Virtualization Technology News and Information
Piiano 2024 Predictions: What FTC and SEC Guidelines Mean for 2024 - It is time to invest in Data Security and Reputation

Industry executives and experts share their predictions for 2024.  Read them in this 16th annual VMblog.com series exclusive.

What FTC and SEC Guidelines Mean for 2024: It is time to invest in Data Security and Reputation

By Gil Dabah, CEO and Co-founder of Piiano

The recent regulatory updates from the U.S. Federal Trade Commission (FTC) and Securities and Exchange Commission (SEC) have brought significant changes to the way businesses protect data. Their focus on transparency and stricter security measures against escalating cybersecurity threats has important practical implications for data storage, transfer, and use. In the upcoming year, we can expect the majority of today's data-driven businesses to invest in new methods and technologies to comply with these new rules. The best method will be to root out potential problems at the code level.

What to expect:

  • Cybersecurity budgets will be more focused on privacy and data protection
  • Security incidents will have a more pronounced impact on share prices
  • Integrating with GenAI will result in more unexpected security and privacy issues

Privacy compliance requires better data security, and it will remain an ongoing challenge in 2024, given that the majority of businesses already struggled with it before the FTC and SEC's most recent updates. Although GDPR kickstarted efforts in 2018, most businesses are still in the early stage of embedding privacy and data security principles into their products, and doing so on an ad-hoc basis. Their environments were never built with privacy in mind, and the goal of independently achieving privacy by design remains out of reach. Such a feat is simply too time- and resource-consuming: it requires technical, security, privacy, legal, and compliance experts, as well as a massive technological overhaul that few can afford to execute on their own.

Yet the privacy market is still nascent and largely underdeveloped. In large part, the lack of options is the natural consequence of low demand. Businesses of all sizes have consistently deprioritized acquiring privacy solutions for their security stacks. This is not to say that they do not aspire towards privacy-by-design down the line, simply that other, easier-to-deploy or check-the-box cybersecurity products preoccupy the security teams. As the privacy regulatory landscape advances and grows more severe, maintaining a passive stance toward privacy will prove unsustainable by the end of 2024.

The stakes are only intensifying: the ever-expanding use of GenAI, whose security and privacy risks are still being discovered and understood, piles new concerns onto existing ones. The sophistication of attacks has also never been higher. Though financial institutions face the most aggressive data breach and ransom attacks, the recent attack on MGM underscores that all business sectors are at risk. It is largely for these reasons that the FTC and SEC have updated their regulations.

What the Regulations Say

The FTC's Safeguards Rule has specifically raised data protection standards for financial institutions, mandating non-banking financial institutions to establish comprehensive security programs to keep customer financial data safe. Meanwhile, the SEC's new issuances are of a different nature, focusing instead on the obligation to disclose security events. Public companies must rapidly report "material" cybersecurity incidents, meaning those "to which there is a substantial likelihood that a reasonable investor would attach importance." Companies under the SEC's purview now have a four-day window to assess the significance of these incidents and provide detailed information as required.

Contextualizing a Broader Threat Landscape

From a security perspective, traditional security standards such as ISO 27001 fall short of addressing the next generation of threats (or, frankly, current attacks). Emerging threats, the still-ongoing shift towards cloud-based environments, R&D velocity, and rapid software releases all require more adaptable and advanced security measures. The integration of AI, particularly GenAI, introduces a new security concern, with prompt injection as a real attack vector. On the privacy side of GenAI, de-identifying data before sending it to GenAI vendors has proven to be a real technical challenge, to say the least. All of these technological advancements put the crown jewels at risk. Remember, sensitive customer data is the primary target of most breaches.
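As an added illustration of the de-identification step described above (example code written for this page, not Piiano's product or anything from the article), the following Python pseudonymizer swaps regex-detected identifiers for placeholder tokens before a prompt leaves the environment, gates the outbound call on a residual-PII check, and restores the originals in the vendor's reply. The pattern set, function names and the sample prompt are constructed for the example; the vendor call itself is left out.

```python
import re
from typing import Dict, Tuple

# Identifier patterns are constructed for this example. SSN is listed first so a
# nine-digit number is claimed as an SSN before the looser phone pattern sees it.
PII_PATTERNS = {
    "SSN":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "PHONE": re.compile(r"(?:\+?\d{1,2}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b"),
}

def deidentify(text: str) -> Tuple[str, Dict[str, str]]:
    """Swap every detected identifier for a placeholder such as <EMAIL_2>.

    Returns the scrubbed text (what may be sent to the vendor) and the
    placeholder->original map, which must never leave your environment.
    """
    vault: Dict[str, str] = {}   # placeholder -> original value
    seen: Dict[str, str] = {}    # original value -> placeholder (stable tokens)

    def replacer(kind: str):
        def repl(match: re.Match) -> str:
            value = match.group(0)
            if value not in seen:           # same value always gets the same token
                token = f"<{kind}_{len(vault) + 1}>"
                vault[token] = value
                seen[value] = token
            return seen[value]
        return repl

    for kind, pattern in PII_PATTERNS.items():
        text = pattern.sub(replacer(kind), text)
    return text, vault

def is_clean(text: str) -> bool:
    """Final gate before the outbound call: nothing pattern-shaped may remain."""
    return not any(p.search(text) for p in PII_PATTERNS.values())

def reidentify(text: str, vault: Dict[str, str]) -> str:
    """Restore originals in the vendor's reply, which only ever saw placeholders."""
    for token, value in vault.items():
        text = text.replace(token, value)
    return text

# Constructed sample prompt; in practice this would be a ticket, chat or record.
SAMPLE = ("Summarize the complaint from jane.doe@example.com "
          "(call 555-123-4567, SSN 123-45-6789) about her order.")

if __name__ == "__main__":
    scrubbed, vault = deidentify(SAMPLE)
    assert is_clean(scrubbed)
    print(scrubbed)   # only placeholders leave the environment
```

Regex detection is the easy half of the problem: names, addresses and free-form identifiers need NER or schema-aware tokenization, which is why the article calls this a real technical challenge.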

Increased Stakes for Businesses

Even if customer privacy does not serve as a primary basis for concern, we can also expect more business-related motivations to take effect. Although it may be a hard pill to swallow in today's economy, failing to invest in more robust privacy and security or comply with reporting standards will lead to harsher financial consequences. Security incidents are going to have a more significant impact on customer trust, overall reputation, and share prices. Discounting the top percentage of companies capable of taking on the reputational and regulatory tolls of breaches, most companies cannot afford these penalties.

In 2024, businesses will be left with no choice but to build their own privacy-by-design architectures or invest in solutions that can achieve this for them. Since most are unlikely to attain such feats on their own, they need a middle ground between ad-hoc fixes and full system overhauls, one that fits strained budgets and teams while meeting growing privacy obligations.

For years, I have advocated for an easier way to write privacy directly into code without requiring a total system overhaul. Integrating with pre-built privacy components is the middle ground businesses need. It enables regular developers, without any security or privacy expertise, to introduce the necessary changes to their products. Security solutions have shown time and again that they cannot protect data or maintain customer privacy. By shifting privacy and security left, businesses can preempt the costly war-room scenarios that accompany every incident. This not only bypasses the need to bring on a horde of experts but also nullifies the cost of breaches.

Cybercriminals continue to target customer data, and we should not expect this to change. If we wish to be realistic about the future of data protection, and if these new regulations are any indication, our code must change instead.

ABOUT THE AUTHOR

Gil Dabah is a hacker turned entrepreneur. Passionate about building (and breaking) software, Piiano is his second company looking to make a major impact in the sphere of cybersecurity. This time, he's on a mission to change how industries protect sensitive data. A renowned bug bounty hunter, Gil is also a celebrated speaker, and his open-source libraries are used by commercial products worldwide.

Published Friday, October 27, 2023 7:39 AM by David Marshall