1 | Trust Becomes Basic Issue
Senior Editor Michael Nadeau of CSO recently captured the broad context of the cyber world heading into 2018: “Trust will be a casualty of the war on cyber crime.” Experian is the latest example of a company whose response went beyond the pale; when we hear, in effect, “it wasn’t us but our customer who lost the data,” we realize how many companies pay lip service to security without a real commitment to protecting our data, either before or after they sell it.
“This is an Alteryx issue,” Experian said in a statement, noting that the data in question is used often in marketing. “Data security has always been, and always will be, our highest priority. As a matter of security best practices, Experian vets all our clients and mandates robust security measures and controls to secure our data.”
“Alteryx Data Breach Exposes Information On 123 Million American Households” Ryan Grenoble, Huffington Post, Dec. 19, 2017
Malcolm Harkins of Cylance has suggested that companies designing new products and services should carefully consider the risk to consumer safety and privacy. Incorporating cybersecurity into a company’s ethical framework is necessary to ensure that consumers are protected. “We are focusing on the wrong things…[c]ompanies and boards should act on behalf of shareholders and society.” The broad recognition that no one’s PII is safe following the Equifax breach will impact commerce in 2018, including the way we interact with corporations and with each other.
2 | Governance Drives Best Practices
The notion that a new advance in cybersecurity technology will solve the problem continues to drive venture investing, but it’s rapidly losing its appeal for end users, since publicized breaches are almost always attributable to a failure of people, processes, or policies. The enterprise risk posed by cyberattacks now overshadows financial risk for many organizations. “Cybersecurity threats” is the number one topic for directors in 2018, according to Akin Gump’s most recent annual survey. How to engage directors and executive leadership in overseeing implementation of best practices has become a widespread concern.
The most important skill set in 2018 will be cyber-security governance – the ability to significantly reduce an organization’s cyber-risk through non-tech changes to policies, procedures, training, reporting lines, etc.
“Outlook 2018: Avi Gesser, Davis Polk” MarketsMedia, December 28, 2017
Employing standardized measurements of cyber risk, and keeping directors and leadership apprised of cyber resilience will become commonplace by the end of 2018.
3 | NIST CSF Becomes Global Standard
When President Obama directed NIST to develop a voluntary framework for reducing cyber risk to critical infrastructure, the ultimate impact was unknown. In the few years since its release in 2014, the Cybersecurity Framework (CSF), developed with input from some 3,000 experts from industry, academia, and government, has rapidly become the most widely recommended standard for evaluating cyber resilience. The May 2017 executive order required every federal agency to manage its cyber risk using NIST CSF and to report on the measures it employs in those terms. In 2018, as federal agencies work to comply with the order, they will begin requiring the vendors who serve them to report their cyber status the same way. With over 50% of U.S. organizations using it, NIST CSF will gain recognition as a de facto global standard by the end of 2018.
4 | Cyber Frameworks Unify
The most popular cyber frameworks share the same DNA, that is, the controls they measure. The recognition that the NIST framework offers a comprehensive view across the organization started a consolidation of cyber frameworks within months of its release. NIST started the ball rolling by announcing its intent to align the CSF with the ISO 27001 standard by rationalizing the controls the two have in common. Two years after the initial release, NIST and the Department of Health and Human Services published a “crosswalk” between the CSF and the HIPAA Security Rule. Later frameworks, such as the FFIEC Cybersecurity Assessment Tool (CAT) and the NY DFS cybersecurity regulation, have been heavily influenced by NIST CSF, and additional crosswalks have followed. (Cybernance announced its NIST/FFIEC crosswalk in 2016.) Maintaining separate initiatives weakens the broader effort to achieve true cybergovernance. A healthcare company protecting PII and PHI shares the same control-level concerns as a tech company protecting its intellectual property, and gathering data on the same individual controls several times over, once per framework, is inefficient. Instead, other frameworks will unify around the CSF as the core, augmenting it with segment-specific lenses into the same underlying data. Unification will make valid comparisons possible within verticals and across industries, and will finally allow meaningful benchmarking. As widespread adoption of NIST CSF continues, consolidation of frameworks will continue in 2018.
5 | Cyber’s Legal Infrastructure Expands
2017’s massive breaches of personal data are game-changing. The Equifax breach involved the PII of 145 million people; set against a total of 116 million U.S. households, that figure suggests virtually every home in America was exposed. When Experian’s data was exposed more recently, it became clear that steps must be taken to compel safer handling of consumer data. The impact of these breaches will be extensive. With hundreds of suits on file, ranging from claims for actual damages to allegations of negligence on the part of board members and executives, 2018 will stand out as the year that significant new cybersecurity legal precedents are established. The current imbalance between the freedom of companies to act and the right of consumers and business partners to be protected from negligent actions will also drive Congress and regulators to adopt new privacy and cybersecurity legislation and rules in 2018. The challenge will lie in how to require reasonable protection of private data, both individual and corporate, without affecting commerce negatively.
6 | New Forms of Hybrid Insurance Products Materialize
The insurance industry has seen the cyber insurance market emerge rapidly over the past several years. The first wave consisted of new protections added to existing property and casualty policies. The resulting myriad of offerings, with little standardization among them, makes it tricky for purchasers to know whether they have the right kind and amount of protection. While insurers have rushed into a booming market, they have privately acknowledged that the lack of data available to underwriters makes it difficult to price policies effectively. Large insurers like AIG have begun investing heavily in learning how to evaluate cyber risk more effectively. Cyber insurance will evolve as fire insurance evolved, although far faster. The growth of the cyber insurance market will lead to more detailed assessments of risk, better data collection on the internal measures employed by purchasers, and enforcement of better cyber risk management policies nationwide. Because they interact directly with buyers and need to differentiate their offerings, top insurance brokerages will develop innovative products and services that drive down risk and the cost of policies while improving security and governance across their portfolios of clients. In 2018, we will see new hybrid offerings that combine traditional insurance with technology to reduce the risk faced by policyholders and insurers alike.