NEW YORK—Expect regulators to begin imposing cyber incident “stress testing” and boards to become more cyber-competent this year.
Those are predictions shared by Edward M. Stroz, founder and executive chairman of cyber forensics firm Stroz Friedberg, New York, in ThirdCertainty. He shares more predictions below:
Boardroom shuffle: With concern mounting over cyber risks, organizations will evaluate fresh approaches to ensuring boards are well-informed and comfortable making strategic decisions, Stroz wrote in ThirdCertainty. “Expect the appointment of specialist, nonexecutive cyber directors and the formation of dedicated cyber-risk committees, similar to audit committees, with independent advisers. Regulators also may pursue the concept of ‘cyber competent’ people as a requirement for boards,” he said.
Cyber insurance spike: Demand for cyber liability coverage will continue rising. Expect premiums to also rise due to constantly evolving threats, immature risk models, and an underdeveloped reinsurance market. “This will impact retailers, healthcare providers, banks and others considered high risk,” Stroz said. “Uncertainty about concentration of exposure will lead regulators to impose cyber incident ‘stress testing.’ This is a way to model the impact of multiple, simultaneous incidents on cyber insurance carriers—and potentially stopping those that fail these tests from writing new policies.”
IoT spurs new rules: This will be the year consumers awaken to security and privacy concerns attendant to the Internet of Things. A major physical disruption—through the breach of a connected car, medical device or weak security in a connected toy—will spur regulators and consumers to demand action, Stroz wrote in ThirdCertainty. “Expect companies to spend untold amounts on testing and retrofitting IoT devices to meet hastily approved ‘privacy and security by design’ rules.”
Insider threats get addressed: Insider threats—current or ex-employees with knowledge of, and access to, the corporate network—will take center stage in 2016. This will push human resources leaders onto cross-functional cybersecurity teams in many organizations, Stroz explained. “Expect leading-edge companies to invest in technologies that identify and, in some cases, prevent insider threats before they cause material damage.”
