Cyber Defenders Council: Is it Time for Cybersecurity Regulation?
In 2017, credit reporting agency Equifax suffered a data breach that to this day remains one of the most costly, far-reaching, and severe on record.
The breach exposed personal information on more than 163 million individuals, had a direct negative impact on the company’s revenue, saddled Equifax with huge recovery expenses and legal exposure, and cost both the CEO and CSO their jobs. According to Equifax SEC filings, the financial impact of the breach reached $1.94 billion between 2017 and 2020.
After the breach, security became a strategic priority for Equifax. The new CEO, Mark Begor, who remains at the helm, committed to making the company an industry leader by building security into every product, process, and business decision. It wasn’t just talk: Begor authorized millions of dollars in investments to back it up.
The Equifax breach illustrates a sad truism about security that persists to this day: it takes a crisis to get business executives to realize the imminent risk cyber creates for their organizations, and the need to do something meaningful to reduce that risk.
Security leaders’ ongoing efforts to get business executives to assume they’re at risk and take security seriously are the topic of the second report from the Cyber Defenders Council, Bridging the Cyber-Business Divide: Will Regulation Reduce Risk and Improve Resilience?
The report showcases best practices that Council members have used to align business executives around a common understanding of cyber risk and the measures needed to address it. It also explores a potentially controversial solution to the business-cybersecurity alignment gap: cybersecurity accountability regulation.
Cybersecurity accountability regulation emerged as a central topic of discussion during the Q2 NA/EMEA Cyber Defenders Council meeting. The resulting report highlights some of the pros and cons of such regulation and attempts to lay out what it might look like, along with key questions that regulators and business and cybersecurity leaders would need to address.
Do you think cybersecurity accountability regulation, modeled after Sarbanes-Oxley in the U.S. or the E.U. NIS Directive, would help to align leaders around a shared understanding of their organizations’ material cybersecurity risks and the actions and investments required to mitigate them?
The Cyber Defenders Council is an independent group of preeminent cybersecurity leaders from public- and private-sector organizations across North America, EMEA and Asia-Pacific.
The mission of the Council is to adapt an approach to cyber deterrence, known as Defend Forward, for the global private sector and provide prescriptive guidance to help organizations implement Defend Forward cyber deterrence strategies that increase costs for attackers and improve the efficacy of Defenders.
About the Author
Meridith Levinson is a director of content marketing at Cybereason. She began her career as a writer with CIO magazine, where she interviewed Madeleine Albright, Jeff Bezos and venture capitalist John Doerr, among many others, and reported on the passage of Sarbanes-Oxley, the impact of the 2008 financial crisis on IT, cybersecurity, and other topics. She also previously worked for Deloitte, ghostwriting articles on IT and cybersecurity for firm leaders that published on WSJ CIO Journal, and for RSA.