6 Cybersecurity & Data Privacy Predictions for 2023

Click here to listen to this article via the BreachRx Blogcast

As we close out 2022 and look ahead to 2023, it’s important for businesses and individuals alike to get informed about the latest trends in cybersecurity and data privacy. The ever-evolving landscape of threats and vulnerabilities makes it crucial to stay vigilant and proactive in protecting both data and systems. In addition, the landscape of over 180 data protection laws and directives globally is growing increasingly complex.

In this blog, we’ll be exploring some of our top predictions for 2023 in the realm of cybersecurity and data privacy. While there are sure to be plenty of developments to keep an eye on, we’ll focus on what we see as the six key challenges and opportunities that will arise in the coming year.

1. US federal privacy legislation will not pass in 2023.

Even with how close Congress seemed to get in 2022 in finding consensus to pass federal data privacy legislation, we predict once again that a federal law will not pass in 2023. With control of the House changing and the prospect of split control of Congress, polarization and lack of consensus will continue to rule the day. One of the key points of contention will be preemption, with a number of aggressive states opposing their laws being overridden at the federal level. That alone would likely prevent a law from being passed by divided lawmakers.

However, the Federal Trade Commission (FTC) is taking an aggressive approach to cybersecurity and privacy rulemaking and enforcement. The recent Drizly action highlights once again that penalties for poor security can be far reaching and long lasting for executives of businesses. With the FTC continuing to throw its weight around, Congress will not feel obligated to pass a law quickly.

2. Product vendors will focus more deeply on their software supply chain.

Threats to the software supply chain will be a major focus for companies building products in 2023. Over the last couple of years, the notoriety of these attacks ranging from Solarwinds to Log4J has and will continue to entice more attackers to look at this vector as a means not only to attack product vendors, but to attack their customers as well. With four out of five organizations getting notified of a vulnerability in their software supply chain over the last year, leaders are demanding better security and data protection from their vendors.

Attackers are already realizing the extent to which open source libraries are used in products, and many, especially those abandoned or infrequently updated, are prime targets for threat actors to compromise and leverage their way into products using those libraries. It’s easy to predict at least one significant supply-chain attack with global repercussions. What isn’t easy to call is that we predict that product builders will heed the wake up call, dig into their software base, and work to get more secure.

3. CISOs will demand to be covered by corporate D&O insurance or they’ll quit.

CISOs across all industries will begin to demand they be covered by corporate D&O insurance or they’ll leave their jobs. Already under immense stress to defend against increasingly complex attacks with fixed, limited resources, security executives are now under fire on multiple fronts to ensure they understand and follow a complex web of global laws and regulations, in many cases on their own without sufficient or reliable legal support from internal teams. Add into the mix the US Department of Justice, FTC, and aggressive attorney generals like from California that are proactively looking for violators rather than waiting for breaches to occur.

Given all that, CISOs are losing confidence that their business will back them when a big incident occurs. With turnover rates already approaching new highs and an average tenure of no more than two years, and wide availability of security jobs, CISOs will feel no qualms about moving on from organizations in which they’ve lost trust.

4. California Privacy Protection Agency fines will exceed its initial annual budget.

In his press conference announcing the state’s first fine under CCPA, California Attorney General Rob Bonta indicated that the “kid gloves are coming off.” The Attorney General’s office has a wide variety of responsibilities but found the time to carry out an “enforcement sweep” of online retailers. With the California Privacy Rights Act (CPRA) going into effect in the new year, it brings a new enforcement agency dedicated to enforcing CPRA with an annual budget of $10M and future budgets coming from the fines it issues.

Even though CPRA is now scheduled to be fully effective in April rather than January, we believe it won’t take the agency long to exceed $10M in fines cumulatively given that penalties can reach up to $2,500 for individual infractions and $7,500 for intentional infractions. One event impacting more than 4,000 California residents, along with a subsequent fine, could easily eclipse the threshold in one fell swoop.

5. Cybersecurity compliance auditors will raise the bar for readiness to a realistic level.

The best practice for SOC 2, ISO 27001, and a number of audited cybersecurity compliance frameworks when it comes to demonstrating readiness for businesses to deal with incidents is far below what it should be: spreadsheets and simple, hand-waved exercises. External auditors, riding the rapidly growing compliance audit framework, have let this slide, even when frameworks require developing and implementing procedures that are “in place for responding to security incidents and evaluating the effectiveness of those policies and procedures on a periodic basis,” or the equivalent. No more. 

In 2023, expect to see external auditors respond to pressure from the security leaders of large companies to lean in to ensure that companies have an actual incident response program especially as these leaders rely on their audits to build a secure pool of third-party vendors. Could we even see lawsuits against audit firms in that vein? We’re not confident enough to predict they’ll start happening in 2023, but we do believe they will come in the next few years.

6. Wider acceptance that cybersecurity prevention is insufficient.

There’s a reason the largest organizations have already recognized and shifted their security posture to assume they will be compromised and complement their defensive technologies with proactive measures to increase resilience and proactive readiness: the cost of an “average” incident. For incidents with just 2,000 to 102,000 records involved, a far cry from the mega-breaches in the news, that cost has risen to $4.35M globally and $9.44M for US companies. And for those globally that aren’t proactively prepared, costs start at nearly $6M.

We predict proactive approaches will spread more broadly into the market, with companies recognizing that what might appear to be small or run-of-the-mill incidents can be just as perilous for customer churn and brand reputation as the mega-breaches in the news. Especially with global regulators getting increasingly more involved in the outcome, cybersecurity and privacy leaders, their executives, and their boards will demand significant focus on augmenting prevention with readiness in 2023 and for years to come.