The U.S. government is beefing up regulations and oversight in the fight against cyberattacks. The threats are top of mind for many Americans thanks to an onslaught of high-profile ransomware attacks like the one that hit Colonial Pipeline, sparking panic buying at gas stations up and down the East Coast.
The hope is a stricter regulatory landscape will help the government fight criminal enterprises, prevent catastrophic cyberattacks, and protect the public from growing threats. It will also affect those organizations seeking cyber liability insurance, even as the market for coverage hardens.
The Focus of Critical Regulation
Recent government regulatory action intended to mitigate cyberattacks has included:
Ransomware Reporting: Ransomware is the number one issue for clients and insurers. The number of ransomware attacks we know about is a small fraction of how many there actually are. Proposed legislation will require businesses to report attacks within 48 hours. Critical infrastructure operators will be required to report all cyber incidents within 72 hours.
SolarWinds Probe: The Securities and Exchange Commission is investigating hundreds of corporations impacted by the 2019 SolarWinds attack, requesting records on related data breaches or ransomware attacks. Those that did not disclose breaches or did not have proper controls in place could face penalties.
Transportation: The Transportation Security Administration is introducing regulations that will require high-level U.S. railroad and airport operators to upgrade cyber security defenses by naming a chief cyber official, reporting any hacks, and creating a recovery plan.
Privacy: Existing state-to-state cyber security laws are mostly built around privacy rights: if someone’s personally identifiable information was accessed via a cyberattack by someone who did not have the authority to do so, it is a liability issue for the company that was attacked.
One industry that will likely face cybersecurity regulations next:
Technology: The reliance of consumers and businesses on tech creates the potential for a large-scale disaster. If Google or Amazon were to experience a cyberattack, it could disrupt millions of businesses globally.
Federal enforcement of cybersecurity regulation will be difficult. All 50 states have different cyber security and privacy laws, with no overarching federal law dictating protocols. Given the government’s slow pace, federal legislation on the issue is unlikely to be approved anytime soon. States will likely pass their own laws before the feds act; you can expect New York and California to lead the pack.
Impact on Insurance
The cyber insurance market has hardened due to more frequent cyberattacks, the costs of which have significantly increased from just a few years ago. A more stringent regulatory environment could make this worse. Regulatory inquiries are costly to defend, and there is also the potential for fines and penalties. Regulations also expose businesses to third-party private right of action from the plaintiff’s bar.
Strict state laws like the California Protection Act set minimum statutory damages for what one could seek if their information were compromised. While it is helpful in protecting consumers, class action litigation is sure to rise and encourage more state regulation elsewhere. This drives up both the total and average loss costs that insurance carriers are dealing with when a cyber incident happens.
More regulation could, however, lead to better behavior. We could, for instance, start seeing companies more focused on cyber security education and investing in proper protection, which could reduce the number of cyber claims.
As we close out the year and enter a new one, the experts at Risk Strategies will continue to monitor moving goal posts and the latest in cyber security threats, regulations, and best practices.
The contents of this article are for general informational purposes only and Risk Strategies Company makes no representation or warranty of any kind, express or implied, regarding the accuracy or completeness of any information contained herein. Any recommendations contained herein are intended to provide insight based on currently available information for consideration and should be vetted against applicable legal and business needs before application to a specific client.