With hacking and other “cyber incidents” now growing by nearly 40% every year, governments around the world are taking an increasingly active role in defining new requirements for corporate information security. They are passing new legislation, adopting new regulations, and tightening up procurement contracts. Case in point: During the past three years in the U.S., more than 240 bills, amendments and other legislative proposals have been introduced in Congress seeking to regulate, allocate funding to, or otherwise address various aspects of cybersecurity.
CYBER RISK: Navigating the Rising Tide of Cybersecurity Regulation (PDF)
The diversity
and complexity of cybersecurity risks, and their evolving character, have
caused governments to respond in many different ways. They have been motivated
by a variety of policy concerns: protecting individuals’ sensitive personal,
health and financial information; safeguarding companies’ proprietary data and
competitiveness; and defending critical infrastructure and national security.
Some governments
are taking action directly to require the cybersecurity of various public and
private networks and systems.
Others are
encouraging the development of voluntary frameworks and best practices that
industries can choose to adopt. Some have adopted new requirements that are
fairly general, while some actions are both specific to the protection
objectives and prescriptive to the measures required. Some require information
security with respect to particular kinds of data, while others deal with cybersecurity
for all kinds of company data. Some of these requirements are being mandated by
specific government legislation, while others are being implemented by
regulatory agencies or as the result of agency or law enforcement actions, or
private lawsuits.
Government
efforts to defend against cyber threats are, in short, a patchwork. While there
is common appreciation of cyber risks, at least at a high level, there is
little coherence to these efforts, even within national borders, and even less coordination
internationally. Most troubling for businesses trying to find an operational
footing in this important area, these new requirements are often inconsistent
among different governments, between different agencies of the same government,
and from industry to industry. Sector-specific guidelines and standards are
proliferating in the transaction processing, financial services, health care
and other fields. One of the major unknowns for companies is whether they can embrace one
overall information security framework, or whether they will face a splintered
environment with an unmanageable number of different corporate, industry and
government requirements, standards and practices.
This whitepaper
surveys key legislative, regulatory and court-imposed cybersecurity
developments that will impact the private sector and governments. It provides
an overview of the efforts that governments are undertaking to expand
cybersecurity requirements through regulation and procurement actions. It also
reviews the development and utilization of the voluntary Framework for
Improving Critical Infrastructure Cybersecurity (the “NIST Framework”),
developed by the National Institute of Standards and Technology (“NIST”) unit
of the U.S. Department of Commerce, and other information-protection standards
where NIST has shown leadership.
Finally, this
paper highlights the importance of companies and governments taking a broad
risk-based, management-systems approach as they work to improve their
cybersecurity programs. It promotes leveraging a common cybersecurity
framework—such as the NIST Framework—to guide sector-specific voluntary actions
and inform nations and companies of useful strategies and methods that can
evolve as the threat landscape changes, and can support regulation or even enforcement
in critical areas. Indeed, the NIST Framework provides the opportunity to bring
some cohesion to the disparate cybersecurity efforts and requirements that have
been developing to date.
CYBER RISK: Navigating the Rising Tide of Cybersecurity Regulation (PDF)
CYBER RISK: Navigating the Rising Tide of Cybersecurity Regulation (PDF)
No comments:
Post a Comment