On many occasions, I have seen a “Top 10 List” for predictions. Some stakeholders on social media give little credence to these predictions because – why does it matter? It is not like you get a trophy at the end of the year for the most correct predictions? It would be fun to see Las Vegas create an over/under line on these annual traditions in the cybersecurity arena.
I think the value of these Jimmy the Greek escapades is to provide ample warning of what people should be thinking about proactively. This begs the question of how much do people actually read these things and if they do, how (if at all) does this fit into their corporate risk management modeling?
In an effort to promote awareness, with a dose of humor, please take these predictions with a grain of salted caramel. Please note these are not in rank order of priority.
Prediction #1 – National Breach Notification Law (Not going to Happen)
As a result of the Equifax breach in 2017, there has been a lot of clamoring and posturing by the U.S. Congress on this matter. With 48 states already in play and expanding regulatory requirements like NYDFS Cyber, etc., the probability that the Congress will get in lock step on this outside of the most recent news cycle is slim to none. You have to remember, the Russians are coming to “getcha” via the digital election process and that clearly is more important than holding businesses accountable.
Prediction #2 – Cyber Talent Shortage
Not sure what the exact or correct number is but all data supports a huge deficit in this area. I always found this odd as in an industry with pretty much a 0% unemployment rate, you would think many would flock to these programs, so what’s the deal?
- U.S. Citizens measure success by how well we play sports or other means of illustrating that we are “winning”.
- The rough percentage of students that take Computer Science or Cybersecurity college level coursework that are foreign nationals, is over 67%. (Data collected when supporting DHS Cyber Skills Task-force)
- College programs are to heavy on theory and policy and not creating enough “bangers”. EDU should start to focus on classes on firewalls, SPLUNK, FireEye, TANIUM, RedSeal, etc.
- Colleges incorrectly believe additional training will be provided by the employer. With an average tenure of less than 3 years per job in cyber,….not going to happen with the exception of a rare number of employers.
So the shortage will continue in the U.S. Labor Markets and we will unlikely take effective measures to address this threat. (Buying more cyber widgets won’t suffice)
Prediction # 3 – The year of the penalty and the call on the field is under review
Now that we have NYDFS Cyber Law fully in force and GDPR is slated for May 25th, look to see these regulatory bodies identify a whipping boy to make an example of. This will be followed by an inevitable appeal by the defendant that will likely be heard at the State Supreme Court level or U.S. Federal Appellate Courts.
Depending on how egregious the error is, the defendant will likely seek options to keep out of the spotlight and I seriously doubt that Commissioner Vullo will waiver on taking the company to task.
The FTC will step up enforcement actions as a secondary enforcement action on NYDFS Cyber violations.
The EU will work closely with U.S. Stakeholders on Privacy Shield implications and devise enforcement strategies on U.S. firms that improperly protect EU resident data when goods and/or services are implied. (Example may include mailing lists when the domain doesn’t even have HTTPS connection or similar).
The U.S. DOD will issue an award subject to DFAR that will be protested because the Prime or Sub to the Prime failed to meet the Safeguarding Clauses (e.g. NIST 800-171 compliance). In this scenario, the DOD will learn valuable lessons on why the language in applicable solicitations will need improvements to better define Controlled Unclassified Information (CUI) specificity and applicability.
Prediction #4 – Uber – The hits just keep on coming
In 2018, we will likely see very unique legal strategies by U.S. Regulators and Uber’s Insurance Carrier. Uber’s data breach in 2017 is unique because of the alleged willful wrongdoing by “intentionally” not disclosing the breach to each of the 48 state attorney generals where notification is required by law. Where most causes of action on cyber litigation are predicated upon “harm”, state attorney generals will have a field day pursuing financial sanctions that will inherently impact the corporate bottom line and ultimately shareholder value.
Over simplifying but here is how Uber is different than Equifax and TARGET.
All three had technical issues that were driven by operational gaps in capability and/or performance. However, the fact that Uber intentionally (again, all alleged until proven in a court) did not disclose to the attorney generals constitutes an overt act to cover up the breach and failing to comply with state laws. If the dereliction in meeting the standard if care is proven to be intentional, then a potential exists for those C-Suite parties that were complicit to face criminal charges. So yes TARGET and Equifax CEOs were forced out of their jobs but if you add criminal prosecution to the mix, the degree of accountability becomes more visible to those business leaders.
Prediction #5 – Ransomware and Law Firms
I have seen a lot of predictions about the increase of ransomware attacks on the healthcare sector and I do not disagree but look for cases that are leaked to the press by law enforcement or corporate insiders about law firms that are held hostage just days or weeks before a massive case or Mergers and Acquisition activities.
Law firms remain one of the single best targets for adversaries to gain intelligence and if medical office will pay $15-$45k in Bitcoin to restore operations, how unlikely is it that a law firm wouldn’t pay to keep it quiet and protect their reputation or worse.
Prediction # 6 – Cyber insurance more pervasive
In 2016, the adoption rates of U.S. companies having cyber insurance was about 19%. In 2017, it looks to track for 31% (huge jump). There are always concerns about will the coverage payout. The short answer is “yes”. But as claims flow in more frequently, the insurance sector will need to re-evaluate how they measure risk beyond simply “yes/no” responses to the most basic of technical questions.
The mere fact that a company has a policy should provide comfort but not misaligned hubris in thinking that the system owner can transfer all the risk to the policy and not meet a duty to protect. As in the Uber case, if it is found that a basis exists to not pay on D&O, that may carry over to cyber coverages preventing a claim from being honored.
Prediction # 7 – M&A cyber risk impacts to valuation
As the DOW continues to increase and people are overjoyed with corporate taxes coming down, there is likely going to be an uptick in Mergers and Acquisitions (M&A). As a result of the Verizon/ Yahoo and Marriott/SPG mergers, the need to better ascertain the cyber risk profile of a company subject to an acquisition will become more prevalent.
To date, M&A activities rarely even explore what the real cyber risk profile is until after the valuation is already done. When you consider the costs of data breach notifications, responses to state attorney generals, FTC, and other regulatory bodies, the bottom line must also include the cyber risk that may be introduced as a result of a merger or acquisition. More specifically, how much impact exists with each organization’s supply chain as the Soha Survey identified 63% of all breaches were tied to a third party business partner.