Menu

Third-Party Risk Management

top cybersecurity risks trends and predictions for 2023

Top Cybersecurity Trends and Predictions for 2023

, , , , , , , , , , , , , ,

Without a doubt, 2022 has been such an eventful year in the world of cybersecurity. There were over 2.8 billion reported cases of malware attacks worldwide and over 236 million reported cases of ransomware attacks just in the first half of the year.

In 2022, the government of Costa Rica declared a state of emergency and Toyota was forced to shut its 14 factories in Japan, following different and several cyberattacks.

As we enter the last few hours of 2022 and look forward to 2023, cybersecurity remains top of the agenda for the leaders of several businesses and organizations worldwide.

It is, therefore, natural to start thinking about what the next year might bring in terms of cybersecurity trends and predictions, and help inform decisions on information security strategies and budgets.

Here are my top 10 cybersecurity trends and predictions for 2023:

Ransomware Attacks

Ransomware attacks, in which hackers encrypt a victim’s data and demand payment to decrypt it, have been a major problem in recent years. These attacks are likely to continue in 2023, as hackers find new ways to target businesses, organizations and individuals across different spectrums in different societies and cultures.

Remote Work Security

The shift towards remote work, accelerated by the COVID-19 pandemic, has created an increased need for secure remote access solutions. The nature of remote work is changing and more organizations are adopting policies and environments that allow their employees to carry out their respective tasks remotely more effectively.

In 2023, we can expect to see a continued focus on this area, as organizations look for ways to protect their networks and data while employees are working remotely.

Further developments in this area include the adoption of virtual private networks (VPNs) and other secure remote access technologies, as well as the implementation of strong authentication protocols and the use of multi-factor authentication.

Another major trend in this space is something known as Decentralized Security; a comprehensive network of proactive and reactive defenses with built-in machine learning features that monitor endpoints, identities, and access regardless of who the users are, what they do, or wherever they may be connected from.

Supply Chain Attacks

Supply chain attacks involve compromising the security of a third-party vendor or supplier to gain access to an organization’s systems or data. These attacks can be difficult to detect and prevent because they usually do not involve any direct interaction with the target organization.

Organizations can establish steps to mitigate against such attacks including implementing secure supply chain practices, conducting thorough random checks on their suppliers, and implementing incident response plans.

A recent policy statement published by the Bank of England outlines regulations that affect financial institutions regarding outsourcing and third-party risk management.

New Technologies & More Attack Vectors

As new technologies emerge, they will also bring new attack vectors for hackers to exploit. In 2023, we may see an increase in attacks targeting the internet of things (IoT), as well as attacks targeting emerging technologies such as 5G networks and quantum computers.

Artificial Intelligence and Machine Learning

Artificial intelligence (AI) and Machine Learning (ML) have already started to play a significant role in cybersecurity, and this is likely to continue in 2023. These technologies can be used to analyze large amounts of data and identify patterns and anomalies that might indicate a security threat.

One example of this is the use of AI and machine learning to analyze log data and identify unusual activity that might indicate a cyberattack. This can help organizations respond more quickly to threats and minimize the damage caused by an attack.

Regulation and Compliance Requirements

As cybersecurity threats continue to evolve and become more sophisticated, we are likely to see increased regulation and compliance requirements in the coming year. This may include new laws and regulations that require organizations to implement certain security measures, as well as increased penalties for organizations that fail to meet these requirements.

Last year, I wrote an article about the Digital Operational Resilience Act (DORA) regulation proposed by
the European Union (EU).

With DORA, the EU aims to harmonize and improve risk management and operational resilience within the financial sector across the region by addressing many of the issues that concern leadership, governance, and continued operations through a severe operations disruption as well as establishing an oversight framework for managing ICT critical third-party providers (CTPPs).

The Council of the European Union (i.e., EU Council) recently adopted DORA as policy across the region.

Evolution of Cyber Threats

Cyber threats are constantly evolving, and we can expect to see new types of attacks and tactics in 2023. As hackers become more sophisticated, they will continue to find new ways to target organizations and individuals.

To protect against these evolving threats, it will be important for organizations to stay informed about the latest developments in cybersecurity and to implement effective security measures. This may involve investing in new technologies and training employees to recognize and respond to potential threats.

Cloud Security Solutions

The use of cloud-based security solutions is likely to increase in 2023, as organizations look for ways to protect their data and systems in the cloud. This may include the use of Cloud Access Security Broker (CASB) services and other cloud security technologies.

Zero-Trust Security Models

Zero-trust security models, which assume that all users and devices are untrusted until proven otherwise, are likely to become more popular in 2023. These models can help organizations protect against insider threats and ensure that their networks and systems are secure.

We can expect more security products and services to be compliant with zero-trust models, satisfying all seven tents of the NIST 800-207 model on zero-trust, as an example.

Data Privacy and Protection

As more data is collected and stored online, the protection of personal and sensitive information will continue to be a major concern in 2023. Organizations will need to implement strong data privacy measures to ensure that they comply with applicable laws and regulations as well as protect against data breaches.

“How do we effectively protect our consumers’ information from unauthorized access, use, and abuse?” This is just one of many pertinent questions that information security and risk leaders must anticipate for the future and plan accordingly.

Cybersecurity Insurance

According to a recent report, the global cybersecurity insurance market size is expected to reach US$32.6 billion by 2028.

As the risks of cyberattacks continue to grow, we can expect to see an increase in the use of cybersecurity insurance in 2023. This type of insurance can helps organizations protect against the financial impacts of a cyberattack and ensure that they have the resources to recover from an incident.

We’re falling into this old habit of trying to treat everything the same as we did in the past… This simply cannot continue. We need to make sure that we are evolving our thinking, our philosophy, our program, and our architecture.

— Sam Olyaei, Gartner Analyst

In conclusion, 2023 is likely to see an increase in supply chain attacks, state-sponsored cyberattacks, a continued focus on the security of remote work, the emergence of new technologies and attack vectors, and the growth of ransomware attacks. However, it will also be a year for some organizations to derive benefits from their investments, preparedness, and innovations in information security and regulatory compliance best practices.

digital operational resilience act

How the Proposed Digital Operational Resilience Act (DORA) Could Impact Your Organization

, , , , , , , , , , , , , , , , , ,

In the autumn of 2020, the European Commission (EU) published the proposed Digital Operational Resilience Act (“DORA”) new regulation.

With the rise of blockchain and digital banking, the nature of finance requires some adjustments.

Unfortunately, as supply chain compromises and cyberattacks affecting several organisations; including Target, Tesla, SolarWind, FireEye, and Microsoft Office 365; indicate, all aspects of digital commerce and ever-increasing dependency on Information and Communication Technologies (ICT) pose significant real and present risks, particularly regarding ICT third-party suppliers.

In the Threat Landscape 2020 report; published by the European Union Agency for Cybersecurity (“ENISA”); phishing, identity theft, and ransomware continue to be top cyber threats faced by businesses and organisations in the EU.

With DORA, the EU aims to harmonise and improve risk management and operational resilience within the financial sector across the region by addressing many of the issues that concern leadership, governance, and continued operations through a severe operations disruption as well as establish an oversight framework for managing ICT critical third-party providers (CTPPs).

It is envisaged that the EU parliament, European Council, and the European Systemic Risk Board (ESRB) will engage in several negotiations and debates over DORA with institutions in the coming months, with appropriate laws established very quickly thereafter.

What is Digital Operational Resilience?

Operational resilience is the ability to develop and maintain capabilities, processes, systems, and cultures within an organisation to help ensure the continued provision of services at the expected minimum quality level in the face of operational disruptions.

Operational resilience has always been a key strategic objective in several business sectors including the financial, utility, transport, and ICT service providers. Operational resilience has become an increasingly key subject in countries such as United Kingdom, Australia, United States, and Canada.

Digital operational resilience focuses specifically on the operational disruptions that affect ICT capabilities, services, and processes.

What is DORA?

DORA is the proposed regulation to expand and improve digital banking within the EU system while managing and avoiding the potential risks that are inherent to relying on ICT.

Objectives of the proposed regulation include:

  1. Ensuring that all financial entities have proper risk management protocols in place to track and monitor all ICT functions and asset transfers. This risk management protocol will also feature an assessment of any weak points or vulnerabilities within the system and improve regulatory reporting.

  2. Financial institutions will have a well-structured incident reporting system to report, track and address all ICT related incidents that affect their respective networks.

  3. Institutions will be responsible for constantly testing and assessing the competency and resiliency of their respective ICT system to identify any vulnerabilities.

  4. All third-party activity will be assessed, tracked, and monitored regarding any risk and mitigated by any contractual acknowledgement and agreement relative to network risks and vulnerabilities.

  5. Information exchange between institutions will be monitored and guided relative to minimizing the threats due to cyber-criminal activity.

What is the scope of DORA?

The proposed DORA regulation is expected to cover organisations within the financial sector including retail and commercial banks, electronic money transfer organisations, credit and lending agencies, insurance and reinsurance firms, and investment firms.

Also, it is envisaged that DORA will require that CTPPs, including cloud service providers, managed service providers, data analytics service providers, and audit service providers come under the supervision and oversight of the European Supervisory Authorities (ESA).

Established and confirmed non-compliance with obligations and commitments outlined in DORA regulation will be expected to carry significant penalties.

A [financial institution’s] use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws [and regulations, just as if the institution were to perform the activities in-house].

What are the key elements of the proposed DORA regulation?

Much of the concerns relative to DORA are regarding third-party risk management and mitigating infringements against financial institution security measures.

Third-party management is often sought as a more cost-effective measure for monitoring network systems and performing system checks. Unfortunately, when there are abundant vendors, suppliers and other components regularly participating and contributing to an organisation’s ICT capabilities, processes, and functions it is reasonable to expect that monitoring and identifying security breaches can become a costly and complicated process.

DORA provides a much greater incentive and structure for properly monitoring and tracking third-party involvement. Institutions will be encouraged to automate vendor onboarding where possible while tracking all vendor activity to ensure that any disruptive activity is immediately identified and addressed. Such activity will be recorded in business continuity plans, providing regulators and any security providers consistent access to ICT service usage.

DORA will also institute and regulate the various ESA who will be responsible for reporting any major ICT threats to the respective national regulator. The ESA would also be responsible for evaluating whether respective third parties have respective and effective monitoring systems to track and record any malicious network activity.

This system, in addition to instituting early-warning threats for any cyber encroachment activity and regulating which providers are reputable, will allow financial organisations to better monitor their ICT dependencies more closely.

How will the proposed regulation affect financial organisations?

As the proposal passes through the European parliament for review and revision, various organisations are considering the potential impacts and implementation strategies relative to DORA.

  1. European Union

    Given the interconnectedness of member nations, the EU is playing a critical role in the implementation of risk management measures such as DORA. Given the increasing risk of crypto assets and the advent of digital ledger, having a secure network that provides clear regulatory guidelines for financial institutions and third-party vendors across member nations will help to create a more stable financial ecosystem.

  2. Bank of England (BoE)

    Despite having left the European System of Central Banks (ESCB) since the start of Brexit, the Bank of England has been trying to mitigate its security breaches relative to third-party service providers. Creating an integrated financial network that ensures safety for all institutions within and outside of the EU is beneficial for all parties, including the Bank of England.

  3. Financial Sector

    As financial institutions, lending agencies and all digital vendors become more dependent on ICT for conducting transactions and managing accounts, ensuring a more fluid and streamlined operation that cannot be compromised will facilitate greater compatibility for vendors, suppliers, and users.

  4. Third-Party Risk Management (TPRM)

    As already noted, one of the main priorities that DORA seeks to address is the lack of regulatory power over third-party security concerns. Greater regulation will allow more streamlined interaction between financial institutions and third-party vendors and network security suppliers to ensure that the confidentiality, integrity, and availability of dependent ICT capabilities, processes, and functions are constantly maintained, monitored, and assessed.

Are there potential obstacles to DORA implementation?

Yes, it is expected that some organisations would experience some challenges to effectively implementing DORA.

Some of these obstacles would include the organisation’s existing risk culture, inconsistent risk management policies and standards, ineffective risk management framework and practices, poor or non-existent TPRM policies and strategies, and the possible underestimation of efforts and commitments required to achieve operational resilience maturity.

eu proposed dora regulation

Is DORA the future?

The proposed DORA regulation is considered a vital step in creating a standardised regulatory framework for the digital operational resilience for financial services in the EU.

In a previous article, I had looked at how GDPR would “evolve” and continue to have expected impacts in the UK as it would across the EU region.

Given the significant penalties that would be imposed for non-compliance with DORA directives, it is perhaps reasonable to envisage that DORA could eventually have similar, if not greater, impacts in both the UK and the EU region as did GDPR, albeit with very different objectives.

As the economy shifts to the digital sphere and ICT capabilities and services become more inherent to financial and commercial activities, ensuring operational resilience becomes even more paramount. As the world waits for the outcome and implementation of the directives put forth through DORA, the power of digital finance will wait to be unleashed.

 

Back To Top
Management Wire

ManagementWire © 2015-2023. All rights reserved.

Terms of Use

Privacy Policy

Cookie Policy

Contact