Potential Cybersecurity Strategies Taking Shape, Including Disclosure Rules

Last month, we detailed the emerging threats posed by cyberattacks to companies and the public at large. We also discussed the absence of obvious solutions to improve defenses against hackers. We’re starting to see some strategies for possible solutions now come together.

The White House is taking advantage of its bully pulpit. Even before the Securities and Exchange Commission announced its noteworthy settlement with First American Financial Corporation over lax cybersecurity in June, the Biden administration was promoting the need for businesses to beef up their defenses. The National Security Council’s cybersecurity adviser, Anne Neuberger, wrote corporate leaders last month to express the urgency of the potential threats. “Business leaders have a responsibility to strengthen their cyber defenses to protect the American public and our economy,” White House press secretary Jen Psaki said at the time.

While the White House offered suggestions on best practices, the guidance lacked any mention of consequences for cybersecurity deficiencies.

Meantime, in light of increased ransomware attacks on companies, insurance carriers are raising cyber insurance premiums and reducing payout amounts. They’re also tightening their underwriting standards – which often requires companies to boost their cyber protections. Facing extra scrutiny, companies often are waiting longer to obtain coverage.

The administration has been more explicit when it comes to one of the biggest vulnerabilities exposed in recent hacking events: infrastructure. The need to protect it became clear earlier this year when a ransomware attack forced the Colonial Pipeline to shut down its network for days. The incident left many gas pumps on the East Coast dry for an extended period.

Prompted by the Colonial Pipeline shutdown, the Department of Homeland Security laid out new cybersecurity requirements last week for pipeline operators. They include implementing a cybersecurity contingency and recovery plan and reviewing the operators’ cybersecurity architecture design.

Some experts are proposing disclosure as a prophylactic against hacking. As Maine Sen. Angus King pointed out in a CNN interview, there was a multiple-day gap between when the Colonial Pipeline was hacked and when the company notified the government. That kind of lag limits what authorities can ultimately do to remedy the situation, such as freezing transactions involving digital tokens, hackers’ currency of choice. For companies wary of the bad PR that follows a data breach, paying the ransom often seems more appealing. More disclosure would help increase awareness and understanding of cyber-criminals’ tactics, but it would also demand more alignment between the byzantine rules governing disclosure at different levels of government. From companies’ and insurers’ perspective, though, increasing disclosure might not necessarily provide a better understanding of how to assess risk and anticipate costs associated with these issues.

The SEC may soon bring clarity to the situation as it evaluates creating rules for cybersecurity disclosures under the umbrella of environmental, social and governance issues. The agency is currently working on new ESG reporting rules at the behest of the Biden administration. Even with the enormity of that project and the contentious debates over what should go into the ESG rules, regulators may soon find cybersecurity measures moving up the list of priorities.
