It’s been about six months since we released our top eight predictions for 2023, which covered everything from org chart changes and crypto regulation to the new FTC Safeguards Rule.
Were our predictions accurate? Let’s find out:
1. CISOs should expect to see org chart changes
It’s still a little early to say for certain, but we’re starting to see the first signs of this happening. The FTC Safeguards Rule under GLBA is going to force that conversation for many businesses. Similarly, when the SEC disclosure rules come into play, there may be more movement in org charts, particularly if the market reacts to a company not having a CISO with real authority.
However, we’re also seeing org chart changes of a different nature: CISOs leaving their positions because of a lack of resources or authority, combined with high stress levels and potential personal liability. That weighs on them as they decide whether they really want the C-level title anymore, and we’re seeing CISOs leave the industry altogether.
2. CISOs will receive more risk-related questions from the Board
Publicly traded companies should review the proposed SEC disclosure rules. If those come into effect this year, CISOs will be engaging in a lot of conversations about how their organizations are managing risk. This also applies to privately held companies that are covered under the FTC Safeguards Rule.
3. … and as a result, companies will need to be more diligent about communicating risk
The proposed SEC disclosure rules, which are going to require disclosures on cybersecurity risk, have kept risk top-of-mind this year for compliance professionals. Although the rules haven’t taken effect yet, companies should be planning to disclose their risks and their controls as part of their 10-K.
4. Non-banking institutions now covered under GLBA will need detailed written risk management plans
As of June 9, 2023, the amended FTC Safeguards Rule is in effect, so this was an easy one for us to predict accurately. Non-banking financial institutions have now shifted their attention to creating documented risk management plans to comply with the regulation.
5. CISOs will need to invest in internal assessments as more security breaches hit the news
We missed the mark with this one, merely because CISOs are worried about so much more than just security breaches. They’re balancing a number of audits and assessments — whether they’re for insurance purposes, discovery as part of litigation, getting a compliance certification, or verifying if security controls are working. In today’s macroeconomic climate, knowing if a control works gives companies leverage in negotiating renewals with vendors.
6. Cryptocurrency regulation will quickly evolve
In May 2023, the New York Attorney General proposed legislation that, if approved by the state legislature, would set “first-in-the-nation” regulations for crypto trading to reduce potential conflicts of interest, require public reporting of financial statements by crypto companies, and strengthen the state’s consumer protection laws to cover investors in the crypto industry. In June, the Securities and Exchange Commission filed complaints against Binance and Coinbase, alleging that they operated illegal securities exchanges in the United States. In response, Binance.US halted US dollar deposits and withdrawals, pivoting to being a crypto-only exchange.
7. SMBs will have to increase security control monitoring to avoid cyber attacks
We’re going to count this as a miss, because we should have phrased it differently: SMBs will increase monitoring, and they should look at moving some of their alert processing from their SIEM to a managed detection and response provider.
And since many SMBs simply want to transfer most of their risk to insurance, surviving the latest 400-page cyber insurance renewal form means they should automate the collection of all the evidence their insurer is going to require.
8. Companies will look for more granular ways to articulate risk for insurance purposes
The insurance industry has largely taken care of this one itself. Lloyd’s recent exclusions for catastrophic, state-backed cyber events and the Merck judgment on NotPetya are forcing cyber insurers to decide how much risk they want to carry and how much they want to re-insure. This is trickling down to insurance buyers, who are finding it more expensive and difficult to obtain broad coverage. Knowing which risks a company can self-insure, and at what cost, is useful, but that isn’t quite what we predicted.
So, what did we miss?
Although our predictions were mostly accurate, let’s touch on what we missed: how much of an effect AI would have on the global conversation about cybersecurity and regulatory matters.
When we released our predictions at the start of December 2022, ChatGPT, along with its risk management challenges, wasn’t dominating the headlines daily. For fun, we’ll throw in another prediction: companies that use AI to simulate adversarial testing of their controls are going to be in better standing than those that don’t, and the whole vCISO market is going to be dramatically reshaped, since it’s cheaper to have an AI draft initial policy documents, provided there’s enough oversight by experts.
Want more insights from Hyperproof? Subscribe to our blog today!