From the risk, regulation, and insurance perspective of cyber, we review the key moments in 2015, while forecasting possible events in 2016.
2015: The year Cyber went mainstream.
This holiday season, when we sit down with family and friends and they ask about work and we talk about cyber and insurance, no longer do we get the bewildered look and glazed-over eyes. Now we get heads nodding with a slight smile and an understanding of the notorious cyber events of the year. Here’s a look back at the cyber events of 2015.
The year started off with a bang with the Anthem breach. This breach was a wake-up call to exposure from employee data held by vendors and continues to impact the insurance marketplace’s pricing and underwriting of cyber risk.
While the Ashley Madison breach provided entertainment this year as did the USA Network show Mr. Robot (Elliot Alderson white hat security expert by day, vigilante hacktivist by night), the volume of breaches did not slow down and in fact ticked up over 2014.
The breaches in the latter part of this year, ranging from Experian having a breach with T-Mobile customer data (up to 15 million customers) and the hotel and hospitality market getting hit this year (Mandarin Oriental, Hilton Worldwide, The Trump Hotel Collection, and Hyatt Hotels), have yet to impact the insurance marketplace.
This year (2015) also saw change from the government and regulatory perspective on a global basis. The US–EU Safe Harbor framework went up in smoke only to be replaced by the Global Data Protection Regulation (GDPR). The FTC and Wyndham Hotels and Resorts went a few rounds (decision: FTC) and let’s not overlook the recent announcement of the FTC handing out a record fine of $110 million to LifeLock for violating their prior consent decree. Ouch.
The US Congress managed to accomplish a few things in 2015 with the passing of the Cybersecurity Information Sharing Act where private entities can share cyber threat indicators with the US Federal Government through a “portal” at the Department of Homeland Security. The US Senate recently introduced the Reed-Collins Cybersecurity Disclosure Act of 2015 that intends to improve the cybersecurity practices at publicly traded companies by encouraging their disclosure of cybersecurity expertise on their board of directors.
Finally, we’d be remiss if we didn’t mention the Europay MasterCard Visa (EMV) liability shift date that took place on Oct. 1, where merchants’ point-of-sale systems needed to accept and process chip-and-pin payment cards or the merchants would accept the liability from use of fraudulent payment cards.
Just like the holidays, a little something for everyone.
2016: Expect more of the same, but with a twist.
The new year will feature some of the same events from 2015, but also with some multi-dimensional aspects. Breaches will continue, but we will see continued growth and complexity in what’s getting attacked.
The recent movement on the underwriting side at the end of 2015 created anticipation for new capacity out of the London market in the latter half of 2016. Also, with the anticipated rise in interest rates and with a cyber insurance market that is growing at a significant clip year over year, we just may see insurers go for market share this year.
As far as trends for security in 2016, companies will continue the migration to managed security service providers and virtualized desktop environments where endpoint security is managed at the network level. Moreover, we anticipate artificial intelligence will take a larger role in new anti-virus software.
From a breach perspective, it doesn’t take Captain Obvious to suggest that the type and volume of breaches will continue to increase, with wearable technology and the Internet of Things joining the fray. It’s been suggested in the press that in 2016, 1-in-3 personal healthcare records will be the subject of a breach.
What we are likely to see in 2016 is an increase in breaches of industrial control systems running our nation’s infrastructure. With the risk to both bodily injury and property damage as a consequence of cyber attacks, these attacks are going to be a growing trend.
With the FTC’s recent hire of online privacy advocate Lorrie Cranor, expect more activity from the FTC, particularly around mobile technology and the Internet of Things, with a focus on disclosure and compliance.
In 2015, we’ve learned to accept the new normal: reading about a data breach on a daily basis. However, in 2016 what will be attacked and how it will be attacked may be surprising. Regulators and the US Congress will continue to turn up the volume on accountability, and companies will be asked to have cybersecurity expertise on their boards.
Finally, it’s not too late for state attorneys general to show their moxie and enter the fray during an election year, especially those with political aspirations. They may try to show they are tougher on data and privacy than anyone else, especially in the absence of a national breach notification law. Suffice it to say, 2016 won’t be dull and will provide us many interesting topics to blog about in the coming year. Here’s to another year of cyber being mainstream. Cheers to that.