Cybersecurity Predictions for 2023

Alex Iftimie, Michael Burshteyn, Miriam Wugmeister, Lokke Moerel, Haima Marlier, Kristen Mathews, Vincent Schroder, Tina Reynolds, and Markus Speidel spoke to The CyberWire about predictions and trends the cybersecurity sector may expect in 2023.

Alex on a resurgence in Russian-based cyberattacks:

"As Russia continues to take losses on the battlefield, they will increasingly rely on nontraditional tactics like cyber-attacks, including against Western countries. These attacks will also come from nonstate actors who are reeling from Western sanctions and who continue to view Russia as a permissive environment for their activities."

Michael on more regulatory attention for crypto adoption:

"This past year saw tens of billions of dollars in cryptocurrency and digital assets lost. These losses stemmed from smart contract exploits, insider and external attacks, and collapses of centralized exchanges and decentralized protocols. At the same time, developers have continued to adopt web3 technologies and builders are continuing to develop innovative applications of blockchain, crypto, and related technologies. In response, 2023 is likely to see sharpened regulatory attention in an attempt to create predictable conditions for more mainstream adoption. A surge in litigation related to cryptocurrency token disputes and losses is on the horizon as well."

Miriam on the continued use of responsible AI and ethical tech:

"Responsible AI and ethical tech will continue to be a trend and only become more important and interesting as the economy slows and organizations looks for new ways to monetize the data that they have and to enhance their products and services in new and creative ways.”

Lokke on the European Union’s impending AI Act:

"While the EU’s AI Act may still be in draft form, EU data protection authorities are already applying similar principles assessing, developing, and applying AI under GDPR [General Data Protection Regulation]. As a result, 2023 may give you time less time to anticipate requirements under the AI Act. Further, once in force, the AI Act will apply also to AI products that were developed before the AI Act went into effect."

Haima on the Securities and Exchange Commission’s (SEC) implementation of cybersecurity rules for public companies and investment advisors:

"In 2023, the SEC likely will issue final cybersecurity rules for public companies and for registered investment advisers and other registrants, respectively. I expect that these final rules will impose heightened disclosure and internal controls obligations on issuers and registrants. I also expect that the SEC’s cybersecurity-related enforcement to continue, especially in cases where the agency perceives there to be a failure to escalate cybersecurity incidents that results in delayed investor disclosures and prolonged exposure of customer data."

Kristen on strengthening privacy policies under the California Privacy Rights Act (CPRA):

"The CPRA will be enforced starting July 1, 2023, and it will, for the first time, apply to employees in addition to other consumers. This means that employers need to present robust privacy policies to their California employees and give them numerous rights, some of which will be challenging to honor in the context of employer-employee relationships, such as the right to have their personal information deleted or corrected by the employer, the right to receive a copy of their personal information that is held by their employer, and the right to opt out of their employer using their personal information for certain purposes. These rights apply to current employees and independent contractors and also job candidates and former employees. We predict that these rights will be exercised in the context of legal disputes, making responding more high stakes."

Vincent on compliance at the forefront of regulatory scrutiny:

"Nearly three years following the effective date of the California Consumer Privacy Act (CCPA), increasing enforcement activity by the California Attorney General suggests that businesses should expect even more vigorous regulatory scrutiny next year. In the first half of 2023, audits by the Attorney General and the new California Privacy Protection Agency will likely continue to revolve around compliance with the CCPA’s extensive disclosure requirements and opt-out rights regarding the selling of personal information. Following the enforcement date of the California Privacy Rights Act on July 1, 2023, the focus might particularly expand to the processing of sensitive personal information."

Tina and Markus on the software attestation requirements for the U.S. government:

“Companies whose software products are sold to the U.S. government will need to begin providing attestations concerning the vendor’s software supply chain security in 2023. Federal agencies will be required to collect attestation letters from suppliers of “critical software” by mid-year, and from all suppliers by the end of the year. Affected vendors must attest to compliance with the relevant NIST [National Institute of Standards and Technology] guidance and may also need to supply a complete Software Bill of Materials, depending on software criticality or agency need. Additional agency guidance is expected in early 2023."

Read the full article (subscription required).