U.S. cyber legislation and regulation are evolving rapidly, as seen in the President’s recent Executive Order 14028 on cybersecurity, five bipartisan bills introduced in the House of Representatives, and bills in numerous state legislatures addressing cybersecurity and privacy, Fitch Ratings says.
These regulations are helpful in establishing minimum standards. However, increased regulation in and of itself is not likely to fully thwart cyberattacks, which are expected to increase in size, volume and sophistication globally.
The increase in the frequency and severity of attacks has the potential to become a credit issue, and Fitch will evaluate a major incident within the context of each issuer’s credit profile. To date, the risk of criminal prosecution for attackers remains low, while the profit incentives for cyberattackers remain high.
The effects of regulation will be asymmetrical depending on the sector. Less regulated sectors, including non-financial corporates, will be more affected by increased regulatory oversight than sectors such as banks and insurance, which are already highly regulated. Over the longer term, we see more regulation related to cybersecurity as broadly beneficial, as this will require sectors that have lagged on cybersecurity to increase investments against this risk.
While increased cybersecurity regulation should be positive, the proliferation of uncoordinated or piecemeal cybersecurity regulations and laws can actually make managing cyber risk more difficult in terms of compliance, cost and transparency. Cyber risk is unique in that attackers operate globally, so global coordination on cybersecurity standards and enforcement is critical to combating this growing risk over the long term.
Fitch views legislation that mandates layered controls and cyber basics, such as network segmentation, multifactor authentication, encryption, identity and access management, and cyber incident reporting, as positive for bolstering cyber hygiene.
The recent high-profile cyberattack on Colonial Pipeline underscores the importance of network segmentation between information technology (IT) and operational technology (OT). Preventing cyberattacks, and mitigating them when they do occur, is essential for all sectors of the economy, particularly US critical infrastructure. We expect the financial, reputational and legal risks to continue to grow.
Along with the potential for federal legislation or executive action, states such as New York, California, Virginia, Nevada and Massachusetts have recently enacted their own legislation aimed at identifying and assessing cybersecurity risks that may threaten the security or integrity of nonpublic information.
These laws carry potentially steep penalties for violations, highlighting the need for regulatory compliance. The New York Department of Financial Services has one of the most comprehensive state-level cybersecurity regulations. It covers several common aspects of cyber risk, exempts certain entities based on their size, and carries penalties for non-compliance.