Thursday, May 19, 2016

CYBER RISK: Navigating the Rising Tide of Cybersecurity Regulation (PDF)



With hacking and other “cyber incidents” now growing by nearly 40% every year, governments around the world are taking an increasingly active role in defining new requirements for corporate information security. They are passing new legislation, adopting new regulations, and tightening up procurement contracts. Case in point: During the past three years in the U.S., more than 240 bills, amendments and other legislative proposals have been introduced in Congress seeking to regulate, allocate funding to, or otherwise address various aspects of cybersecurity.

Governments also are working with the private sector on new voluntary standards and best practices designed to achieve stronger cybersecurity protections and to safeguard confidential information from loss and theft.

The diversity and complexity of cybersecurity risks, and their evolving character, have caused governments to respond in many different ways. They have been motivated by a variety of policy concerns: protecting individuals’ sensitive personal, health and financial information; safeguarding companies’ proprietary data and competitiveness; and defending critical infrastructure and national security.

Some governments are acting directly, mandating cybersecurity measures for various public and private networks and systems.

Others are encouraging the development of voluntary frameworks and best practices that industries can choose to adopt. Some have adopted new requirements that are fairly general, while other actions are both specific as to the protection objectives and prescriptive as to the measures required. Some require information security with respect to particular kinds of data, while others deal with cybersecurity for all kinds of company data. Some of these requirements are being mandated by specific government legislation, while others are being implemented by regulatory agencies or as the result of agency or law enforcement actions, or private lawsuits.

Government efforts to defend against cyber threats are, in short, a patchwork. While there is common appreciation of cyber risks, at least at a high level, there is little coherence to these efforts, even within national borders, and even less coordination internationally. Most troubling for businesses trying to find an operational footing in this important area, these new requirements are often inconsistent among different governments, between different agencies of the same government, and from industry to industry. Sector-specific guidelines and standards are proliferating in the transaction processing, financial services, health care and other fields. One of the major unknowns for companies is whether they can embrace one overall information security framework, or whether they will face a splintered environment with an unmanageable number of different corporate, industry and government requirements, standards and practices.

This whitepaper surveys key legislative, regulatory and court-imposed cybersecurity developments that will impact the private sector and governments. It provides an overview of the efforts that governments are undertaking to expand cybersecurity requirements through regulation and procurement actions. It also reviews the development and utilization of the voluntary Framework for Improving Critical Infrastructure Cybersecurity (the “NIST Framework”), developed by the National Institute of Standards and Technology (“NIST”) unit of the U.S. Department of Commerce, and other information-protection standards where NIST has shown leadership.

Finally, this paper highlights the importance of companies and governments taking a broad risk-based, management-systems approach as they work to improve their cybersecurity programs. It promotes leveraging a common cybersecurity framework—such as the NIST Framework—to guide sector-specific voluntary actions and inform nations and companies of useful strategies and methods that can evolve as the threat landscape changes, and can support regulation or even enforcement in critical areas. Indeed, the NIST Framework provides the opportunity to bring some cohesion to the disparate cybersecurity efforts and requirements that have been developing to date.
