The year 2015 was one in which cyber criminals continued to innovate and expand their activities. As 2016 commences, look for insider threats to take center stage, and for leading companies to respond proactively. Meanwhile, cybersecurity and privacy issues will continue to reverberate globally. Here are a few predictions for the coming year:
1. Cyber threats and elections. Threat actors targeted the websites and emails of both presidential candidates in 2008 and 2012. Campaign websites continue to be used to raise money, making them targets for hacktivists and cyber criminals alike. Expect to see U.S. primary frontrunners and eventual nominees—from both parties—successfully targeted, and at least one campaign undermined by a data breach.
2. IoT spurs new rules. This will be the year consumers awaken to security and privacy concerns attendant to the Internet of Things. A major physical disruption—through the breach of a connected car, medical device or weak security in a connected toy—will spur regulators and consumers to demand action. Expect companies to spend untold amounts on testing and retrofitting IoT devices to meet hastily approved “privacy and security by design” rules.
3. Insider threats get addressed. Insider threats—current or ex-employees with knowledge of, and access to, the corporate network—will take center stage in 2016. This will push human resources leaders onto cross-functional cybersecurity teams in many organizations. Expect leading-edge companies to invest in technologies that identify and, in some cases, prevent insider threats before they cause material damage.
4. International data flows narrow. Uncertainty arising from the demise of the EU-U.S. Safe Harbor pact will disrupt international data flows. Expanding European nationalism, distrust of U.S. surveillance and subpoena power, the prospect of triggering huge fines for transborder transfers, and political disputes over alternatives will drive some U.S. companies to avoid doing business with Europe altogether. Meanwhile, other multinationals will opt to segregate business functions geographically by building local cloud services and data centers that protect them from penalties.
5. Boardroom shuffle. With concern mounting over cyber risks, organizations will evaluate fresh approaches to ensuring boards are well-informed and comfortable making strategic decisions. Expect the appointment of specialist, nonexecutive cyber directors and the formation of dedicated cyber-risk committees, similar to audit committees, with independent advisers. Regulators also may pursue the concept of “cyber competent” people as a requirement for boards.
6. Cyber insurance spike. Demand for cyber liability coverage will continue rising. Expect premiums to also rise due to constantly evolving threats, immature risk models, and an underdeveloped reinsurance market. This will impact retailers, health care providers, banks and others considered high risk. Uncertainty about concentration of exposure will lead regulators to impose cyber incident “stress testing.” This is a way to model the impact of multiple, simultaneous incidents on cyber insurance carriers, and potentially to stop those that fail these tests from writing new policies.