2017 to be critical year for cyber preparedness regulations

Cybersecurity initiatives from OMB, the SEC and other federal agencies are coming to bear this year and contractors need to be proactive about preparing.

Significant global political changes have defined, and will continue to define, 2017. In the United States, we’ve seen the inauguration of a new president and the start of the 115th Congress. There will be major national elections in Argentina, France, Germany and South Korea. The United Kingdom is beginning the process of negotiating an exit from the European Union following last year’s referendum.

However, regardless of any national political changes, global cybersecurity challenges will persist, and this year will see some major developments in the cybersecurity and data protection policy landscape.

Businesses and governments must monitor policy changes; assess the potential implications of these developments on their operations and customers; develop strategies to achieve compliance; prioritize resources and investments; and ensure compliance with any new requirements.

Otherwise, they risk eroding the trust of customers and the marketplace, in addition to significant fines and penalties for non-compliance.

Increased regulatory actions challenge leaders

A quick sampling of the cybersecurity regulatory landscape illustrates many of the challenges organizational leaders face.

In the United States, the Federal Deposit Insurance Corporation, the Comptroller of the Currency and the Federal Reserve are working to finalize cybersecurity guidance for financial institutions with consolidated assets of $50 billion or more. Some of the proposed rules would require institutions to establish board-approved cyber risk governance processes, implement formal policies to manage workforce and supply chain risks, and potentially adopt new standards to ensure that covered entities can effectively plan for, respond to and recover from cyber incidents.

The Securities and Exchange Commission is calling on public company boards to conduct more active oversight of company cybersecurity practices. The Federal Trade Commission has taken regulatory enforcement actions against public companies for inadequate data protection and information security practices.  And the Federal Communications Commission is adopting rules designed to increase choice, transparency and security for broadband consumers.

Under a draft cybersecurity executive order from President Donald Trump, federal agency heads will be held accountable for their departmental cybersecurity risk management strategies and processes.  Further, the Office of Management and Budget will require federal agencies to adopt the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity to guide their cyber risk management programs.

If this requirement is included in the final executive order, agency heads will need to assess their current information security practices against the NIST framework, set goals based on their unique missions and risk environments, and establish prioritized action plans to achieve improved security outcomes.

Regulatory preparedness extends globally

There are multiple other cybersecurity regulatory examples in Europe, the Asia-Pacific region, and South America, ranging from data privacy and protection to internet security.

In Europe, the EU and its member states are working towards the May 2018 implementation deadline of the General Data Protection Regulation. The GDPR includes comprehensive data security, management and transparency requirements. Organizations that fail to comply with these requirements can face severe penalties, such as fines of up to 4 percent of global annual revenue.

In the Asia-Pacific region, Japan is in the process of finalizing rules for its Protection of Personal Information Act, which includes new transparency and consent requirements for companies that wish to transfer personal data to third parties outside Japan. In South America, Brazil is implementing an internet security framework that includes strict controls on access to personal data, including authentication and access management mechanisms.

Greater public-private collaboration on cybersecurity policy

From an advocacy standpoint, it’s important for businesses and organizations to engage with policymakers in the policy development and implementation process, either directly or through industry and organizational associations.  They must push for policies that allow for flexibility, given the accelerated pace of technical innovation.  And they need to advocate for regulatory alignment to prevent the global digital economy from becoming a fragmented marketplace with limited competition and innovation.

The 2017 global cybersecurity and data protection policy landscape will pose business and compliance challenges to organizations of all sizes. However, these challenges may pale in comparison to those facing organizations that fail to comply.

Preparation for compliance with many of these policies will require active engagement from multiple layers of organizations, including executive, development, legal and audit teams.  In many cases, public company boards will play active roles in policy compliance oversight.  Companies and organizations that have holistic processes in place to analyze, prioritize and act on policy and regulatory developments will be better positioned to drive transformation and compete in the modern, digital economy.