Risk-based Approach Essential to Taming Wave of Cybersecurity Regulation

Pamela S. Passman is the president and CEO of the Center for Responsible Enterprise and Trade (CREATe), which recently published Cyber Risk: Navigating the Rising Tide of Cybersecurity Regulation.

The increase in volume and intensity of cyberattacks, including recent ransomware attacks against healthcare organizations, catapulted government officials and business leaders into action. Governments worldwide are rushing to put policies and regulation in place to address the evolving threat landscape for public and private institutions.

The result is a growing patchwork of disparate policies and regulations that results in an increased regulatory burden for any company or agency trying to comply with the scores of proposals guidance and regulations under consideration. . However, guidance from the U.S. Department of Commerce’s National Institute for Standards and Technology (NIST)—the Cybersecurity Framework—provides the opportunity to bring some cohesion for organizations operating domestically and globally.

Flurry of Proposals

In just the past three years, more than 240 bills, amendments and other legislative proposals have been introduced in the U.S. Congress as a way to regulate cybersecurity in some form or another.

Even if a fraction of those regulations make it into law, the increased regulation could spell chaos for many companies and agencies with already constrained IT and security budgets.

In the European Union, companies and organizations face similar challenges. They are reckoning how to comply with the new EU Network and Information Security (NIS) Directive, which went into effect in April 2016. Under this directive, each national government must adopt a national network and information security strategy, appoint responsible agencies, develop a plan to identify possible risks, and identify measures for preparedness, response and recovery, including cooperation between the public and private sectors. In Germany and Japan, firms and agencies are assessing the requirements of Germany’s IT Security Act of July 2015, and the Japanese government’s Cybersecurity Strategy adopted in September 2015. Other countries, including China, are evaluating their current cybersecurity laws in light of the increased threats.

Laws requiring government departments to improve management of their own cybersecurity are also appearing around the world, with obvious implications for government contractors. In the United States, every government agency is required to implement information security protections based on their risks under the Federal Information Security Management Act (FISMA) originally released in 2002 and updated in 2014. The EU’s NIS Directive also places new obligations on European governments to put their houses in order. In Australia, where cybersecurity is still largely governed by recommended guidelines and industry frameworks, federal government agencies are required to comply with two security frameworks for protecting information and other assets. These are just a few of the many other national and state governments tightening up cybersecurity programs.

Companies are also facing new mandates on other fronts. Trade secret protection is one such area, as indicated by the recently passed Trade Secret Directive in the European Union; and the Defend Trade Secrets Act in the United States. The implementation of both legal schemes will no doubt look to cybersecurity requirements as part of the steps companies must take to demonstrate that it has protected its trade secrets. Also on the rise are securities laws and tightened government contracting requirements.

The Cost of Compliance

The motivations behind many of the policies and regulations are different: some are to protect individuals’ sensitive personal, health and financial information; while others are to focus on safeguarding companies’ proprietary data and competitiveness; and still others seek to defend critical infrastructure and national security. When organizations have multiple priorities, the ensuing policies fuel rather than stem the confusion.

In many companies, security is dictated by responding to regulatory requirements rather than implementing an enterprise-wide, risk-based approach encompassing security strategy. In many U.S. healthcare IT departments, for example, significant resources are focused on HIPPA compliance at the expense of other important security gaps that need to be addressed.

The price for noncompliance is great. Companies are being fined for noncompliance to regulations by government agencies and sued by shareholders in an environment where the standards are evolving. For example, after hackers stole personal and credit card information of approximately 56 million Home Depot customers, a shareholder derivative suit in September 2015 followed more than forty four other civil suits by consumers and financial institutions. The suits allege the company breached its fiduciary duties of loyalty, good faith, and due care by failing to take reasonable measures to protect customer information.

A better approach

Governments and the private sector are working together to develop security frameworks and guidance to help organizations protect confidential information more effectively. The most thorough and broad-based cybersecurity approach is the U.S. National Institute for Standards and Technology’s Cybersecurity Framework. It breaks down security concerns into functions, categories, and subcategories, and provides a way for organizations to identify and meet security outcomes. Crucially, it doesn’t mandate a specific risk management process or specify any priority of action, instead leaving it up to organizations based upon individual risk profiles.

With the rising tide of cyber regulation, there is an opportunity to cooperate and consolidate efforts across countries to help companies and government agencies proactively prepare. The emergence of voluntary guidance, such as the Cybersecurity Framework, offers an approach that helps companies and governments integrate cybersecurity into an organization’s overall risk management and compliance program, and as a result, ensure that people, process and technology issues are assessed and managed effectively.