These seven trends will define cybersecurity in 2024:
- Good, Bad, or Ugly? AI Will Improve the Productivity of Both Cyber Attackers and Defenders
- Enterprises Will Be Compelled to Adopt a Holistic Approach to Cybersecurity
- Cloud Platforms Will Establish Stronger Relationships with Cyber Insurers
- Ransomware Dwell Times Will Continue to Decrease in 2024
- Board-Level Involvement in Cybersecurity Matters Will Increase in 2024
- Cyber Insurance Adoption Continues to Grow in 2024
- Companies Will Leverage Partnerships with External Security Vendors to Tackle the Shortage of Cybersecurity Talent
1. Good, Bad, or Ugly? AI Will Improve the Productivity of Both Cyber Attackers and Defenders
The public discourse on AI is starkly bifurcated: Is AI good or bad? It is a simplified way to examine the topic, but we can expect more dire predictions from some and more optimistic outcomes from others.
What’s missing is a deeper conversation that seeks to understand exactly what AI is capable of and how it can be used. Generative AI (gen AI) can play a role in every market segment, including cyber insurance. For tangible examples of gen AI in the cyber insurance realm, download Measured’s recently released white paper: How Generative AI Will Transform Cyber Insurance in the Next 24 Months.
Gen AI’s conversational features can enhance the functionality of virtual agents (chatbots) to answer questions about coverage, cybersecurity, and claims. Brokers, underwriters, and claims processors can also benefit from improved, quick access to information when working with customers.
Threat actors are taking advantage of new AI tools as well. As an article in Forbes explains, hackers are using AI to create more effective zero-day exploits, malware, and ransomware. Gen AI can improve the language in phishing attacks, removing errors and typos that typically alert the recipient to suspicious activity. Gen AI also helps those with little coding experience to create malware quickly, which may increase the volume of cyberattacks.
“AI is a powerful tool that goes beyond the simplistic debate of good or bad,” said Padmanabh Dabke, Chief Product Officer at Measured. “Understanding its capabilities and applications is crucial. Generative AI has the potential to revolutionize industries, including cyber insurance.”
2. Enterprises Will Be Compelled to Adopt a Holistic Approach to Cybersecurity
The worst cybersecurity threats are those not under your control. That’s why one of the trends to watch in cybersecurity is the growing awareness of the importance of monitoring the supply chain. Cybersecurity needs to be part of a comprehensive assessment of risk.
In some respects, recent regulations, like the SEC’s new rules on incident reporting, have improved cybersecurity’s prominence among decision-makers. If boards of public companies are now required to outline their incident response policy, this may be the push they’ve needed to finally take cybersecurity out of its “tech” silo. Cybersecurity needs to be a part of the larger risk picture.
“Cybersecurity isn’t just about firewalls and passwords. It’s understanding the larger risk picture as it relates to your business ecosystem, including internal actors, customers, and supply chain partners,” shared David Whipple, Co-founder and CTO of Measured.
3. Cloud Platforms Will Establish Stronger Relationships with Cyber Insurers
The migration to the cloud has eased the burden on IT teams of all sizes. The usage of cloud-based apps is on the rise, and large enterprises now run an average of 130 applications in the cloud, according to Statista.
However, this trend also has a downside: a false sense of security about data in the cloud. According to The Hacker News, despite CISOs reporting a high degree of confidence in their SaaS security with their data in the cloud, 79 percent reported cybersecurity incidents in the past year. The expanding adoption of data in the cloud via SaaS applications means vast volumes of data are being generated – data that can be an alluring target for threat actors.
Cloud platforms are increasingly concerned about the expanded attack surface and the need to go beyond mitigating the technical risk. As seen from the recent AWS partnership announcement with cyber insurers, they are keen to collaborate with insurers to protect their customers from the financial risks of cyberattacks. This kind of collaboration is what’s needed to build more secure cyber environments.
[To learn more about Measured’s perspective on cybersecurity in the cloud, download Measured’s whitepaper, “Cybersecurity in the Cloud Era: Financial and Operational Impacts Decoded, a Guide for CISOs and CFOs.”]
4. Ransomware Dwell Times Will Continue to Decrease in 2024
Reporting on 2022 ransomware attack trend data pointed to lower levels of ransomware attacks in 2023. However, by mid-2023, ransomware payouts of $449.1 million had nearly equaled the total for all of 2022, according to Wired.
Progress has been made, but there is still a long way to go. According to Sophos, dwell times (the time between when a breach occurs and when it is detected) are shrinking. Dwell times fell from an average of 10 to 8 days and may fall further. This is partially due to the success of detection and response tools. For years, cybersecurity professionals have been stressing the importance of automation in detection.
However, better detection and response means threat actors are now increasing the pace of their attacks. This in turn requires faster detection and response time—and the cycle continues.
Vince McCarthy, President of Measured, observed, “Given the decreasing duration of this dwell time, defenders need to be extra vigilant and use advanced XDR (Endpoint Detection and Response) or MDR (Managed Detection and Response) tools for detecting and neutralizing threats before the attack materializes.”
5. Board-Level Involvement in Cybersecurity Matters Will Increase in 2024
In December 2023, the new Securities and Exchange Commission (SEC) rules on cybersecurity incident reporting went into effect. The rules require immediate (four days after the determination that the incident is material) reporting of incidents.
This information will help everyone better understand the cyber threat landscape, to the benefit of insureds and insurers. However, this will also raise public awareness of cyberattacks, sometimes to the detriment of companies’ reputations and stock prices.
We will enter a new era in 2024 with much deeper board-level involvement in cybersecurity than ever before. Once considered a subset of insurance concerns, risk management in the cyber sense now puts the onus on board members to understand and act on cyber risk mitigation. This will increase the top-down pressure from board members to executives and IT and security teams, leading to increased attention and budget for security.
6. Cyber Insurance Adoption Continues to Grow in 2024
According to global insurer Swiss RE, cyber insurance gross direct premiums reached $13 billion in 2022 and are estimated to reach $23 billion by 2025.
Question to ponder: Could negative events (challenging to predict when, how, or where) toss cold water on soft market pricing and increase market demand for more coverage from more parties?
The cyber insurance market, though new, is maturing. Instead of basic questionnaires, insurers now use technology-guided evaluations of IT infrastructure and vendor risk. In 2024, we expect more C-suite and board-level focus on cyber insurance as it moves from “an insurance product” to a critical component of cyber risk management and business risk management.
“Cyber insurance is no longer a mere formality, it’s a crucial financial planning tool,” said Nick Little, Head of Insurance at Measured. “In 2024, expect heightened C-suite and board focus as cyber insurance becomes integral to business risk management.”
7. Companies Will Leverage Partnerships with External Security Vendors to Tackle the Shortage of Cybersecurity Talent
The global cybersecurity worker shortfall isn’t getting any better. The global headcount shortage rose to 4 million in 2023, according to a report from ISC2 (How the Economy, Skills Gap and Artificial Intelligence are Challenging the Global Cybersecurity Workforce). Some sources say the shortfall won’t be met in 2024 either.
However, it’s not the worker shortage per se that’s the problem—it’s the skills gap that it represents. Many companies are reporting gaps in cybersecurity knowledge and skills at a time when cyber threats are becoming more sophisticated.
There is an upside to this shortfall—companies are addressing the skills gap by partnering with tech and managed service providers, accelerating the ramp-up time while freeing up IT staff to focus on the bigger picture rather than being in the weeds.
“The global cybersecurity workforce shortage, estimated at 4 million in 2023, remains challenging. Companies must adopt a strategic approach by augmenting security teams with AI-powered security tools to ensure cyber resilience,” highlighted David Whipple.
The Bottom Line
- The AI discussion will evolve to real-world benefits.
- A growing holistic view of cybersecurity is taking root.
- Cloud providers are recognizing the expanded attack surface and teaming up with cyber insurers.
- Faster cycles of intrusion and detection boost the need for automated detection.
- Increased board-level scrutiny of cybersecurity will have some positive effects.
- Cyber insurance continues to grow and is becoming more mature.
- Cybersecurity worker shortage continues, but partnering for skills succeeds.