It's more than likely your company has experienced a cyber breach. Indeed, 79% of companies have been subject to a cyber incident in the past year, according to a PwC report. And the threats are on the rise: hacking and other “cyber incidents” are growing at an estimated rate of nearly 40% each year. Amid this escalation, it's no surprise that government regulation is also on the increase. Case in point: in the United States alone, over 240 bills, amendments and other legislative proposals have been introduced in Congress since 2013, seeking to regulate, allocate funding to, or otherwise address various aspects of cybersecurity. The new requirements have far-reaching implications across sectors and for companies of all sizes—and it's something that every organization has to unlock for itself.
This topic is the focus of a new whitepaper – Cyber Risk: Navigating the Rising Tide of Cybersecurity Regulation– recently released by the Center for Responsible Enterprise And Trade (CREATe.org). As well as providing insights into the evolution of cybersecurity regulation, the paper also looks at voluntary cybersecurity frameworks and standards that companies are utilizing to better protect confidential information.
Flurry of cybersecurity regulation
The diversity and complexity of cybersecurity risks have caused governments to respond in different ways. Measures are motivated by a variety of policy concerns: protecting individuals' sensitive personal, health and financial information; safeguarding companies' proprietary data and competitiveness; and defending critical infrastructure and national security.
As a result, government efforts are also a patchwork. Some governments are directly requiring the cybersecurity of public and private networks and systems. Others are encouraging the development and adherence to voluntary frameworks and industry best practices. Some are being mandated by government legislation and others are being implemented by regulatory agencies or as the result of agency of law enforcement actions, or private lawsuits.
Tightened government contracting requirements
As governments seek to improve their own cybersecurity, they increasingly are insisting that contractors and suppliers that wish to do business with the government closely manage cybersecurity risks at their own firms and with their subcontractors and suppliers.
The United States has been particularly active in the adoption of legislation requiring government contractors to undertake cybersecurity compliance measures. Currently, the Federal Acquisition Regulations (FARs) require all government agencies to comply with the Federal Information Security Management Act (FISMA) in their acquisition planning; FARS further dictates that agencies include appropriate security policies and requirements in their acquisitions, namely those acquisitions relevant to information technology. Comparable federal acquisition requirements are either currently in place or up for consideration in the EU, UK, Australia, and Japan.
Growing use of cybersecurity frameworks & standards
With cybersecurity regulation on the rise, how can a company prepare? To help companies seeking to address these new requirements, governments and the private sector are working together to develop security frameworks and guidance designed to protect confidential information more effectively from cyber risks. The most thorough and broad-based cybersecurity approach appears to be the “NIST Cybersecurity Framework” (the NIST Framework) which was developed by the U.S. Department of Commerce's National Institute for Standards and Technology (NIST) to help U.S. government agencies protect critical infrastructure. It takes a risk-based, management-systems approach to assessing and implementing needed protections.
The private sector has generally been supportive of making cybersecurity requirements more consistent among the different government agencies' contract requirements. Use of a risk management program, such as the NIST Framework, provides the opportunity to bring some uniformity and cost-effectiveness to the varying cybersecurity efforts and requirements that have been developing to date. Such an approach can also help organizations assess, manage, and respond to their particular cyber risks more effectively, both internally and down the supply chain.
The bottom line for companies, particularly those selling to the U.S. government or critical infrastructure industries: given the influx of new regulations in the cybersecurity space, the use of leading practices such as the NIST Framework may become virtually, or actually, mandatory. Thus, by taking steps now to implement leading practices will position organizations to proactively meet these ever-evolving procurement requirements.