Industry executives and experts share their predictions for 2024. Read them in this 16th annual VMblog.com series exclusive.
What FTC and SEC Guidelines Mean for 2024: It is time to invest in Data Security and Reputation
By Gil Dabah, CEO and Co-founder of Piiano
The recent regulatory updates from the U.S. Federal Trade Commission (FTC) and Securities and Exchange Commission (SEC) have brought significant changes to the way businesses protect data. Their focus on transparency and stricter security measures against escalating cybersecurity threats has important practical implications for data storage, transfer, and use. In the upcoming year, we can expect the majority of today's data-driven businesses to invest in new methods and technologies to comply with these new rules. The best method will be to root out potential problems at the code level.
What to expect:
- Cybersecurity budgets will be more focused on privacy and data protection
- Security incidents will have a more pronounced impact on share prices
- Integrating with GenAI will result in more unexpected security and privacy issues
Privacy compliance requires better data security, and it will remain an ongoing challenge in 2024, given that the majority of businesses already struggled with it before the FTC and SEC's most recent updates. Although GDPR kickstarted efforts in 2018, most businesses are still in the early stage of embedding privacy and data security principles into their products, and doing so on an ad-hoc basis. Their environments were never built with privacy in mind, and the goal of independently achieving privacy by design remains out of reach. Such a feat is simply too time- and resource-consuming. It requires technical, security, privacy, legal, and compliance experts and a massive technological overhaul that few can afford to execute on their own.
Yet the privacy market is still nascent and largely underdeveloped. In large part, the lack of options is the natural consequence of low demand. Businesses of all sizes have consistently deprioritized acquiring privacy solutions for their security stacks. This is not to say that they do not aspire to privacy by design down the line, simply that other, easier-to-deploy or check-the-box cybersecurity products preoccupy the security teams. As the privacy regulatory landscape advances and grows more severe, maintaining a passive stance toward privacy will prove unsustainable by the end of 2024.
The stakes are only intensifying: the security and privacy risks of ever-expanding GenAI, which are still in the process of being properly discovered and understood, are piling onto existing concerns. The sophistication of attacks has also never been higher. Though financial institutions face the greatest degree of aggressive data breach and ransom attacks, the recent attack on MGM underscores that businesses in every sector are at risk. It is largely for these reasons that the FTC and SEC have updated their regulations.
What the Regulations Say
The FTC's Safeguards Rule has specifically raised data protection standards for financial institutions, mandating that non-banking financial institutions establish comprehensive security programs to keep customer financial data safe. Meanwhile, the SEC's new issuances are of a different nature, focusing instead on the obligation to disclose security events. Public companies must rapidly report "material" cybersecurity incidents, meaning those "to which there is a substantial likelihood that a reasonable investor would attach importance." Companies under the SEC's purview now have a four-day window to assess the significance of these incidents and provide detailed information as required.
Contextualizing a Broader Threat Landscape
From a security perspective, traditional security standards, such as ISO 27001, fall short of addressing the next generation of threats (or, frankly, current attacks). Emerging threats, the still-ongoing shift towards cloud-based environments, R&D velocity, and rapid software releases all require more adaptable and advanced security measures. The integration of AI, particularly GenAI, introduces a new security concern, with prompt injection as a real attack vector. On the privacy side of GenAI, de-identifying the data before sending it to GenAI vendors is proving to be a real technical challenge, to say the least. All of these technological advancements put crown jewels at risk. Remember, sensitive customer data serves as the primary target for most breaches.
Increased Stakes for Businesses
Even if customer privacy does not serve as a primary basis for concern, we can also expect more business-related motivations to take effect. Although it may be a hard pill to swallow in today's economy, failing to invest in more robust privacy and security or to comply with reporting standards will lead to harsher financial consequences. Security incidents are going to have a more significant impact on customer trust, overall reputation, and share prices. Discounting the top percentage of companies capable of taking on the reputational and regulatory tolls of breaches, most companies cannot afford these penalties.
In 2024, businesses will be left with no choice but to build their own privacy-by-design architectures or invest in solutions that can achieve this for them. Given how unlikely they are to achieve this on their own, it is important to find a middle ground between ad-hoc fixes and full system overhauls, and between strained budgets and teams and growing privacy obligations.
For years, I have advocated for an easier way to write privacy directly into code without requiring a total system overhaul. Integrating with pre-built privacy components is the middle ground businesses need. It enables regular developers, without any security or privacy expertise, to introduce the necessary changes to their products. Security solutions have indicated time and again that they cannot protect data or maintain customer privacy. By shifting privacy and security left, businesses can preempt the costly war room scenarios that accompany every incident. This not only bypasses the need to bring on a horde of experts but also nullifies the cost of breaches.
Cybercriminals continue to target customer data, and we should not expect this to change. If we wish to be realistic about the future of data protection, and if these new regulations are any indication, our code must change instead.
## ABOUT THE AUTHOR
Gil Dabah
Gil Dabah is a hacker turned entrepreneur. Passionate about building (and breaking) software, he founded Piiano, his second company looking to make a major impact in the sphere of cybersecurity. This time, he's on a mission to change how industries protect sensitive data. A renowned bug bounty hunter, Gil is also a celebrated speaker, and his open-source libraries are used by commercial products worldwide.