort to conceal misuse of customer funds. Ray, who previously oversaw the cleanup effort at Enron, issued an assessment of FTX’s management practices, citing poor record-keeping, compromised systems integrity, faulty regulatory oversight, and a lack of experience among senior managers.
And to top it all off (as if this wasn’t enough to raise security and compliance concerns for the pros and governing bodies), within hours of filing for bankruptcy, FTX reported “unauthorized transactions,” which led outside analysts to believe the company lost about $477 million in a suspected hack.
So, what does this mean for security, compliance, and risk professionals? To start, the legal battle against Bankman-Fried could result in a shift in perspective from regulatory bodies on how cryptocurrency should be monitored. The U.S. Securities and Exchange Commission (SEC) might see FTX’s collapse as a justification for tightening regulations on digital tokens and exchanges, and Congress may be more inclined to pass new regulatory laws.
The volatility of the crypto market, combined with its new frontier of economic trade, has opened regulatory and security loopholes that governing bodies are still trying to adjust to, and we expect to see new conversations (and plenty of crypto regulation) emerging in 2023.
7. SMBs will have to increase security control monitoring to avoid cyber attacks
Smaller companies are more vulnerable to cyber attacks, but why? Simply put, they don’t have the budget or resources to combat ransomware attacks, which is why they are a high priority for threat actors. For example, multi-factor authentication has transformed from merely a suggestion to a must-have in the last two years as the pandemic increased the number of people working from home and in more vulnerable security environments.
More controls in place mean more processes for maintaining those controls, which results in more manual processes that IT security professionals must handle. For example, SMBs will need to map the GDPR compliance legalese to controls for breach notifications, or quickly find CIS Control Group 3 to help with data disposal.
IT, security, and risk management professionals will need to better collect and organize their evidence in preparation for applications and renewals of their cyber insurance policies. They might also consider a tool that enables them to link risks to controls to decide how much coverage they actually need.
8. Companies will look for more granular ways to articulate risk for insurance purposes
It’s the age-old challenge: purchasing cybersecurity insurance that actually covers what you need.
Let’s say you’ve purchased insurance to protect against a cyberattack like ransomware, but you haven’t specified that this cyberattack could start via phishing due to a lack of effective email security controls. While your company might view this as a single cyber risk, some insurers might view your company as a financial risk. Your cyber insurance might not actually cover the ransomware attack as a result, or may require extensive and time-consuming discovery in an attempt to deny claims.
In 2023, new cyber risks will emerge, and CISOs should be ever-watchful as threat actors become more creative. CISOs should start thinking about ways to present risk to insurers in specifics: for example, getting granular by specifying that you want coverage for the loss of key business data via a cyber attack, and being able to articulate the detective or compensating controls that your company currently has in place. This way, companies can purchase insurance to manage their specific risks instead of selecting plans that may not provide adequate coverage.
But articulating what these risks are, how they are being mitigated, and what controls are in place takes time and effort. Risk management SaaS software can help alleviate the manual processes behind this documentation, saving CISOs hours (and even days) of valuable time and, in the long run, money on insurance plans.
Prepare for 2023 and beyond
The road ahead might be paved with uncertainty, but one fact remains constant: automating as many manual risk management and compliance operations processes as possible will be essential to adapting to the changes ahead. With mounting frustration from regulatory bodies over how companies address risk, IT security professionals face increased workloads in the coming year.
One thing organizations looking to operationalize risk management and compliance operations can do to prepare is consider new tools that streamline workflows and assist with the predicted changes. The right tools bring evidence, control, and risk management together in a single platform so security and compliance teams can focus on what matters most: adapting to these anticipated regulatory changes and keeping the organization safe and secure.