Potential Cybersecurity Strategies Taking Shape, Including Disclosure Rules

Last month, we detailed the emerging threats posed by cyberattacks to companies and the public at large. We also discussed the absence of obvious solutions to improve defenses against hackers. We’re starting to see some strategies for possible solutions now come together.

The White House is taking advantage of its bully pulpit. Even before the Securities and Exchange Commission announced its noteworthy settlement with First American Financial Corporation over lax cybersecurity in June, the Biden administration was promoting the need for businesses to beef up their defenses. The National Security Council’s cybersecurity adviser, Anne Neuberger, wrote corporate leaders last month to express the urgency of the potential threats. “Business leaders have a responsibility to strengthen their cyber defenses to protect the American public and our economy,” White House press secretary Jen Psaki said at the time.

While the White House offered suggestions on best practices, the guidance lacked any mention of consequences for cybersecurity deficiencies.

Meantime, in light of increased ransomware attacks on companies, insurance carriers are raising cyber insurance premiums and reducing payout amounts. They’re also tightening their underwriting standards – which often requires companies to boost their cyber protections. Facing extra scrutiny, companies often are waiting longer to obtain coverage.

The administration has been more explicit when it comes to one of the biggest vulnerabilities exposed in recent hacking events: infrastructure. The need to protect it became clear earlier this year when a ransomware attack forced the Colonial Pipeline to shut down its network for days. The incident left many gas pumps on the East Coast dry for an extended period.

Prompted by the Colonial Pipeline shutdown, the Department of Homeland Security laid out new cybersecurity requirements last week for pipeline operators. They include implementing a cybersecurity contingency and recovery plan and reviewing the operators’ cybersecurity architecture design.

Some experts are proposing disclosure as a prophylactic against hacking. As Maine Sen. Angus King pointed out in a CNN interview, there was a multiple-day gap between when the Colonial Pipeline was hacked and when the company notified the government. That kind of lag limits what authorities can ultimately do to remedy the situation, such as freezing transactions involving digital tokens, hackers’ currency of choice. For companies wary of the bad PR that follows a data breach, paying the ransom often seems more appealing. More disclosure would help increase awareness and understanding of cyber-criminals’ tactics, but it would also demand more alignment between the byzantine rules governing disclosure at different levels of government. From companies’ and insurers’ perspective, though, increasing disclosure might not necessarily provide a better understanding of how to assess risk and anticipate costs associated with these issues.

The SEC may soon bring clarity to the situation as it evaluates creating rules for cybersecurity disclosures under the umbrella of environmental, social and governance issues. The agency is currently working on new ESG reporting rules at the behest of the Biden administration. Even with the enormity of that project and the contentious debates over what should go into the ESG rules, regulators may soon find cybersecurity measures moving up the list of priorities.
