U.S. Companies Conflicted About Cybersecurity Mandates
 

As America endures ongoing cyberattacks against critical infrastructure and software supply chains, U.S. policymakers have been selectively issuing cybersecurity requirements in key sectors. To many observers, this is raising the prospect that minimum cybersecurity standards could be applied across the board.[1]

In Mimecast’s State of Email Security Report for 2022, U.S. companies express mixed feelings toward such mandates. Fewer than a third of companies think minimum standards would make a big difference in how much risk they face, how they protect their businesses or how much they spend to do so. Yet roughly half see at least a moderate impact in these and other areas, as described below. 

Washington Starts Setting Cybersecurity Minimums

Last May, President Biden issued an executive order calling for stronger cybersecurity standards within the federal government and among its contractors, as well as improved software supply chain security and the creation of a playbook for cyber incident response. Since that announcement, some related legislation has picked up steam.

This March, Biden signed a law that would require critical infrastructure companies to report cyberattacks and ransomware payments.[2] Meanwhile, a number of federal departments and agencies have followed the commander-in-chief’s lead with new reporting obligations and cybersecurity requirements for certain sectors. Unlike the cybersecurity framework provided by the National Institute of Standards and Technology (NIST), which is voluntary for companies, these new initiatives are compulsory, “continuing the government’s move to an increasingly regulatory approach to private sector cybersecurity,” according to legal experts.[3]

Some Washington observers say these greater expectations and new standards for the federal government, its suppliers and critical infrastructure players are likely to bleed into the broader private sector, edging closer to minimum cybersecurity standards for all. 

A Ripple Effect 

In January, the Biden administration starting setting timelines for requirements laid out in his executive order. That memo gave federal departments and agencies 180 days to implement multi-factor authentication and encryption for classified systems, while allowing the Committee on National Security Systems (CNSS) 90 days to come up with a cybersecurity framework for systems in the commercial cloud and giving the head of each executive department or agency 60 days to update plans to prioritize the adoption of cloud technology and a zero-trust architecture.[4]

In between, some departments and agencies have made significant moves. Following up on its rigorous cybersecurity mandates specifically for pipeline operators, the Transportation Security Administration issued directives requiring air carriers as well as passenger and freight rail operators to implement an array of cybersecurity measures to prevent disruption and degradation to their infrastructure.[5] The Securities and Exchange Commission voted to propose new cybersecurity risk management requirements for the investment industry, a move one law firm described as “the most significant update to federal privacy law” for this sector in 20 years.[6]

In terms of consequences for the private sector, the U.S. Department of Justice announced an initiative that will enable it to use a preexisting fraud statute to prosecute companies that fail to comply with federal cybersecurity standards or misrepresent their efforts to meet them. Some industry watchers noted this as a dramatic shift on the part of the Justice Department to not simply protect private companies who fall victim to cyberattack, but to prosecute those who fail to comply with cybersecurity mandates.[7] “The initiative leverages the buying power of the federal government to raise the bar on cybersecurity,” legal experts wrote, “with the hope that the standards adopted by government contractors will eventually be matched by the private industry.”

Companies See Increased Costs, Less Autonomy

Historically, private companies and public entities have largely been responsible for setting their own cybersecurity direction with guidance, support and some standards from the government. While the drivers for increased government involvement and mandate-setting may be obvious, the anticipated impact on private companies is less clear. Here’s how U.S. survey respondents described it in the State of Email Security report:

• Cybersecurity risk: Just 31% of U.S. participants in the survey believe that government-mandated minimum security standards would have a significant impact in reducing the risk of cyberattacks affecting their business. Four in ten say mandates would have a moderate impact, and nearly a quarter (23%) think such requirements would have a low impact. 
• Cyber resilience: Similarly, just three in 10 U.S. respondents indicate that government-mandated minimum security standards would result in big improvements in their business’ cyber resilience. Nearly half say mandates would lead to moderate improvements in their overall cybersecurity profile, while 17% say they would result in minimal changes.
• Security budget: More than a quarter (28%) of those surveyed say mandates would significantly increase their costs, while 46% expect such requirements to moderately raise costs. Two in ten respondents say minimums would have a more limited impact on their cybersecurity budget. 
• Cyber strategy: More than a quarter (28%) of U.S. respondents say mandated minimum levels of cybersecurity would greatly decrease their business’ freedom in determining the best course of action in response to cyberthreats, while 43% feel it would moderately infringe on their autonomy, and 18% say it would have minimal impact on their self-determination with regard to cybersecurity actions. 
• Board and C-level engagement: Nearly three out of ten (29%) survey participants think that mandated minimums could greatly increase the level of care business leaders show regarding the improvement of cybersecurity in their organizations. Half of respondents say that such legislation would moderately increase business leaders’ level of interest, and 15% think it is likely to increase their attention levels only a little.

The Bottom Line

Whether these evolving government requirements will result in mandatory cybersecurity minimums for a broader spectrum of private companies remains to be seen. In the meantime, experts expect increased scrutiny of companies’ cybersecurity postures — particularly for those that work directly with the government or operate as part of the IT supply chain. Read more about how companies are reacting to these and other cybersecurity events in Mimecast’s State of Email Security report for 2022.

[1] “Cybersecurity and data privacy foresight 2022,” Reuters

[2] “With Eye to Russia, Biden Administration Asks Companies to Report Cyberattacks,” New York Times 

[3] “TSA Rail Cybersecurity Directives Show Increasing Government Regulation of Critical Infrastructure and the Private Sector,” Wiley

[4] “Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems,” White House 

[5] “TSA Imposes New Cybersecurity Requirements for Rail and Air Sectors,” Inside Privacy

[6] “SEC Proposes New Cybersecurity Rules for SEC Registered Advisers and Funds,” Dechert LLP

[7] “Cybersecurity and data privacy foresight 2022,” Reuters