As the new year begins, CISOs gather with their security teams and corporate management to scope out top priorities for 2024 and how to address these issues.
This year - with a multitude of new privacy laws, Securities and Exchange Commission regulations, cyber threats, and new technologies promising to solve those threats - they might be losing sleep trying to optimally stack the proverbial Tetris pieces of the cybersecurity strategy.
Of all the challenges vying for the CISO's attention, the personal and legal responsibility for data breaches the SEC has placed on CISOs could be the most challenging in the new year, says Nicole Sundin, chief product officer at Axio.
Defend Yourself Against Personal Liability

Sundin likens CISOs to healthcare executives, who keep detailed records of every action they take in order to defend themselves against claims of malfeasance.
Considering that many CISOs are not covered under corporate directors and officers insurance policies, they would be personally liable under the new SEC rules should a breach occur.
That includes personal liability both for a breach with data loss and for a privacy breach without data loss.
Tell the board exactly which security controls are required, their cost, and the potential loss to the company if a breach occurs due to not having the security controls in place.
CISOs must also be active participants when negotiating cyber insurance policies, Sundin says.
Normally, CISOs need to sign off on what the general counsel or CFO ultimately negotiates, but without direct input - backed by a written record of their recommendations - they could find themselves legally liable for a risk the policy excludes.
Monitor Emerging Privacy Threats

Cyber insurers will focus on privacy breaches in 2024, predicts David Anderson, vice president of cyber liability at Woodruff Sawyer, a national insurance brokerage.
Anderson says cyber insurance underwriters are expected to tighten their requirements on how organizations secure private data and privileged accounts, including service accounts, which he notes tend to be overprivileged and often have not had their passwords changed in years.
Citing the tightening privacy laws in states such as California and Washington, he says cyber insurers are demanding that organizations not only have comprehensive privacy policies in place, but also be able to demonstrate that they follow those policies.
Manage Third-Party Risks

While privacy threats will be high on boards of directors' priorities for 2024 thanks to the new SEC regulations and cyber insurers' requirements, so too will other supply-chain threats.
Forward-thinking visionaries look at third-party risk management (TPRM) and data in the aggregate, and at what data breaches mean in light of emerging and expanding regulatory compliance, said Parr.
Rather than focusing on the data itself, he suggests taking a holistic approach, calling it a cross-functional supplier risk management framework.
The vast majority of companies today are struggling with TPRM, Parr says, because they focus more on the cost of data governance than on regulatory compliance, operational resilience, brand impact, or the reputational risk associated with data breaches.
Looking Ahead

In the environment of increased regulation, CISOs are now held personally liable for data breaches, regardless of whether they involve data loss or privacy violations.
In response, cyber insurance underwriters are tightening their rules on how organizations should protect private data and privileged accounts.
To meet these challenges in the coming year, CISOs need to protect their organization and themselves by creating a system to document relevant actions and decisions, establishing and enforcing comprehensive and consistent privacy policies, and assessing their third-party partners in terms of operational resilience.
By working across the organization with procurement, legal, and security teams, CISOs can mitigate the potential impact of supply chain threats and insurance costs on their business - and cover themselves too.
This Cyber News was published on www.darkreading.com. Publication date: Fri, 19 Jan 2024 22:25:17 +0000