Looking Back at our 2023 Cybersecurity & Data Protection Predictions

Nearly 8 incidents a day globally drive aggressive new regulations and put CISOs further under fire

Another year in the books. As we enter 2024, it’s time to reflect on the cybersecurity and data protections predictions we made going into last year. Overall, we did well in our prognostications, with some hits and a couple of misses along the way.

Let’s take a look at each prediction:

1. US federal privacy legislation will not pass in 2023.

We nailed this one. Despite renewed efforts by lawmakers, federal privacy legislation remained stalled due to partisan divides. Control of Congress was split, and key issues like preemption continued to be sticking points. Some held out hope after talks and various approaches seemed to gain momentum early in the year; however, it was clear that major sticking points remained. In addition, with the FTC ramping up enforcement actions under existing authority and federal agencies like DHS CISA and the SEC getting into the mix, pressure on Congress to act diminished, even as some believed the agencies were outside their jurisdiction. 

Legislation was punted into the future, and will almost certainly not pass prior to the next presidential election.

2. Product vendors will focus more deeply on their software supply chain.

Our prediction largely rang true. Several high-profile supply chain attacks kept pressure on vendors to secure their software pipelines. Open source security got more attention, though systemic challenges persist in that area. Vendors made moves to analyze their code bases more thoroughly, but work is still needed to fully lock down the software supply chain.

Fully securing the software supply chain remains an ongoing process. Momentum continued to grow around the adoption of software bill of materials (SBOMs) as a tool to gain visibility into the components used in software products, spurred by regulatory pushes. Agencies like NIST have recognized SBOMs as an important part of supply chain security, and standards are being developed to make them uniform. While adopting SBOMs is still in relatively early stages, their expanded use will likely continue growing as an important part of supply chain risk management.

We expect strengthening software pipelines to remain a key focus going forward.

3. CISOs will demand to be covered by corporate D&O insurance or they’ll quit.

While we don’t have a lot of specific evidence yet of CISOs demanding D&O coverage, our prediction generally played out with continued and expanding liability concerns and major consternation in security leader forums. The Uber, Drizly, and SolarWinds cases exemplify the increased scrutiny CISOs face, even on a personal level, though it remains to be seen if this directly spurs coverage demands.

Experts widely agree that the risk landscape is shifting. Regulators like the SEC are increasingly focused on holding security leaders accountable. Plaintiff attorneys are eager to include CISOs in lawsuits when possible. Though not every case may name CISOs, the risk is clearly heightened and CISOs need to verify they are covered as executives under corporate D&O policies. 

So while we don’t yet have hard evidence of CISOs quitting over D&O, the dominoes are seemingly lined up. Given high turnover rates already, we expect that coverage demands or concerns will continue to expand. For now, the expanding spotlight on CISO liability is a good start.

4. CPPA fines will exceed its initial $10M budget.

This prediction did not pan out as we expected. While California did issue fines exceeding $10 million, enforcement by the California Privacy Protection Agency (CPPA) started slowly as the agency built up its operations and addressed litigation over missed rulemaking deadlines. The rights and obligations under CPRA are still taking shape, and the CPPA’s ability to fully enforce the law remains in question for now. The CPPA’s enforcement actions so far, like the Sephora case, have focused on limited areas like opt-out requirements for advertising. Their broad privacy enforcement powers have not yet been fully exercised.

The CPPA’s privacy enforcement still appears to be in early stages. Momentum may pick up as litigation is resolved, rules are finalized, and the CPPA further builds out its operations. 

5. Auditors will raise the bar on cyber readiness levels.

Our prediction here was overly optimistic. While we have anecdotal evidence of some auditors pushing for more rigorous incident response programs, the majority appear to continue to adhere to minimal standards for readiness, incident response plans, and cyber exercises. 

In fact, cyber insurers have arguably stepped more into the role of assessing organizations’ security postures. Insurers are using detailed questionnaires and requiring proof of claimed security capabilities. Failing to meet stated benchmarks can result in denial of coverage, so companies tend to take them more seriously. Ultimately, their assessments are serving as de facto audits, with measurable financial consequences for misrepresenting security measures.

Progress remains gradual on the compliance front and barring a major change will likely remain so. We’re waiting for a lawsuit by a breached company against their auditor to shake things up.

6. Cyber prevention efforts will be seen as insufficient.

Trends toward proactivity look promising. Recognition is growing that focusing on defense alone is inadequate, and proactive resilience practices are spreading but have yet to be adopted at scale. Misconceptions around data breach costs persist as leaders continue to largely focus on security costs, which make up only about 30% of the total, versus the 70% attributed to the rest of the business. With an average cost of nearly $10M per incident in the US, and more in some sectors, we expect the focus on readiness to accelerate.

Overall, we did well, especially considering we didn’t go for easy fluff. We could have predicted more US States would pass cybersecurity and privacy laws like Iowa did. Or we could have predicted that there would be an increase in incidents and data breaches, and there was, nearly reaching an extraordinary eight per day globally.

2024 looks a lot like 2023, and our top blog posts from 2023 reflect these themes. Looking ahead, we anticipate cybersecurity, privacy, and data breach laws, supply chain threats, cybersecurity compliance, and proactive resilience will continue demanding attention. Companies need to get ahead of mitigating the financial, regulatory, and operational repercussions of incidents and better protect the privacy and security of their customers.

Recent Posts