We typically invest time at the end of every year to read expert predictions about privacy and security in the upcoming year. While the predictions are never intended as law, they also aren’t offered without considered thought. Hypothesizing the future is a fantastic tactic to evaluate possible scenarios.
Last year, Matt Hartley and I crafted our own list of data privacy predictions for 2021 instead of just reading about predictions. Some were on the money, and others might have been a bit premature. This year, in collaboration with BreachRx’s employees, board and advisors, we expanded our predictions to include privacy, security and risk. The broader scope reflects our team’s increased purview in the last 12 months.
It was a pleasure to collectively pause to assess the challenges and opportunities of today’s marketplace — alongside how our business can play a role in addressing both. We look forward to hearing which of the following predictions are most relevant for your industry, workplace, team, and role, as well as what predictions you would add.
1. One government regulation will require notification in under 24 hours for the first time.
As more states and countries enact privacy and security regulations, staying in compliance becomes more complicated, and the risks for organizations that fall short rise sharply. This year, at least one government regulation will, for the first time, require companies to notify the appropriate parties within a one-day timeframe. By one day, we don’t mean “immediate” or “expeditious” timelines but a defined deadline at or before 24 hours.
Still, 2022 remains part of the beginning. As the global wave of regulations continues to rise, the legislative peak will remain elusive.
2. Federal privacy legislation will not happen in 2022.
Speaking of elusive legislation, this year will come to an end before the United States puts a federal privacy law into effect. As one of our advisors succinctly noted, cooperation is a rare bird when Congress is divided on partisan lines. Instead, U.S. government leaders will follow the Federal Trade Commission for privacy rulemaking.
3. The escalating onslaught of attacks will continue without respite.
While previous ransomware and other attacks have already captured mainstream public consciousness and global headlines, 2022 events will take incidents’ visibility and impacts to even greater heights. And that’s quite a statement, considering that data breach volume was up 27% year to date as of October 2021, according to the Identity Theft Resource Center.
Major events like the Olympics and midterm elections will function as large draws for attackers, as they always are, and the results will populate mainstream media, infiltrate boardroom discussions and CEOs’ top five priorities, and further raise the bar for companies seeking cyber insurance.
4. Cybersecurity insurance will increase 100% or more, while coverage diminishes.
Alongside such mainstream visibility and proliferating legislation, cyber insurance coverage costs will catapult. While some experts like Willis Towers Watson predict cyber rates could reach up to 150% of existing cost structures in certain areas, we predict a 100% increase by year end, while insurance firms slash currently insured areas due to missing expertise and/or marketplace anxiety on their rate-setting teams. We also anticipate that insurance companies will greatly increase scrutiny of, and influence over, applicants’ privacy and cybersecurity readiness.
An expert from Fitch Ratings’ North American insurance rating group said it best: this trend is “one of the bigger challenges that is not going to be solved in 2022.”
5. ‘Chief Privacy Officer’ will be LinkedIn’s fastest-growing title.
Changing business priorities dictate new ownership. Just like we saw companies begin to appoint CISOs in earnest about a decade ago as more mature threat actors entered the scene, we will see a similar explosion of Chief Privacy Officer appointments in companies to focus on privacy compliance and related issues.
6. The bulk of the world’s population will be covered by at least one privacy regulation.
We agree with Gartner’s prediction that more than four of five companies worldwide will encounter at least one privacy-focused data protection regulation by the end of 2023.
For example, when India’s Personal Data Protection Bill (PDPB) passes, companies will face monumental levels of new compliance requirements, particularly when you consider that at its inception, India’s comprehensive privacy legislation was far stricter than the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). In response, global enterprises will endeavor to surmount new legislative mountains to serve the country’s sizable population and customer base, alongside other new legislation around the world.
7. 75% of CEOs will consider cybersecurity & privacy incident readiness a competitive differentiator.
Companies will respond to legislative changes and increased attacks, incidents, and breaches by emphasizing their policies, processes, and technologies. Ultimately, CEOs will prioritize putting in place a comprehensive strategy and capabilities that align with board mandates and ensure seamless, differentiated operations globally.
Similarly, data ethics will become more common as companies look to leverage existing legal, privacy and security review processes to ensure responsible use of data.
As Gartner’s Kasey Panetta wrote, “Security and risk management has become a board-level issue for organizations.” As that prioritization and increasingly sophisticated breaches spur the changes outlined above, there’s no doubt that proactive incident management will gain importance as security and privacy shape business decisions.