The Cybersecurity and Infrastructure Security Agency (CISA) and numerous new privacy laws moved cybersecurity forward in 2022 with great strides. 2023 now looks even more critical, with many laws that originated last year expected to be passed or revised this year. The urgency is real: Jim Lenz, a cybersecurity professor at Duke University, says that cybersecurity legislation is an issue of national security.
“We are still the engine of the world as far as innovation, in the United States,” Lenz says. “We have a vested interest to protect that. We have a vested interest to protect what we're doing in government and in private industry. It’s important that we have legislation that highlights that, but that also has the teeth to enforce it.”
Cybersecurity policy touches almost every private firm, nonprofit, or government entity. With the right tools, you can cut through the noise and help your team understand the cybersecurity policy landscape to better inform your government affairs strategy and the rest of your organization.
Top Cybersecurity Trends in 2023
As organizations continue to catch up to increased remote work and digital processes, the current trends and issues drive future legislation. Here are some of the big trends organizations should pay attention to in 2023:
1. Using Cloud-Based Infrastructure
Many companies and governments currently use antiquated infrastructure, which comes with significant cybersecurity risks. Lenz says current apps and systems are developed for the modern environment, but companies still use old technology designed decades ago.
For example, the financial services sector still relies on mainframe technology. “Many of the companies hit by ransomware attacks operate in a legacy environment that’s not up to the job of implementing best practices,” says Lenz.
By moving to cloud-based infrastructure, organizations can reduce security risks. With cloud adoption, businesses have full visibility and access to experts across the country, which eliminates many of the risks of operating outdated equipment.
2. Moving Toward Digital Identities
In 2023, digital identities will continue to push paper identities into history. Lenz says he sees a similar privacy problem with legacy identities that were created decades ago as paper documents. For example, it’s still common to be handed multiple pieces of paper to fill out with your medical history and other personal information when you go to a new doctor. Those pages are then read by a human and entered into the computer system.
While shredding those documents is a best practice, that doesn’t always happen. Lenz says that to create true privacy, organizations must use new authentication and protection techniques. By moving to digital identities, organizations can use cybersecurity techniques to secure sensitive data properly. Additionally, digital identity authentication across platforms and systems proactively identifies potential threats more quickly.
3. Holding Executives Accountable
While fines levied on companies over cybersecurity and privacy issues have increased, company executives have not yet been held accountable. Fining the company, in essence, fines the organization’s shareholders, not the leaders responsible for the security deficiencies that allow issues to occur, Lenz says.
One of the greatest challenges he notes is that there is no sense of accountability at a corporate level. “We need to start holding senior executives accountable. When you hold people personally accountable, we will see changes,” Lenz adds.
4. Adopting Zero Trust
With an increase in remote work over the past few years, protecting the perimeter no longer properly secures an organization. To protect the new way of working, organizations are increasingly moving to zero trust, which is a framework that starts by assuming all apps, devices, and users are not authorized. Organizations use strategies such as multi-factor authentication, encryption, and microsegmentation to ensure that only authorized users access the network.
Cybersecurity Policy and Legislation to Monitor
A solid understanding of rules and regulations in the event of a cybersecurity incident is crucial for an organization to effectively manage and prepare for a possible situation. Figuring out what to do, who to tell, and where to go can be confusing, especially in the U.S. as individual states legislate on the topic. Numerous pieces of legislation are currently in process or expected to be proposed in 2023 around the world.
1. Cybersecurity Vulnerability Remediation Act
H.R.285, the Cybersecurity Vulnerability Remediation Act, creates a protocol for reporting and acting on cybersecurity vulnerabilities. The bill requires CISA to report on its activities while also giving the Department of Homeland Security the ability to counter cybersecurity vulnerabilities. By clearly outlining the processes and roles, the act aims to make remediation more coordinated and effective.
2. Tougher Network and Information Systems (NIS) Regulations in the UK
Because cyberattacks have continued since the introduction of the regulations in 2018, the UK is now requiring that managed service providers (MSPs) follow the rules. One of the key reasons that the UK government made the change is the impact of MSPs on the supply chain, which is a key source of vulnerabilities. This change is important as a precedent for adding MSPs to regulatory compliance rules.
3. US National Defense Authorization Act for 2023
The bill funds several key cybersecurity initiatives including $2.8 billion for CISA, representing a 12 percent increase from 2022. Key funding projects related to the bill include funding protections of state, local, territorial, and tribal (SLTT) networks, improving threat-hunting capabilities, and funding emergency communication preparedness.
4. US Securities and Exchange Commission Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
Expected to be finalized in April 2023, this rule requires firms falling under specific guidelines to report cybersecurity incidents to the regulator. Additionally, the regulation now requires documentation of cybersecurity protocols and detailed plans for cybersecurity incidents. Firms failing to follow the new regulations could face hefty fines and reputation damage.
5. New York Part 500 Cybersecurity Regulations
The new amendments require updating the landmark bill from 2017. Because Part 500 was one of the first pieces of legislation requiring businesses to have a cybersecurity risk assessment and plan, many states and agencies based future legislation on this bill. Financial institutions, including banks and insurance companies, must update their cybersecurity programs under the revised Part 500, which now requires notification, reporting, and governance.
Keeping Track of Cybersecurity Legislation
Organizations are responsible for following all cybersecurity laws. Because these laws often are enforceable based on the location of the customer or origin of the data, companies and governments must track laws in jurisdictions other than those of their own locations. Updating often takes significant time and budgetary considerations, so it’s imperative for organizations to monitor pending legislation so they can plan for changes to stay in compliance.
With a fluid landscape, a high volume of legislation and regulation, and intense focus from almost every industry, changes in cybersecurity policy can prove difficult to monitor. Organizations are increasingly turning to FiscalNote to monitor the rapidly evolving cybersecurity policy trends around the world. FiscalNote’s legislative tracking solutions can provide policy information at the global, federal, state, and local levels when you need it, so you can craft and execute a successful government affairs strategy that keeps your team and wider organization in the know and compliant.