Who benefits from cyber regulations?
(From September 25, 2023)
Not who should benefit, but who will benefit from the seemingly ever-growing number of cyber regulations being issued by more and more governments around the world?

This post is my opinion about who will benefit: which entities and participants in the cyber market stand to gain.
As context, I never take any government “at their word” regarding regulations – there is always someone behind the curtain, and specifically for cyber, a curtain that cannot be parted.
Cyber regulations popping out quicker than microwave popcorn pops
Regulations of cyber, which I hypothesize have been created mostly by people who equate physical artifacts with digital artifacts, scare me (beyond the fact that there is no equivalence between physical artifacts and digital artifacts).
Why?
- Did the people creating the cyber regulations take into account the huge installed base of software solutions that corporations (of all sizes) currently use to maintain operations (e.g. the installed base of legacy systems)?
- Were representatives from corporations (of all sizes) directly – and actively – involved in the creation of the cyber regulations?
- Was there a “test period” in which corporations of varying sizes and from varying industries tested the cyber regulations (e.g. reasonableness, ability of corporations to comply, cost of compliance, resources other than funds that corporations need in order to comply)?
- Did most of the people who created the cyber regulations spend most of their working lives working with physical artifacts? (Or are they primarily career politicians and/or regulators?)
- Do most of the people who created the cyber regulations know anything about the creation, coding, testing, deployment, and maintenance of software solutions? Or did they assume: “we regulated vehicles, transportation, healthcare, pharmaceuticals … so what’s the problem regulating cyber?”
Cyber participants who will & will not benefit from cyber regulations
Some selected participants in the cyber market who will benefit from cyber regulations in the short term, medium term, and long term:
- The governments creating the cyber regulations (more control of corporations; more funds from fines);
- Plaintiff’s Bar (bring lawsuits – possibly class-action lawsuits – against corporations not in compliance; generate income from lawsuits);
- Insurance companies (use the cyber regulations as benchmarks and/or additional questions for underwriting cyber insurance policies; use non-compliance of cyber regulations to deny claims);
- Cyber protection advisory and/or cyber modeling companies (use the cyber regulations as benchmarks and/or a roadmap for development of their cyber product / services offering; use changes in regulations to update their services and models);
- Technology companies (IT or telco; use cyber regulations as benchmarks to develop software solutions that enable corporations to comply with cyber regulations; use changes in regulations to update their software solutions);
- Cyber hackers (cyber regulations will provide a roadmap of what can be more easily attacked by highlighting what has to be “protected” – and therefore identify where protections are not mandated).
Of course, members of any of the entities / companies above are very healthy proponents of cyber regulations, quick to pick up the pom-poms and cheer on the regulations and the regulators. After all, they should be very quick to defend the need for cyber regulations: it means more jobs and more income for them (and more fines for government coffers).
But lest we forget, who will not benefit from cyber regulations?
- Corporations (of all sizes in any industry whether for-profit or not for-profit)
- Clients of corporations
Why? Because the reality is that none of the cyber regulations are going to slow down or stop cyber attacks.
Cyber regulations will trigger corporations to “do better”
One of my LinkedIn members told me that cyber regulations will trigger corporations to “do better” regarding cyber security / resilience.
I have just a few questions:
- What will “doing better” look like? (Because the reality is that none of the cyber regulations are going to stop the cyber attacks, whether measured by frequency or by severity.)
- Who is going to define the measures of what it means to “do better”?
- Who is going to apply the measures of “doing better” to every corporation that has been cyber attacked? Industry associations? Government agencies? The Plaintiff’s Bar? (Now, there is a nightmare to contemplate!)
- Who is going to apply the measures of “doing better” to corporations that have not been cyber attacked? Industry associations? Government agencies? The Plaintiff’s Bar? (Now, there is a nightmare to contemplate!)
Budgeting in the Cyber Era
Turning to corporations …
Corporations are in a losing position: there are no effective controls or defenses that protect them against losing funds to cyber attackers, being fined by their own government, and shoveling out large sums of money to members of the plaintiff’s bar representing people who have been “wronged” by a corporation’s seemingly insufficient cyber security methods.
Can corporations minimize the funds flowing down the drain?
No, not really.
In the Cyber Era, corporations will have to continually budget (with no end in sight) for:
- cyber security / resilience solutions;
- cyber loss modeling;
- penalties to their government for not complying with cyber regulations (even if corporations believe they are complying: if they are cyber attacked afterwards, then surely they are out of compliance and must be fined [again]);
- payments to cyber attackers (ransomware; extortion);
- lawsuits brought by the plaintiff’s bar representing “wronged” clients of the corporation and/or representing member companies (and their clients) of the cyber attacked corporation’s ecosystem (e.g. partners, suppliers, distributors, …);
- higher retention / deductible levels before their cyber insurance coverage begins.
Yes, corporations must be cyber secure and resilient
Please don’t misunderstand me.
In the Cyber Age, corporations of all sizes from every industry must protect themselves from cyber attacks. They must do whatever they can (e.g. within budget realities, within time-line realities) to achieve some semblance of cyber security / resilience. And they must realize that the portfolio of initiatives to become cyber secure / resilient will only grow and need to be attended to throughout every day their corporation conducts commerce.
However, no corporation should be re-victimized by its own government because the government doesn’t believe it is becoming cyber secure fast enough … or worse, deems it cyber insecure even though the corporation has achieved compliance in the sense of aligning with whatever the cyber regulations mandate.
Governments should use cyber regulations to offer guidance and resources to corporations in their quest, whether a voluntary or involuntary quest, to become and remain cyber secure / resilient. Governments should not become yet another villain in the Cyber Age by fining corporations for supposed non-compliance. Cyber attackers and the Plaintiff’s Bar already supply corporations with a sufficient number of villains in the Cyber Age.