First Annual Cyber Security Predictions Pinpoint Areas of High Cyber Risk in the New Year and Beyond
As business decision-makers look to the year ahead, it is critical to address existing and new cyber security concerns. To help with that process, Chubb has launched its first annual cyber security predictions, which focus on the top risks in 2019 and beyond.
“The cyber risk landscape is constantly evolving — it’s vital to stay on top of potential risks as they emerge,” said Michael Tanenbaum, Head of Chubb Cyber North America. “We expect shifts in the regulatory landscape, changes to the fundamental models of cyber crime, and additional risks brought on by the explosive growth in Internet of Things (IoT) devices. It is critical to stay abreast of these things in 2019.”
“Throughout the years, we have seen everything from Y2K to today’s mega-breaches and the evolution of cyber crime,” said Bill Stewart, Division President of Chubb’s Global Cyber Risk practice. “We continue to stay ahead of the latest cyber risks to help our clients protect against and respond to an ever-increasing cyber threat.”
Chubb, an innovator in the cyber insurance space, has more than 20 years of experience writing cyber insurance policies. Based on that experience, the Chubb Cyber practice has issued the following three cyber security predictions for 2019 and beyond:
Cybersecurity regulation and enforcement will increase and focus more on actions taken by businesses pre-incident, in addition to post-incident protocol.
Until now, regulatory efforts have largely focused on steps businesses must take after a cyber incident, including fixing vulnerabilities, notifying law enforcement, and notifying customers. Chubb anticipates this will change as lawmakers also focus regulatory attention on companies’ data collection and data usage practices, as well as on the actions that organizations should take to better prevent a cyber incident from occurring in the first place. This phenomenon has already begun to take hold in the United States with laws such as the New York State Department of Financial Services (NYDFS) Cybersecurity Regulation and the California Consumer Privacy Act, which have put new obligations on organizations to not only protect the information they collect, but also to ensure that they are allowed to collect such information, that they are using that information legally, and that they remain responsible for that information when they share it with a third party.
Additionally, this trend has been seen globally, which impacts many more businesses now than ever before. The internet and virtual connection have provided great opportunity to many organizations, but they could also be subjecting those organizations to the laws of the jurisdictions in which their new customers reside. Thus, organizations not only need to ensure that they are in compliance with the laws of the state in which they physically operate, but also determine if they are subject to the laws of the locations where they virtually operate. In the coming years, organizations of all sizes can expect to see increased data regulation in the United States and abroad, which will focus on data privacy, data use, and data security.
Crime does pay, and business is booming: the business model of cyber crime will tilt heavily toward direct monetization attacks.
During the past 20 years, the dark market has become saturated with private records and personally identifiable information (PII). In 2019, rather than seeking additional PII, cyber criminals will prioritize attacks that result in direct monetization as they operationalize PII that they’ve already obtained. In order to pursue these types of attacks, criminals will continue to employ ransomware.
Already a threat on the rise, ransomware will continue to grow and will remain a top cyber threat for the next five years, and will become even more destructive and costly. Social engineering financial fraud also will ramp up, and cryptojacking — the unauthorized use of someone’s computer to mine cryptocurrency — will be employed heavily by cyber criminals.
Cyber criminals will target individuals just as much as businesses as billions of Internet of Things (IoT) devices come online.
As billions of additional IoT devices come online during the next year, cyber criminals will have even more avenues to target individuals. As device use overlaps between enterprise and individual, we will see more targeted ransomware and phishing attacks. Video and audio capabilities on devices — from smartphones to refrigerators, smart assistant devices, and nanny-cams — will help cyber criminals gather personal information and images. Bad actors can gain access to businesses through personal devices — particularly when businesses allow individuals to connect with their personal devices through an enterprise server. As an increasing number of IoT devices come online, businesses will need to monitor vigilantly to intercept and short-circuit cyber risks.
As always, business leaders should look to defend their companies from cyber attacks rather than react to cyber attacks. As cyber threats evolve, cyber insurance will play a key role in the awareness, preparedness, and resiliency of governments, corporations, and individuals.