No, There Won’t Be New Rules On Cybersecurity – Until Someone Dies

GRC | 2 Min Read |21 June 17|by BLOG ADMIN

Recently, I did an interview with Bloomberg Newsweek on the WannaCry ransomware attack that affected over 200,000 computers around the world.  The attack shut down parts of the U.K. National Health Service, leaving thousands of people without access to healthcare services, and resulted in Renault’s assembly lines being shut down in France, among other things.  Newsweek picked up on my most sensational comment in the interview, which was, “People have to die or lose lots of money before government steps in to regulate.”

And that’s true – and has been true for over 100 years.  In the late 1800s, when railroad accidents were taking lives, the government finally interceded with safety rules.  When food poisoning became common with bad meat and processed foods in the early 1900s, the government stepped in.  With the Great Depression in the 1930s, government interceded with new rules on financial reporting. Loss of life and money are the primary rationale for new regulatory regimes, and over time those regimes grow and flourish.

Whenever a major cyberattack happens, one of the most common questions I’m asked by reporters is whether the government will institute new regulations.  In the U.S. and in most other democracies, the answer appears to be “no.”  Certainly after 9-11 there were a few new rules on cybersecurity, but these were fairly innocuous.  There simply is not a legislative basis for any major new rules, and until there is a major loss of life or voters lose a big chunk of their life’s savings, Congress does not have an impetus to act.  So for now, government has settled on minor tweaks allowed under older legislation to address cybersecurity concerns, such as the SEC’s requirement that publicly listed entities must report cybersecurity incidents, and on initiatives to encourage voluntary improvements in cybersecurity, such as the NIST Cybersecurity Framework and similar national cybersecurity strategies around the world.

But let’s not get complacent.  Public awareness of cybersecurity is high, and it is a public policy issue, even if that issue has not yet been translated into new laws and rules.  And it may turn out that people are dying due to bad cybersecurity practices.  Even before WannaCry, ransomware attacks on hospitals impeded healthcare delivery.  Who knows whether the inability to get access for an MRI, or allergy shots or other services has increased the death rate for the populations served by healthcare systems, at least on a small statistical scale?

Besides, these days the public has an alternative to new rules for forcing companies and government service agencies to change their behavior, and that is social media.  Take a look at the recent incident on United Airlines where a passenger was dragged off a plane by airport security.  United and other airlines have already reviewed their policies on passenger rights and remediated them through policy updates and training.  No new regulations were required to deal with that public policy issue.  Notably though, public policy issues never go away, and with the increasingly frustrating passenger travel experience, we can expect more social storms.

All of our organizations face the prospect of social storms, and managing the risks from these storms is important to prevent lost business and damage to brand and reputation.  And preventing storms by taking proactive steps on public policy issues – such as cybersecurity – is a new imperative for chief risk and compliance officers.
