There are thousands of breaches and cyber events each year, across geographies and industries – some that garner intense media coverage, and many that fly under the radar. Global regulators are continuing to ramp up the pressure on companies to improve cybersecurity resilience and implement safe data practices. As we enter 2023, it’s important to look back at some of the top events that shaped the cyber world in 2022 – what can we learn from them, and have they prepared us for events and news to come this year?
The link between geopolitics and cyber risk was once again put into focus by Russia’s invasion of Ukraine. As governments and global bodies imposed sanctions on Russia, companies were warned to strengthen their cyber defenses against retaliatory Russian attacks, and UK and US intelligence attributed to Russia a Europe-wide attack on Viasat’s KA-SAT satellite network in the hours before the invasion. State activity is not limited to Russia: in September 2022 US prosecutors charged three Iranian nationals with targeting US critical infrastructure providers, with the FBI stating that “the Government of Iran has created a safe haven for cybercriminals.” The message is clear: state-sponsored and state-tolerated cyber activity must be accounted for in any resilience and continuity plan, not treated as a problem only for governments.
Fines, fines, fines
When the New York Department of Financial Services fined EyeMed $4.5 million in 2022 for violations of its Cybersecurity Regulation, including failing to conduct the risk assessment the rule requires, the industry was once again reminded that regulatory requirements are enforced, not merely recommended. Regulators in the US and Europe are increasingly prescribing specific cybersecurity measures rather than setting broad expectations. Firms must focus on meeting, and exceeding, those expectations or risk making the headlines with multimillion-dollar fines and damaged reputations.
Building on this, the SEC has targeted April 2023 for final action on the cybersecurity rules it proposed in 2022, which are intended to “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and cybersecurity incident reporting.” In March 2022 the regulator also published its 2022 Examination Priorities, which emphasized operational resilience. With deadlines approaching and the threat of fines growing, firms should be preparing now for the coming year.
2022 was also marked by government pressure, and government money, to improve resilience. The US government is offering $1 billion in grants over four years, through the State and Local Cybersecurity Grant Program, to improve the security of state, local and territorial governments, with the overarching goal of reducing systemic cyber risk. In the UK, the government announced changes to legislation as part of its £2.6 billion National Cyber Strategy, strengthening the Network and Information Systems (NIS) Regulations.
As companies move into the new year, the key takeaways are that geopolitics can affect your cyber defenses no matter how big or small your firm is, and that regulators are no longer simply encouraging cybersecurity resilience; they are demanding it. Firms that fail to meet the standard will pay for it.
The good news? Every one of these pressures points to the same fundamentals: a robust cybersecurity program and continuous vulnerability management, so that the controls regulators examine are in place before an incident or an examination tests them. Get in touch with the Drawbridge team and let us help you protect your firm in 2023 and beyond.