It's been a busy year, one of the busiest periods I've ever experienced as a compliance professional. One positive trend is that the C-suite is asking about compliance more than ever before, and they are asking all the right questions.
As an auditor, I have a foot in two different camps: the cybersecurity regulatory camp, where I help in the evolution and promotion of cybersecurity frameworks, and the privacy and protection camp, where I focus on improving the security controls that help to protect data. I am an active member and participant in the IAPP (International Association of Privacy Professionals), which keeps its finger on the pulse of privacy matters and data protection mandates that are emerging. I can't remember a time when new regulations, amendments and updates to data protection across all verticals came out with as high a frequency as they did this year.
I am certain 2023 will bring a tightening of regulations due to all these changes, which will happen at different velocities in various geographies. For international organizations that operate in multiple regions, it gets complicated. For example, when comparing the regulatory environment in the U.S. to the European Union, data responsibilities become confusing because these are two very different regulatory ecosystems. A new E.U. law applies to all member countries with very few or no exceptions, but attempts to federalize data protection mandates in the U.S. so far have not come to fruition, with a proposed federal data protection act still a way out. The main obstacle to federalization is, of course, that it's up to the individual state to implement and enforce the law. That's why we end up with a regulatory mix of data protection mandates, with a few flagship states with passed data protection legislation, such as California, Colorado, Connecticut, Virginia and Utah, while some state privacy laws still await final processing or lack full legislation geared at data protection.
Revisions across the cybersecurity industry
The new version of the Payment Card Industry Data Security Standard (PCI DSS) Version 4.0, released earlier this year, is a great example of a vertical regulatory revision that has already taken place and will become the baseline for PCI DSS compliance in 2023. It's very common for new regulations like this to work their way through the system with this sort of trial period first before they fully take effect. PCI's Data Security Standard is found within healthcare, retail and finance, and that's where I believe we will see some of the biggest regulatory events in 2023.
The Federal Deposit Insurance Corporation (FDIC) also strengthened its rules, as did the Federal Trade Commission (FTC), and the National Institute of Standards and Technology (NIST) has proposed updates and revisions to its cybersecurity framework (CSF) toward 2.0, every one of them with an increased emphasis on reinforcing the core security controls that enhance policy. We will no doubt see new executive orders in 2023 that may be used to push forward the regulatory changes introduced in 2022. Executive orders are easily dismissed as knee-jerk reactions to big events - like the SolarWinds breach - and they do tend to be reactive. But the positive of an executive order is that it is nationwide and affects many businesses, which will then listen. States may then pay attention and reinforce the mandates as they realize the need for stronger cybersecurity as a law or regulation. For example, the SolarWinds incident triggered an executive order calling for businesses within the supply chain to do a risk assessment as part of their cybersecurity policy and supply chain management - that was a very positive change.
The changing role of the CISO in 2023
I've had many conversations with chief information security officers (CISOs) lately, and they have asked me many compliance questions. It is a huge positive that CISOs are now asking: How will these new regulations affect my cybersecurity policy? How can I best comply with these new rules? Earlier, it seemed that I was always the one asking the CISOs if they knew how compliance and legal mandates might be affecting their organization, like how the GDPR (General Data Protection Regulation) affects them and their organization's ability to operate.
CISOs and the rest of the C-suite are recognizing that governance, risk management and compliance (GRC) is going to be more important than ever and that understanding how to harness the data provided by GRC exercises can empower their businesses. I know that people often think compliance is kind of boring - believe me, I've gotten a lot of eye rolls over the years - but it doesn't happen as often anymore. Corporations are beginning to realize that they have no choice but to work hard to understand their compliance posture if they take data protection seriously. The nucleus of this equation is that strong data protection is why we have all the regulations. It's not because industry compliance is an evil force trying to slow everything down - the view is changing more toward how compliance can be a helping hand when it comes to fortifying systems and protecting data.
Growing concerns around e-commerce and online payment platforms
One of my biggest concerns for 2023, and a constant for me, is the growing and changing e-commerce market. There are new and emerging payment platforms - like virtual cards - and new data mechanisms that are very attractive and cost-effective for large retailers. However, these emerging technologies present cybersecurity challenges because we are still learning all the different attack vectors that can be employed to compromise and exploit the new systems. Every time it feels like there is a lull in cyber-attacks, we must remind ourselves that the bad actors are simply changing their tactics and spending time at the start of the exploit cycle, planning and collecting information to orchestrate the next big attack. For modern payment systems, businesses are quick to roll out virtual cards because for many there is a significant cost savings associated with using those systems. Sometimes, cybersecurity and cyber insurance become an afterthought during product launches that focus on implementing the latest and greatest technology, but we need to stay extra vigilant in measuring our potential risk, especially to new systems. It's totally possible that threat actors are already working on a non-typical type of exploit that's targeted straight at our business - we just haven't seen or heard of it yet.