Raising the Accountability Bar: The push for higher cyber standards

November 16, 2016

The Advanced Cyber Security Center Annual Conference on November 3 featured a panel discussion on regulation and insurance entitled "Raising the Accountability Bar."

Moderator:
Melissa Hathaway, President, Hathaway Global Strategies; Former Acting Senior Director for Cyber Space, National Security Council and Director, Joint Interagency Cyber Task Force

Panelists:
Phillip Larbey, Head of Sector Cyber, Information Security Division, Bank of England
Adam Sedgewick, Senior Information Technology Policy Advisor, National Institute of Standards and Technology
Gregory Vernaci, Head of Cyber US and Canada, AIG

Key Themes:

Different countries with widely different standards pose regulatory challenges.
Lack of common terminology, for starters, confounds implementing common standards.

The key role of the private sector driving and promulgating standards.
“Regulations alone won’t do it because regulators don’t have the capacity to manage the problem.”

“You’re not going to solve this on the governmental level; it has to be shared between government and industry.”

The problem of creating a regulatory culture of compliance versus a culture of outcomes.
Regulation requires more than a check the box mentality. “Compliance does not mean security.”

Supply chain regulation remains a vexing issue.
“How do you develop the right set of questions to ask along the supply chain?”

NIST compliance framework.
A work in progress. Panel expects improvements that raise standards and reduce “stovepipes.”

The insurance industry will continue drive compliance as risk management in cyber grows.
There are 50-65 insurers that sell true cyber insurance, including a suite of coverage that responds to failure of security; but also covers privacy events.

Insurers increasingly are holding clients accountable to qualitative factors about their operations. “The clients who can identify their risk factors clearly get coverage. Those who don’t get reduced coverage or no coverage.”

The issue remains on developing different standards for different companies and industries. Does one size fit all?
“I don’t think there is a single standard. What you would expect from someone who is systemically important is completely different than someone who isn’t."

We should be "measuring the standard that is proprotionate to the risk the company has in the sector.”

Coming: more regulatory attention to the Internet of Things
“We can’t have the world taken over by video cameras and toasters.”