Cybersecurity & Data Privacy Communications

Predictions for Cybersecurity in 2024: Communications and Reputational Perspectives

What will the cybersecurity space look like in 2024? And what do companies need to do to ensure they are prepared from a communications and reputational perspective?

Predictions from FTI Consulting’s Cybersecurity and Data Privacy Communications practice to help businesses navigate the ever-evolving threat landscape and strengthen their communications and incident response preparedness.

Cybersecurity is set to continue dominating headlines and boardroom agendas as threats evolve and span both borders and regulatory jurisdictions. Based on our in-depth knowledge of the changing cybersecurity space and what this means for businesses from a communications and reputational perspective globally, we captured five key predictions for 2024.

Tom Bolitho
Senior Director, Cybersecurity & Data Privacy Communications

1. Geopolitical risk – A spotlight on cyber & critical national infrastructure

A volatile geopolitical environment will encourage threat actors to expand their cyber operations and exploit partisan public sentiment in support of broader nation-state objectives. Critical National Infrastructure (CNI) and its supply chain will remain a target as threat actors continue to prioritize attacks against all CNI sectors.

Threat actors will draw further attention to their activities, coupling social and traditional media campaigns with offensive cyber activity as they seek to capitalize on major geopolitical events in support of wider nation state objectives. The alignment of ‘hacktivist’ influence campaigns with wider nation state objectives in Ukraine and Israel is an example of this, as threat actors make false claims and seek to magnify the perceived impact of their operations.[1] Meanwhile the complexity and frequency of cyber attacks against critical national infrastructure will increase as threat actors continue to exploit vulnerabilities in the Internet of Things (IoT) environment and across Operational Technology (OT).[2]

Wider awareness of international cyber events invites a reduced tolerance from key stakeholders for organizations that remain ill-prepared. Companies should rehearse their communications strategies to ensure reputational risk is mitigated. Organizations associated with CNI and its supply chain should be prepared to communicate those proactive steps they have taken to match or exceed the frameworks provided by national authorities and agencies. Real-time press engagement must remain a priority and teams should understand how they will respond to cyber activity that generates persistent and widespread media interest.

Jack Rozier
Senior Director, Cybersecurity & Data Privacy Communications

2. New SEC incident disclosure rules

Even before the SEC rules went into effect in December 2023,[3] the precedent had been set for organizations to follow the spirit, rather than the letter, of the law. This is evidenced by multiple publicly traded organizations making pre-emptive 8-K disclosures before materiality was assessed or incidents were determined to be material at all.

With precedent emphasizing the spirit of the new regulation, we expect to see an over-disclosure of cyber incidents that do not materially impact company financials. This will lead to cyber incident disclosures becoming more standardized, meaning that they will likely not move markets like many thought they would when rumours of the SEC rules were in full swing. But companies shouldn’t ignore thoughtful, carefully coordinated disclosures altogether. In fact, companies should anticipate a higher expectation from the market in the way the disclosure and subsequent communications about the incident are managed – investor relations, commercial communications, and media management.

First and foremost, threat actors intentionally target organizations during pivotal moments in time such as quarterly earnings and merger integration. This further emphasizes the fact that companies need to assess their disclosure obligations not only with a high degree of accuracy, but at a pace we’ve not seen before. To manage this expectation, publicly traded companies should form a cross-functional cybersecurity communications disclosure committee and regularly test their collaboration and decision-making capabilities through table-top exercises and strategic communication scenario planning.

Second, we will see the SEC step up its enforcement actions against those companies that do not comply with its incident disclosure rules or fair disclosure of relevant information to the market. The SEC’s recent litigation against a CISO following its company’s incident highlights that the SEC is tuned into any malpractice by company leadership or unfair disclosure of information, even if the commission’s new rules standardise incident disclosure altogether. [i]

Alex Rostron
Senior Consultant, Cybersecurity & Data Privacy Communications

3. AI is everywhere

The use of Artificial Intelligence (AI) in offensive and defensive cyber technologies will increase as AI becomes more accessible. Generative AI and Large Language Models (LLMs) will allow sophisticated attacks to be deployed by threat actors rapidly, at scale and across the entire cyber attack kill chain. In response, organizations will continue to adopt AI as part of ‘active defense’ cybersecurity models as the majority (82%) of IT decision-makers plan to invest in AI-driven cybersecurity in the next two years.[4]

With threat actors using LLMs to generate more compelling phishing content, there is an increased need for sophisticated phishing awareness trainings across business functions, as well as a greater discourse between CISOs/InfoSec and other business leaders to ensure organisations are prepared.

This goes beyond IT. Companies should be prepared to define and defend how they use AI. Ethical considerations must be reflected and policies regularly updated in line with the latest guidelines as AI augments existing resources. Where AI capabilities are used to enhance cyber defence, and to ensure a company’s reputation is protected, it is key for companies to be open, honest and transparent and to communicate their stance, demonstrating clearly that they have grasped the ethical and regulatory considerations not only at the policy level but at a practical level across their organization.

Florence Hugenholtz
Managing Director, Cybersecurity & Data Privacy Communications

4. A federal U.S. data privacy law – will it (n)ever be?

Will 2024 be the year where industry’s optimism for the long-awaited federal data privacy law is finally answered? After years of ongoing anticipation and speculation for one all-encompassing edict, there hasn’t been significant activity to suggest 2024 will be the year it comes to pass.

Despite industry calls for clarity and consistency, the evolving patchwork of various state laws addressing data privacy is expected to continue over 2024. While the Biden administration has taken steps to help support legislation, such as a call for bipartisan cooperation in the October executive order on AI[5], Congress does not appear poised to pass a bill as it relates to privacy.

Maintaining a proactive stance and consistent privacy communications aligned to the ever-changing current patchwork of data privacy laws is challenging and complex – particularly as the landscape will continue to change through 2024. It is therefore key to ensure your organization is well prepared with a communications strategy that meets the requirements of any applicable state or industry laws. Organizations should scenario plan for the many possibilities outside of a data breach that can impact reputation, such as ‘What if protected information ends up as an answer to someone else’s ChatGPT question?’.

Tracy Wilkison
Senior Managing Director, Cybersecurity 

5. Third-party breaches

Threat actors will continue to target software companies and other third-party vendors to increase the potential of exploiting multiple organizations by compromising one. According to a study from the Ponemon Institute regarding data risk related to third parties, 59% of organizations confirmed that they were affected by a data breach as a result of an incident with one of their third-party vendors. Additionally, in the same study, 61% of respondents answered that their organization does not have a record of all the third-party vendors with whom they share sensitive or confidential information.[6]

Organizations should constantly be evaluating the security risk of their third-party vendors, and any cybersecurity incident notification obligations in their contracts with them. Additionally, for all third-party vendors, organizations should be aware of the extent to which they have access to their organization’s network and hosted information. Access should then be restricted to only what is required for the third-party to fulfil their role, which limits the ability of threat actors to move laterally within systems and networks, once they gain entry to a connected third party.

A good rule of thumb to operate by: Even though you may not experience a cybersecurity incident, you may still be impacted if one of your third-party vendors experiences a breach. It is absolutely critical to always be prepared with a practiced and updated incident response plan for managing a third-party cybersecurity event.

FTI Consulting’s Cybersecurity & Data Privacy Communications practice is widely considered to be the only, and the largest, cross-border crisis communications practice specializing in cybersecurity crisis communications in the business consulting and management advisory industry.

[1] “Analyzing cyber activity surrounding the conflict in the Middle East,” Group-IB (October 24, 2023), https://www.group-ib.com/blog/middle-east-conflict-week-1/

[2] 41% of threat notifications Microsoft sent to online services customers between July 2022 and June 2023 went to critical infrastructure organisations per “Microsoft Digital Defense Report 2023,” Microsoft (October 2023), https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023

[3] “SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies,” U.S. Securities and Exchange Commission (July 26, 2023), https://www.sec.gov/news/press-release/2023-139

[4] “SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures,” U.S. Securities and Exchange Commission (October 30, 2023), https://www.sec.gov/news/press-release/2023-227

[5] “ChatGPT May Already Be Used in Nation State Cyberattacks, Say IT Decision Makers in BlackBerry Global Research,” Blackberry Global Research (February 2, 2023), https://www.blackberry.com/us/en/company/newsroom/press-releases/2023/chatgpt-may-already-be-used-in-nation-state-cyberattacks-say-it-decision-makers-in-blackberry-global-research

[6] “FACT SHEET: President Biden Issues Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence,” The White House (October 30, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/10/30/fact-sheet-president-biden-issues-executive-order-on-safe-secure-and-trustworthy-artificial-intelligence/

The views expressed in this article are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.

©2024 FTI Consulting, Inc. All rights reserved. www.fticonsulting.com
