DATA PROTECTION
PREDICTIONS FOR 2026
Federal Incident Reporting Will Tighten
CISA’s CIRCIA final rule is now slated to take effect in May 2026, which will lock in 72-hour incident and 24-hour ransomware-payment reporting for covered critical-infrastructure entities.

New Assessment Rules Will Take Effect
With NYDFS Part 500 amendments finished phasing in, 2026 will be the first full exam cycle under the stricter controls. Defense contracting will also have expanded assessment obligations when DOD’s CMMC program enters Phase 2 on November 10, 2026.

AI-Powered Deepfakes Will Enter Routine Supplier and Investor Scams
Short, low-resolution video clips in Teams, Zoom, and WhatsApp will be used to approve wire changes or grant admin access. Plus, voice-clone business email compromises and phone fraud will go mainstream. Expect executive, counsel, finance, and help-desk impersonation using cloned voices plus spoofed caller ID.

2025 IN REVIEW

Cybercriminals Used New Ransomware Tactics
The transportation and logistics sectors became victims of a new cybercrime threat actor in 2025. The “Coinbase Cartel” stole data and threatened public release to force payment, a major evolution in ransomware that exposes businesses to reputational and legal risk without even shutting down their systems. The transportation and logistics businesses became a major mark for these groups because they handle high-value operational and shipment data, often shared through complex supply chains of brokers, carriers, and IT vendors.

Missouri Adopted New Data Breach Notice Law for Insurers
Missouri enacted “The Insurance Data Security Act” in July, joining the growing state momentum behind stricter cyber security regulations for insurance firms. The law, which goes into effect January 1, 2026, sets new standards for insurers and licensed entities regarding data security, breach investigations, and notification protocols.

SEC Cybersecurity Compliance Deadlines
The SEC’s amended Regulation S-P required broker-dealers, investment companies, registered investment advisors, and transfer agents to enhance their data privacy protections. The update requires covered institutions to establish written policies and procedures to detect, respond to, and recover from unauthorized access to customer information. Large firms had to comply with the rule by December 3, 2025.
Daniel Pepper, CIPP/US Denver Partner, Chair