Looking Back at our 2022 Cybersecurity & Data Privacy Predictions

Enter six-hour notification requirements, more expensive cyber insurance, and lots more stress to cap off another year.


It’s been nearly a year since the predictions we made for 2022 were published, and now that we’re almost at the end of the year, it’s a good time to look back and see how accurate they were. In the post, we made several predictions about the state of privacy and security in 2022. Overall, our predictions were largely accurate, with a couple of misses along the way.


Let’s look at how each prediction turned out:

  1. One government regulation will require notification in under 24 hours for the first time.

Nailed it. The Indian Computer Emergency Response Team (CERT-In) issued a directive back in April, with implementation in September, that requires notification within 6 hours for a wide array of incidents, from denial of service attacks to megabreaches. There’s no requirement for personally identifiable information (PII) to be a part of the incident, which left many teams scrambling to figure out how to deal with this, and many more are still unaware of its implementation. Read the details and learn how to comply with this directive here.

  2. Federal privacy legislation will not happen in 2022.

We got it right. While it appeared for some time that perhaps something would happen, a few key issues like preemption kept this off the table for another year.

We did get new federal cybersecurity legislation. The Cyber Incident Reporting For Critical Infrastructure Act of 2022 (CIRCIA) passed, requiring defined critical industry sectors to report incidents to the Cybersecurity and Infrastructure Security Agency (CISA). The rules do not go into effect for another three years, so companies have some time to get prepared. Dig in to the details of CIRCIA here.

There’s also the hotly debated proposed cybersecurity rule from the SEC. Their guidance on cybersecurity risk management, strategy, governance, and incident disclosure introduces rules for how publicly traded companies should approach cybersecurity risk management. The guidance emphasizes the importance of having a comprehensive cybersecurity strategy and governance structure in place. It would require companies to disclose any significant cybersecurity incidents via filings in a timely and transparent manner, in some cases as quickly as four days. The goal of the guidance is to help companies effectively manage cybersecurity risks and protect investors and other stakeholders, but many companies are pushing back on the depth of the requirements. We’ll see where this goes.

  3. Increasing security onslaught will continue without respite.

Mostly correct. Interestingly, breaches seemed to drop for a stretch but have jumped back up more recently to more normal levels. Why the brief respite? One theory is that the drop coincided with the drop in cryptocurrency prices, the typical form of payment for ransomware attacks. Perhaps attackers were waiting to see if the crypto market would recover before launching a new wave of attacks. Regardless, attackers are now back in full force.

  4. Cybersecurity insurance will increase 100% or more, while coverage diminishes.

We think so. Unfortunately for our review, 2022 numbers just aren’t out there yet. However, it came out during the course of this year that 2021 saw an average 92% year-over-year increase. Nothing truly positive happened in 2022 that would cause cyber insurers to hold premiums steady, and many would argue (especially given the above) that the bad continues to get worse, so we still expect this to hold true. Given the premium increases, it’s important to safeguard your ability to actually obtain cyber insurance, even if you have it currently.

We’ve also directly seen and heard that insurers are holding a harder and harder line with their clients. Be sure to read your policy thoroughly and understand what exceptions are in place and what requirements you have to follow if you have an incident. Some key insurance terms to watch out for are here when you’re doing that analysis.

  5. ‘Chief Privacy Officer’ will be LinkedIn’s fastest-growing title.

To be determined. There’s nothing specific yet for 2022, but we did see privacy job postings increase 30% in a study released earlier this year from a well-known recruitment firm. The 1M+ open cybersecurity jobs worldwide continue to be reported, as they have been every year for at least a decade, and privacy responsibilities are now being folded into many of those roles as well.

  6. The bulk of the world’s population will be covered by at least one privacy regulation.

Missed. We were banking on India’s PDPB passing in 2022, but instead, it was withdrawn and re-proposed. Even after being amended, like many other privacy laws, it still applies to organizations operating outside India on the data of Indian citizens. After complaints by many tech companies, the Indian government lowered the ceiling for potential fines and relaxed data localization requirements. We expect the law to pass in 2023, and with all the other laws out there, once it is implemented it will be easy to assert that the bulk of the world is covered.

  7. 75% of CEOs will consider cybersecurity & privacy incident readiness a competitive differentiator.

Close! While we probably were a bit aggressive here, Deloitte’s release from just a few days ago (partly) backs us up. In one of their surveys of US executives, over half responded in the affirmative to cybersecurity being important for business enablement and readiness, with even more stating privacy and protecting data is critical. We’re happy with these results, and believe the trend will continue with business executives and board members.

Overall, we did pretty well. And we didn’t go for the easy stuff. We could have predicted that there would be an increase in data breaches, especially with a focus on small and medium-sized businesses. Unfortunately, this has proven to be accurate, with many businesses continuing to fall victim to cyber attacks in the past year. We could have predicted more US States would pass cybersecurity and privacy laws: Connecticut, Maryland, and Utah did, to name a few. We’ll continue to raise the bar for strong predictions in our upcoming 2023 predictions piece – keep your eye out.

As we move into 2023, it will be important to stay vigilant and continue to prioritize security and privacy in order to protect yourselves and your customers. It’s a given that cyber attackers will keep finding new ways to infiltrate systems and steal sensitive information. That means businesses must continue to evolve, stay up to date with the latest threats, and be proactively prepared.
