No, There Won’t Be New Rules On Cybersecurity – Until Someone Dies


Recently, I did an interview with Bloomberg Newsweek on the WannaCry ransomware attack that affected over 200,000 computers around the world.  The attack shut down parts of the U.K. National Health Service, leaving thousands of people without access to healthcare services, and among other things halted Renault's assembly lines in France.  Newsweek picked up on my most sensational comment in the interview, which was, "People have to die or lose lots of money before government steps in to regulate."

And that's true, and has been true for over 100 years.  In the late 1800s, when railroad accidents were taking lives, the government finally interceded with safety rules.  When food poisoning from bad meat and processed foods became common in the early 1900s, the government stepped in.  With the Great Depression in the 1930s, government interceded with new rules on financial reporting.  Loss of life and loss of money are the primary rationale for new regulatory regimes, and over time those regimes grow and flourish.

Whenever a major cyberattack happens, one of the most common questions I'm asked by reporters is whether the government will institute new regulations.  In the U.S. and in most other democracies, the answer appears to be "no."  Certainly after 9/11 there were a few new rules on cybersecurity, but these were fairly innocuous.  There simply is not a legislative basis for any major new rules, and until there is a major loss of life or voters lose a big chunk of their life's savings, Congress has no impetus to act.  So for now, government has settled on minor tweaks allowed under older legislation to address cybersecurity concerns, such as the SEC's disclosure guidance that publicly listed companies report material cybersecurity incidents, and on initiatives that encourage voluntary improvements in cybersecurity, such as the NIST Cybersecurity Framework and similar national cybersecurity strategies around the world.

But let's not get complacent.  Public awareness of cybersecurity is high, and it is a public policy issue, even if that issue has not yet been translated into new laws and rules.  And it may turn out that people are already dying due to bad cybersecurity practices.  Even before WannaCry, ransomware attacks on hospitals impeded healthcare delivery.  Who knows whether the inability to get an MRI, allergy shots or other services has increased the death rate for the populations those healthcare systems serve, at least on a small statistical scale?

Besides, these days the public has an alternative to new rules for forcing companies and government service agencies to change their behavior, and that is social media.  Take a look at the recent United Airlines incident in which a passenger was dragged off a plane by airport security.  United and other airlines have already reviewed their policies on passenger rights and remediated through policy updates and training.  No new regulations were required to deal with that public policy issue.  Notably, though, public policy issues never go away, and with the increasingly frustrating passenger travel experience, we can expect more social storms.

All of our organizations face the prospect of social storms, and managing the risks from these storms matters because they cost business and damage brand and reputation.  Preventing storms by taking proactive steps on public policy issues, cybersecurity among them, is a new imperative for chief risk and compliance officers.
