2015 was a year in which cyber criminals continued to innovate and expand their activities. As 2016 commences, look for insider threats to take center stage and for leading companies to respond. Meanwhile, cybersecurity and privacy issues will continue to reverberate globally. Here are a few predictions for the coming year:
Cyber threats and elections–
Threat actors targeted the websites and emails of presidential candidates in 2008 and 2012. Campaign websites continue to be used to raise money, making them targets for hacktivists and cyber criminals alike. Expect to see U.S. primary frontrunners and eventual nominees successfully targeted and to see at least one campaign undermined by a data breach.
IoT spurs new rules–
This will be the year consumers awaken to security and privacy concerns attendant to the Internet of Things. A major physical disruption — through the breach of a connected car or medical device or weak security in a connected toy — will spur regulators and consumers to demand action. Expect companies to spend untold amounts on testing and retrofitting IoT devices to meet hastily approved “privacy and security by design” rules.
Insider threats get addressed–
Insider threats — current or ex-employees with knowledge of, and access to, the corporate network — will take center stage in 2016. This will push human resources leaders onto cross-functional cybersecurity teams in many organizations. Expect leading-edge companies to invest in technologies that identify and, in some cases, prevent insider threats before they cause material damage.
International data flows narrow–
Uncertainty arising from the demise of the EU-U.S. Safe Harbor pact will disrupt international data flows. Expanding European nationalism, distrust of U.S. surveillance and subpoena power, the prospect of triggering huge fines for transborder transfers and political disputes over alternatives will drive some U.S. companies to avoid doing business with Europe altogether. Meanwhile, other multinationals will opt to segregate business functions geographically by building local cloud services and data centers that protect them from penalties.
With concern mounting over cyber risks, organizations will evaluate fresh approaches to ensure boards are well-informed and comfortable making strategic decisions. Expect the appointment of specialist, non-executive cyber directors and the formation of dedicated cyber-risk committees (similar to audit committees) with independent advisers. Regulators may also pursue the concept of “cyber competent” people as a requirement for boards.
Cyber insurance spike–
Demand for cyber liability coverage will continue to rise. Expect premiums to also rise because of constantly evolving threats, immature risk models and an underdeveloped reinsurance market. This will affect retailers, healthcare providers, banks and others that are considered high risk. Uncertainty about the concentration of exposure will lead regulators to impose cyber incident “stress testing.” This is a way to model the impact of multiple, simultaneous incidents on cyber insurance carriers — and potentially stop those that fail these tests from writing new policies.