Dechert Cyber Bits - Key Developments in Privacy & Cybersecurity - 2024 Crystal Ball Edition

Dechert LLP

What's in store for Privacy and Cybersecurity in 2024?

As we begin the new year, we offer this special edition with predictions for 2024 from members of the Cyber Bits Partner Committee. Regardless of what happens in 2024, we renew our commitment to keep you informed of the latest developments (and our practical takeaways) to help you navigate this complex environment.

As always, thanks for reading Cyber Bits. We wish you a happy, healthy new year and great things for 2024.

- Dechert’s Global Privacy & Cybersecurity Team

Brenda Sharton
Chair, Privacy & Cybersecurity | Boston

brenda.sharton@dechert.com

Generative AI and machine learning undoubtedly will dominate the discussion in 2024, as the technology becomes smarter (doubling in intelligence roughly every two months). Expect to see regulators and companies sprint to try to keep up with its progress, all while adapting internal governance programs for its proper use. In addition, cyberattacks have been on the rise since I started handling them in the late 1990s, and they show no sign of slowing down this year. The use of AI in cyberattacks with uber sophisticated social engineering and phishing scams will continue to increase. AI-enabled deep fakes—designed to trick both people and products designed to detect malware—will create additional challenges. We’ve seen other countries try to tackle the governance of generative AI with laws like the EU AI Act, China’s August 2023 regulation and, more recently, the White House Executive Order, all in the name of trying to gain some control over this technology. We’ll see that trend only increase in 2024, along with the promised enforcement activity. Lastly, I’ll leave you with a not so comforting thought—could 2024 be the year that we see threat actors take down critical infrastructure (financial systems or otherwise)? I sure hope not, but like the old adage, we’re helping clients hope for the best while preparing for the worst.

Timothy Blank
Boston
timothy.blank@dechert.com

Privacy and cybersecurity risk will become an increasingly important component of mergers and acquisitions deal valuations, as U.S. and EU regulations mature, and regulators become increasingly aggressive with enforcement.

The SEC’s new rules regarding cybersecurity risk disclosure will attract the interest of plaintiffs’ firms around the country, and when a cybersecurity incident occurs at a public company, the plaintiffs' securities lawyers will be quick to file claims based on inadequate or misleading disclosures.

Kevin Cahill
Los Angeles
kevin.cahill@dechert.com

We expect the Securities and Exchange Commission to finally adopt long-awaited new rules for registered funds and investment advisers regarding cybersecurity risk management, cyber incident reporting and cyber risk disclosure. We also expect the SEC to adopt amendments to Regulation S-P, which governs the protection of customer records and information by broker-dealers and registered funds and investment advisers. Collectively, these rule changes will represent the most significant update to federal privacy law as applied to the asset management industry in more than 20 years.

Dr. Olaf Fasshauer
Munich
olaf.fasshauer@dechert.com

In 2024, several new EU laws will impact companies operating in the European Union, including the Digital Operational Resilience Act (DORA), the Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive), the Cyber Resilience Act (CRA), and the AI Act.

In particular, the new cybersecurity provisions make significant changes to the EU security landscape. The NIS2 Directive, which came into force in 2023, updates the EU's cybersecurity rules to keep pace with increased digitization and evolving cybersecurity threats. It expands the scope of cybersecurity rules to new sectors and entities, improving the resilience and incident response capacities of public and private entities. The CRA aims to ensure safer hardware and software by introducing mandatory cybersecurity requirements for manufacturers and retailers of products or software with a digital component.

And of course, attention should be paid to the EU's AI Act, the world's first comprehensive AI law, as the process of finalizing the Act's provisions continues.

Vernon Francis
Philadelphia
vernon.francis@dechert.com

In the U.S., political divisions among members of Congress and differing opinions among government actors on how best to approach data protection regulation continue to make it highly unlikely that the federal government will enact comprehensive privacy legislation in 2024. Regulatory responses to consumer privacy and cybersecurity issues will remain the work primarily of federal administrative agencies and state governments. Local governments may also show interest in regulating or policing the use of technologies that capture the attention of their constituents, like facial recognition or other biometric scanning technologies.

Paul Kavanagh
London
paul.kavanagh@dechert.com

2024 will see a UK General Election and a likely change of government. The probable winners of that election, the Labour Party, are likely to take a more EU-aligned approach to Privacy and probably also in relation to AI. It is hard to be certain because of the Delphic way in which Labour disclose policy commitments.

In the EU, the attempts to come to terms with AI will continue apace with the EU making individual’s rights over those of AI.

Laura Rossi
Luxembourg
laura.rossi@dechert.com

Over the past twelve months, artificial intelligence (AI) has developed in a very impressive way and it is now an important (if not essential) element of our day-to-day life. And this is in my view only the beginning. With AI increasingly being used to process personal data, issues around data privacy and security are likely to become even more important. Therefore, the AI Act is a great opportunity for Europe which, if it uses it wisely, can become a central and trustworthy center for AI.

Benjamin Sadun
Los Angeles
benjamin.sadun@dechert.com

Calendar year 2023 will be remembered as the year of AI. Next year, the public will once again obsess over AI, but the excitement and anticipation will turn to fear and dread. In turn, governments will increasingly crack down on AI and designate it a national security risk. Thirty-six years ago (approximately three weeks before I was born at a Pasadena, California hospital), California’s former governor, then-President Ronald Reagan, told the UN General Assembly: “Perhaps we need some outside universal threat to make us recognize this common bond. I occasionally think how quickly our differences worldwide would vanish if we were facing an alien threat from outside this world.” America has never been more divided. Good or bad, I predict AI to be the perceived outside threat that brings at least our politicians together.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising
