In the next of our 2024 predictions, we delve into the evolving regulatory mandates that will require business leaders to apply enforceable rigor to security controls. Government and industry regulation of companies’ cybersecurity initiatives and risk posture is not new. Still, there is an urgent need for policies and standards to be reviewed in response to widening attack surfaces and the increasing use of AI and its associated data privacy issues.
As more and more data is produced, collected, and stored, and connectivity expands globally, attack surfaces are widening. This is especially true as organizations’ reliance on AI to improve performance and efficiencies grows, and data privacy concerns reach new heights. Good cyber governance must be part of any company’s cybersecurity and risk management program to ensure that organizations adhere to government and industry regulations and standards.
In Cybersecurity in 2024: Predicting the Next Generation of Threats and Strategies, we predict that in 2024 and beyond, companies across vertical sectors will need to apply enforceable rigor on security controls to comply with changing compulsory regulatory mandates. To achieve this, business leaders will need a clearer understanding of their organization’s cybersecurity policies, processes, and tools, resulting in the appointment of cybersecurity experts at the Board level to meet progressively stringent reporting requirements.
Regulatory changes of note include:
PCI DSS v. 4.0
As the threat landscape becomes increasingly complex and sophisticated, industry standards continue to evolve to ensure that security gaps are detected and properly identified. Of particular note is the Payment Card Industry’s Data Security Standard (PCI DSS) v. 4.0, which will put added pressure on retail, healthcare, and finance companies to address new reporting requirements by March 2024.
The changes are intended to improve how risk is measured and to require businesses to prioritize gaps faster and more accurately. The updated PCI DSS also includes specific measures to strengthen vulnerability prioritization with additional sources, such as threat intelligence, which enrich the risk ranking of security gaps within systems and add metrics to it.
Securities and Exchange Commission
The U.S. Securities and Exchange Commission (SEC) monitors disclosure practices and has historically issued what essentially amounted to interpretive guidance. This practice changed in 2023 when the SEC issued the “final rule” that enhances and standardizes disclosure of cybersecurity risk management, strategy, governance, and incidents by public companies. These changes were necessitated by an increase in cyber attacks, stolen data, and growing concerns about the use and vulnerabilities of AI and digital technologies.
The Cyber Resilience Act
The European Commission issued the Cyber Resilience Act (CRA), which will take effect in 2024. Set to bring significant changes to digital products throughout Europe, the CRA mandates new cybersecurity requirements for products with digital components. The act applies to manufacturers and retailers, and its obligations extend across the product lifecycle so that products ship with adequate security features and are maintained thereafter, including through risk assessments, vulnerability management, and free security updates.
NIST CSF 2.0
A major update to the NIST Cybersecurity Framework (CSF) – NIST CSF 2.0 – is expected to be released in 2024 to help organizations and industries manage cybersecurity risk. An important change in CSF 2.0 is the addition of governance in managing risk. CSF 2.0 includes additional updates, such as:
A focus on supply chain risk management
More guidance on implementing the CSF
Alignment with the Biden Administration's National Cybersecurity Strategy
All of these changes, and more that may come in 2024 and beyond, will further advance the significant need for proactive threat intelligence. Such intelligence, when factoring in a company’s attack surface and business context, can help organizations continuously identify and prioritize vulnerabilities, and take appropriate measures to mitigate risk and strengthen cyber hygiene.
Want to learn more about Cybersixgill’s insights and predictions for 2024 to keep your assets and stakeholders safe? Download Cybersecurity in 2024: Predicting the Next Generation of Threats and Strategies.