By Diana-Lynn Contesti, CISSP-ISSAP, ISSMP, CSSLP, SSCP
In part one of this series, we discussed what lies ahead in 2023, including a rise in wiperware and ransomware attacks plus challenges with OT infrastructure and staffing shortages.
In our part two of this series, we will explore issues relating to cybersecurity insurance, data privacy, supply chain and artificial intelligence (AI) technology.
Cybersecurity Insurance
The global cybersecurity insurance market is projected to grow to U.S. $30 billion by 2027, nearly tripling in growth over five years. In 2023, we can expect the demand for cybersecurity insurance to continue to expand, however it is going to be harder to obtain. Premiums will rise, especially as more organizations become aware of the potential financial and reputational consequences of cyber incidents. Insurance carriers will also enforce stricter requirements to get cyber insurance, such as requiring two-factor authentication or adopting various technology. In addition, many insurance firms will increase cyber insurance premiums for less coverage and enforce stricter requirements.
Data Privacy
Since GDPR was enacted in 2018, it has affected how many organizations use and protect consumer data. Recently, massive fines have been levied against organizations (e.g., Marriott, WhatsApp-Ireland, British Airways and Google). It is expected that this trend will continue over the next several years.
We also anticipate that in 2023, many EU residents will begin implementing the EU Whistleblowing Directive into their laws.
California passed the California Consumer Privacy Act (CCPA) in 2018, and to date, we have only seen one fine levied, which required Sephora to pay $1.2 million. We anticipate that there will be additional cases brought by the Office of the Attorney General (OAG) in California. Effective January 1, 2023, the California Privacy Rights Act (CPRA) becomes effective and will be enforced on July 1, 2023. What does this mean? For the first time, the CCPA will also apply to employees in addition to consumers. We anticipate that other U.S. states will begin developing their own privacy laws.
China implemented the Personal Information Protection Law (PIPL) in 2021, but in 2023, we expect many companies that conduct business in China will need to become compliant with the rules governing cross-border data transfers.
We suspect that in 2023, we will see many countries establish or revise legislation, including Saudi Arabia, Nigeria, Vietnam and Australia, and we will see the implementation of new and revised laws which are pending in Canada and Israel.
With more than 100 countries having their own laws and regulations around data and its protection, we foresee a more challenging landscape for security personnel.
Supply Chain
During the pandemic, we saw supply chain issues ranging from toilet paper shortages to not being able to buy new cars due to chip shortages. In 2021, the SolarWinds cyberattack compromised data from 18,000 organizations.
We believe that these challenges impacting the global supply chain -- order backlogs, personnel shortages and labor issues, equipment shortages along with companies shuttering plants -- will continue in 2023. We hope executive boards will implement a strategy that includes cybersecurity, risk detection and response.
Google OpenAI ChatGPT Chatbot
Google recently released its OpenAI ChatGPT Chatbot, and which had one million users in less than five days. The ChatGPT provides a very human-like conversation by gathering information from numerous websites.
Much like other AI that have been developed, this technology has already been used to spreading racist, antisemitic, and false information. For those implementing this technology, there needs to be comprehensive testing conducted as it could land Google, or other organizations, in hot water. As a result of more AI technology being deployed, we may see governments around the world bring in artificial intelligence legislation to protect their respective nations.
With previous AI technology, users have been able to block unsafe or illegal information from being passed. This brings up many questions:
- Who is correcting it before it releases its output?
- Whose ethics are being applied?
Most recently, IBM recently developed governance principles for trustworthy AI technology. So, this is one technology that we will closely watch in 2023, and yes, it will become a headache for cybersecurity professionals as this technology offers the ability to generate the necessary attacks (regardless of the skill level) against a given target, which will undermine current thinking and adapt and self-program these attacks to be successful.
Is there something not covered here you expect to be top of mind for cybersecurity professionals this year? Join the conversation over on the (ISC)² Community.