[Image: Risk diagram]

From cybersecurity breaches to compliance mishaps, 2017 proved a tough year for many of the biggest enterprises in the economy.

But organizations face an even more difficult situation in the months to come.

Cybersecurity laws are breaking new legal ground.

More unique types of personal data are being created, stored and increasingly regulated. And old risks are more prominent than ever.

For enterprise risk management programs, it's all hands on deck. Here's a look at the three biggest risks facing enterprises in 2018:

1. A new type of cyber regulation?

Sure, the New York State Department of Financial Services' (NYS DFS) new data security regulation only affects certain financial companies within the state of New York. But it represents a new type of proactive state cybersecurity law that may become more prominent in the months to come.

"Of the newer laws, I do think the DFS one in New York is probably the most interesting, and possibly the most impactful," said John F. Mullen, partner and co-founder of law firm Mullen Coughlin.

He explained that this was primarily due to the law's proscriptive nature, something that was previously unseen among local cyber regulations. "Because of that, the NYS DFS law opens up a whole new area of risk for companies to make sure they are affirmatively complying with it, not just complying after a possible event."

Though the regulation only went into effect for enterprises in August 2017, and more of its mandates are still coming online in periodic stages, New York financial institutions are optimistic they can meet its cybersecurity requirements.

"I don't think many have had a lot of trouble implementing multifactor authentication and other policies," said Monique Ferraro, cyber counsel at Hartford Steam Boiler, at ALM's December 2017 cyberSecure conference in New York.

Still, she noted there are some compliance issues that need to be addressed. "Encryption, however, is a little bit more difficult to interpret, but everyone has decided we're going to interpret it this way. And if it's good, it's fine, if it's not, it's not."

Whether and when the NYS DFS law spurs similar laws around the country remains to be seen. But following the Equifax Inc. breach, New York state has already proposed a new proscriptive cybersecurity law covering all companies within the state that handle "sensitive data."

2. The ever-present pitfall: vendor risk

The need for third-party risk management is nothing new. But going into 2018, it's still a difficult challenge for many enterprises; just ask Verizon. In late 2017, the company had the personal information of 6 million of its customers exposed due to a breach at one of its vendors.

But for some, including several legal experts speaking at ALM's cyberSecure conference in December 2017, vendor risk may be an unavoidable reality. As an example of how hard it is to completely mitigate this risk, Noga Rosenthal, chief privacy officer at Epsilon, noted the 2013 breach at Target, which was caused when one of the company's HVAC vendors was compromised by cyberattackers.

"What I struggled with was that the vendor that allowed the attackers in was the HVAC vendor," she said. "How do we stop that? Would I have [classified] that HVAC vendor as a high-risk vendor that is touching my data?"

At the same session, Buck de Wolf, vice president, chief intellectual property counsel and general counsel at GE Global Research, added that if a vendor is a critical supply chain partner in a company's operations, vendor risk can sometimes be the inevitable cost of doing business.

"What if the vendor makes a critical component for what you're selling?" he asked. "Do you stop selling that product because the vendor says we cannot comply with your contractual security requirements?"

But while vendor risk may be unavoidable, Nicole Eagan, CEO at Darktrace, who also spoke at the session, noted that there are ways to better manage it than just surveying third parties.

"If you're just filling out a vendor survey once a year, it's not enough; threats change hourly, they change daily," she said. "The person answering that survey likely doesn't know the answer, and they are doing the best to answer. But they lack visibility into what their own threats are."

Instead, Eagan advised companies to deploy artificial intelligence-based cybersecurity technology that can monitor vendors' networks, "because then you can see the inside of their network and detect what is going on."

3. The growth of biometric data privacy laws

Enacted in 2008, Illinois's Biometric Information Privacy Act (BIPA) was the first law in the nation to regulate how companies handle biometric data. But given the current legal climate, it may be far from the last.

While there have been efforts to weaken what some see as the BIPA's broad scope, it is becoming increasingly clear that the Illinois law was the first in what may be numerous state statutes across the United States.

Though not as expansive as the BIPA, Texas and Washington state have come out with their own biometric data regulations, for example. And there are more states moving to regulate biometrics on the horizon.

Hanley Chew, of counsel at Fenwick & West, wrote in Legaltech News that currently, "several state Legislatures are considering legislation that would regulate [biometric data] collection, use and retention," including Alaska, Connecticut, Montana and New Hampshire.

But states may not be the only ones looking to regulate this space. Given the potential security issues with biometric data, federal agencies have also started to issue guidance on how biometric data should be used by corporations.

Both the Federal Trade Commission (FTC) and the Department of Commerce's National Telecommunications and Information Administration (NTIA), for example, have come out with best practice recommendations for facial recognition technologies.

Rhys Dipshan is a New York-based legal tech reporter covering everything from in-house technology disruption to privacy trends, blockchain, AI, cybersecurity, and ghosts-in-the-machine. Contact him at [email protected].
