As a result of several cyberattacks on both the public and private sectors over the last year, cybersecurity has become even more critical in everyday decision-making and a major priority for organizations around the world. Moreover, the emergence of cyber warfare, such as the Russian tactics used in its invasion of Ukraine, have prompted increases in government regulation and legislation in the cybersecurity and data privacy space. A look into events that helped shape the cybersecurity and data privacy landscape in 2022 can also paint a picture of what we may be able to expect in 2023. By reviewing the cybersecurity activities of the past year and analyzing cybersecurity trends for the year ahead, organizations can proactively prepare for cybersecurity incidents and become compliant with data privacy regulations that will soon take effect.
Notable Cyberattacks and Instances of Cyber Warfare in the Past Year
Since February 2022, cyberattacks have increased by 16% worldwide.1 These cyberattacks have touched virtually every industry in both the public and private sectors. Even government agencies were not safe from cyberattacks and were perhaps more likely targets for cybercriminals this year than ever before. For instance, on May 8, 2022, the day when the Costa Rican government elected its 49th president, it had to declare a national emergency after the country was attacked by the Conti ransomware gang.2 The Conti ransomware gang published 97% of the 672 gigabytes of leaked data belonging to various government agencies.3 Other notable cyberattacks this year include: (1) the attack on Crypto.com on January 17th that targeted nearly 500 people's cryptocurrency wallets and allowed hackers to steal over $30 million in cryptocurrency; (2) the Red Cross data breach of January 2022 where hackers carried out an attack on servers hosting the personal information of more than 500,000 people receiving services from the non-profit organization; and (3) the Microsoft data breach of March 2022 where the Lapsus$ cybergang released 37 gigabytes of source code stolen from the Azure DevOps servers for Bing, Bing Maps, and Cortana products.4
During the initial months of 2022, Russia's invasion of Ukraine brought attention to an emerging term that carries more force than a mere cyberattack – that term is "cyber warfare." Cyber warfare has been a major component of the conflict between Russia and Ukraine, and the term refers to the use of computer technology to disrupt the activities of a state or organization. Cyber warfare oftentimes encompasses the deliberate attacking of information systems for strategic or military purposes. In June 2022, Microsoft reported details on Russian cyber warfare tactics being used against Ukraine and its allies, revealing that state-backed Russian hackers engaged in strategic cyber-espionage against governments.5 Activities concerning cyber warfare have prompted governments around the world to increase cybersecurity with respect to critical infrastructure and begin processes toward enacting cybersecurity legislation.
New Cyber-Related Regulations
Cybersecurity was a top priority for the Biden Administration in 2022 in response to the increased number of sophisticated cyberattacks in the United States and around the world. To raise awareness of cybersecurity incidents in the U.S., President Biden signed new cybersecurity legislation on March 15, 2022, mandating critical infrastructure operators to report cyber-incidents to the Department of Homeland Security within 72 hours and within 24 hours in cases involving ransomware demands.6 Moreover, the Securities and Exchange Commission voted in March 2022 to propose two new cybersecurity rules for public companies, requiring mandatory reporting of material cybersecurity incidents on an 8-K form within four business days of the incident, and required disclosures on company policies to manage cybersecurity risks.7
Additionally, the U.S. House of Representatives was very active with respect to cybersecurity legislation in July 2022. The House of Representatives passed two cybersecurity bills during the summer of 2022. The first bill requires the Federal Trade Commission to report cross-border complaints involving ransomware and cybersecurity incidents. The second bill directs the Department of Energy to establish an energy cybersecurity university leadership program. Furthermore, on July 20, 2022, the House Energy and Commerce Committee approved the proposed American Data Privacy and Protection Act (ADPPA) for introduction to the House floor for a vote. The ADPPA is an omnibus federal privacy bill that would create national standards and safeguards for personal information collected by companies. Although a significant amount of time will likely pass before this bill is enacted, the ADPPA represents progress toward a comprehensive data privacy law in the U.S.
Anticipated Cybersecurity Trends and How to Become Cyber-Prepared for 2023
To help you prepare for the new year, we've developed a list of anticipated cybersecurity trends for 2023 and provided tips on how to adapt to each development.
- Flexible Approach to Cybersecurity Becomes More Popular
o The cyber-threat landscape is ever changing, and response efforts are evolving to adapt. Cybersecurity professionals need the ability to act fast without getting weighed down in the details of cybersecurity processes. The old approach to cybersecurity called for professionals to obtain several approvals and perform multiple tests before acting, but the new approach requires actors to work quickly to secure vulnerabilities. Organizations must regularly review and update their cybersecurity policies and procedures to account for changes in the cybersecurity space, including new regulations and new cyberattack tactics.
- Cyber-Insurance is Vital to Business Operations
o With the increase in cybersecurity attacks around the world, the global cybersecurity insurance market size is projected to grow from $11.9 billion in 2022 to $29.2 billion by 2027.8 Every organization needs to have adequate cybersecurity coverage to limit risks related to the costs of responding to cybersecurity incidents. However, due to the complexities of cyber-insurance policies, decision makers of organizations seeking cyber-coverage must be adequately advised by competent counsel.
- Continued Use of the Remote Workforce
o According to projections by data scientists, 25% of all professional jobs in North America will be remote by the end of 2022, and remote opportunities will continue to increase throughout 2023.9 Employers must review and update their remote-work policies for compliance with new data privacy regulations. Additionally, every organization with remote employees must undergo cybersecurity assessments to identify and fix vulnerabilities in their networks.
- Number of Cyberattacks and Sophistication of Attacks Will Increase
o 2022 has been another year of high-profile data breaches, and 2023 is expected to follow suit as the number and sophistication of cyber threats continue to rise. In response, organizations will need to look beyond conventional data protection practices to defend their data. To prepare, every organization must obtain experienced cybersecurity counsel to review cybersecurity measures for regulatory compliance, establish and update data privacy policies and procedures, and train employees in matters of cybersecurity awareness and incident response.
- Increased Cyber-Risks for Supply Chains
o Businesses today are mainly supported by the worldwide network of vendors, third-party services, and supply chains. Unfortunately, this dependency gives cybercriminals more entry points to exploit their victims. Organizations need to review and test their suppliers, especially those with a high-risk level of access to the organization's systems or data. Organizations should implement Zero Trust models that minimize privileged access to critical assets through supply chains.
- Cybersecurity Will Remain a Priority for State and Federal Legislators
o By the end of 2023, approximately 75% of the world's population will have their personal information protected by modern data privacy regulations such as the European Union's General Data Protection Regulation and California's Consumer Privacy Act.10 Additionally, several U.S. states have enacted their own state-level data privacy regulations, including Connecticut and Utah that passed data privacy laws in 2022. Moreover, organizations will need to become compliant with state-level data privacy regulations that take effect in 2023, including regulations from California, Virginia and Colorado. Every organization must review its data processing activities and connect with competent cybersecurity counsel to identify regulatory requirements and ensure compliance.
How Brouse Can Help
Every organization should prioritize cybersecurity and data privacy in the new year. Throughout 2022, we have seen an increased emphasis placed on the introduction and enactment of data privacy regulations. Therefore, in 2023 we must increase our cybersecurity protocols and adhere to applicable data processing requirements. Brouse McDowell's Cybersecurity and Data Privacy team can provide the guidance and tools you need to defend against cyberattacks, protect consumer information, and become compliant with applicable data privacy regulations. Our cybersecurity team offers a variety of data privacy and cybersecurity services, including pre-breach and cybersecurity planning, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery and response). Please contact us for more information and to learn how we can partner with you.
Footnotes
1. https://www.nasdaq.com/docs/cybersecurity-a-year-in-review.
2. https://www.nasdaq.com/docs/cybersecurity-a-year-in-review.
3. Id.
4. https://ermprotect.com/blog/top-10-data-breaches-so-far-in-2022/; https://www.nasdaq.com/docs/cybersecurity-a-year-in-review.
5. https://www.voanews.com/a/microsoft-russian-cyber-spying-targets-42-ukraine-allies/6628417.html.
6. https://www.nasdaq.com/articles/cybersecurity%3A-a-year-in-review.
7. Id.
8. https://cyberwrite.com/five-cyber-insurance-predictions-you-should-know-about-for-2023/.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.