The cybersecurity landscape is “worsening,” and 2016 “will be a tougher year” in terms of fighting breaches, Matthew Chung, Morgan Stanley’s chief information officer of technology and risk information, said Tuesday.

Speaking on a panel at the Securities Industry and Financial Markets Association’s annual conference in Washington, Chung said that the “complexity” along with the cost of keeping up with cybersecurity is an ongoing challenge.

Financial services, energy and health care and the defense sectors are “top targets” for cybersecurity criminals, Chung noted.

He cited three worrisome “emerging threats” that “will start to cause an impression in 2016.”

First, an “increase” in ransomware, which infects a system and causes a firm to lose access to its data unless the users pay a ransom, often in bitcoin. He noted that the group DD4BC — which stands for Distributed Denial of Service for Bitcoin — has been targeting financial services firms since mid-2014 with threats of locking up systems unless they are paid a bitcoin ransom.

The second threat is from “malicious insiders,” Chung said, which is someone within a firm with “valid credentials” that’s looking to do harm.

The third threat: destructive malware, which Chung said is more prevalent in the energy sector than in financial services. “This is a risk that will become more interesting over the next year,” Chung said.

Shawn Henry, president and chief security officer for CrowdStrike Services, noted on the cybersecurity panel that more nation-states and terrorist groups pose cyber risks. Also, “more asymmetric threats” from Iran and North Korea are likely, as these countries “have an interest in making a name for themselves” in the cyber breach space.

As to whether firms should purchase cyber insurance, Chung said he’s a “big fan” of the insurance as it will help firms with “some of the economies” of dealing with a cyber breach. However, a downside to cyber insurance is that it only helps firms cover the cost of “managing” the cyber incident, and doesn’t protect against loss of data.

— Check out: