Much of the White House’s recently unveiled national strategy on cybersecurity is aimed at changing the behavior of U.S. companies through increased regulation, as well as incentives, including tax benefits.
The Biden administration’s new 35-page report, released last week, warns that some U.S. companies are not doing enough to respond to escalating cyber threats and promises action.
“The report is very clear that the administration believes that more regulations are needed in some places,” Norma Krayem, vice president and chair of the cybersecurity, privacy & digital innovation practice group at Van Scoyoc Associates, a Washington, D.C.-based government relations firm, said in an interview.
Sectors that are already heavily regulated when it comes to cybersecurity include banking and financial services. Cloud computing is an area that could require the administration to seek new regulatory powers from Congress, according to the report.
“None of the big changes, such as increased regulation, will happen very quickly,” Michael Daniel, CEO of the nonprofit Cyber Threat Alliance, also based in Washington, told CFO Dive. “It’s all going to take years to come into fruition.”
The strategy represents an effort to reshape U.S. policy and priorities around cybersecurity, marking a significant shift in tone and focus from prior administrations’ efforts on the issue, according to an alert issued by law firm Hogan Lovells.
“Although the Strategy does not directly create new legal obligations for private sector entities, it does provide a clear signal regarding the direction the Administration intends to take in shaping legal obligations in the coming years,” the alert said. “Private sector entities are well-advised to get ahead of potential new and enhanced cybersecurity efforts and regulations by considering implications for their own information security programs.”
The plan calls for expanding minimum cybersecurity requirements in “critical sectors.” Federal agencies will leverage authorities under existing laws as well as try to work with Congress to fill any statutory gaps, the report said.
Other steps outlined in the report include:
- harmonizing conflicting and duplicative regulations to reduce the burden of compliance
- ensuring that cyber investments by companies are incentivized through tax structures and other mechanisms
- working with Congress to shift liability for software products and services from end users to vendors
- using federal purchasing power and grant-making to incentivize cybersecurity
- assessing the need for a federal backstop to support the cyber insurance market in the event of a catastrophic cyber incident.
A much more aggressive U.S. cybersecurity posture is needed due to emerging trends such as increased interconnectivity, which is collapsing the boundary between the digital and physical worlds and exposing some of the most sensitive U.S. systems to potential disruption, according to the White House. In addition, the cyber operations of overseas criminal syndicates now represent a threat to the national security, public safety, and economic prosperity of the U.S. and its allies, the report said.
“Ransomware incidents have disrupted critical services and businesses across the country and around the world, from energy pipelines and food companies, to schools and hospitals,” it said.
The administration has sought to strengthen cybersecurity in both the public and private sectors, instituting a “zero trust” approach in the federal government and partnering with private electric, natural gas and water companies to improve threat detection.
Meanwhile, the Securities and Exchange Commission is expected to finalize a new cybersecurity rule for public companies by as soon as next month.
The SEC rule is expected to require public companies to disclose information about the board of directors' oversight of cybersecurity risk, among other details. They will be required to report material cybersecurity incidents within four business days.
After the war in Ukraine began last year, many CFOs across industries scrambled to make sure they had adequate defenses in place to address potential for increased threats from cyber attacks.
Editor’s note: CFO Dive’s Jim Tyson contributed to this story.