Cybersecurity incidents are getting worse as criminals become more skilled and creative at orchestrating damaging attacks, and they tend to pick unprepared companies as their targets. Several routes could be used to steer organizations toward good cyber hygiene and established best practices.
The 2018 Hiscox Cyber Readiness Report rated respondents’ ability to defend against attacks based on their cybersecurity strategies and oversight. It classified 73 percent of them as “novices,” meaning they still have a lot of progress to make.
One argument for getting companies ready to fight back against cybercriminals is that they should be fined for inadequate cybersecurity practices. But would that tactic lead to improvements, or only make things worse?
Companies in the United Kingdom Are at Risk of Fines
Recent legislation in the United Kingdom means companies face fines of up to £17 million (about $21.9 million) for poor cybersecurity practices if they fail to meet the guidelines. The National Cyber Security Centre (NCSC), which is part of GCHQ, publishes the guidance that sets expectations for companies under this May’s implementation of the EU Directive on security of network and information systems (the NIS Directive).
Notably, the framework only applies to operators of “essential services” that meet size thresholds in the energy, transportation, healthcare, water and digital infrastructure sectors. Besides taking appropriate measures to reduce the likelihood of attacks and limit the damage they cause, these operators must notify the relevant authority within 72 hours of becoming aware of an incident that disrupts their service.
The European Union required member states to transpose the directive into national law by May 9, 2018. The directive calls for baseline cyber capabilities and exercises, cross-border collaboration, and national supervision of critical sectors.
In the United Kingdom, the government plans to inspect companies and issue fines where appropriate. However, the language used about the possible financial penalties is vague, which is causing concern. Government officials insist fines would be issued only as a last resort, and not against companies that have adequately assessed their risks.
But it’s not clear what constitutes an adequate assessment. So, might UK companies be at the mercy of regulators working from a framework that’s too loose and open to interpretation? There are also fears that a single breach could draw two fines, one under the General Data Protection Regulation (GDPR) and one under the new NIS regulations. Officials insist that won’t happen in most cases, but the worry persists.
The UK Already Has an Extensive Cybersecurity Plan
In addition to this new legislation, in 2016 the UK government rolled out an all-encompassing National Cyber Security Strategy, backed by £1.9 billion of investment in infrastructure improvements, defense and deterrence. Taking action against organizations with insufficient cybersecurity was part of that strategy, with fines as one punitive measure.
The Information Commissioner’s Office (ICO) is the UK’s privacy watchdog and the body responsible for issuing data-protection-related financial penalties, even when the company at fault is headquartered elsewhere. It fined Equifax, the credit-reporting agency, £500,000 for exposing the data of up to 15 million UK residents as part of a much larger breach.
Facebook received a fine of the same amount for failing to protect users’ information in the Cambridge Analytica data-harvesting scandal. That £500,000 was reportedly the maximum the ICO could impose under the law in force before GDPR took effect, which happened shortly after the incident.
GDPR Fines Not Issued Yet By the ICO
Concerning GDPR, an article published in September confirmed that the ICO had yet to issue any GDPR fines by that time, even though it receives about 500 calls a week to its breach-reporting hotline.
An ICO representative clarified that the body is not an income-generating agency and aims to resolve thousands of GDPR shortcomings without resorting to the headline-grabbing fines. Instead, the ICO prefers to dispense advice and guidance, giving offenders the opportunity to correct mistakes before any fine is considered.
Varied Financial Penalties in the United States
Punishments for inadequate cybersecurity in the United States are similarly complex, primarily because many factors determine which fines are imposed, if any. The Securities and Exchange Commission (SEC) recently fined Voya Financial Advisors $1 million for cybersecurity deficiencies after intruders obtained personal data on about 5,600 of the firm’s customers.
The fine was issued under the Identity Theft Red Flags Rule (Regulation S-ID). The rule took effect five years ago for SEC-regulated entities, but this was the first time the SEC used it to penalize a firm.
Moreover, Uber paid $148 million to settle with all 50 state attorneys general over its cover-up of a 2016 data breach. The settlement was steep because Uber had paid the hackers in an attempt to conceal the breach rather than disclosing it to regulators and affected users.
Yahoo also came under fire from the SEC in April 2018 and agreed to a $35 million penalty for waiting nearly two years to disclose a breach to its investors.
Voluntary Measures Versus Fines
A 2018 PwC survey found that current and former employees each pose a greater risk to a company’s cybersecurity than unknown external attackers. Businesses can implement internal training and coaching programs to tackle their most pressing cybersecurity problems.
They could also work toward ISO 27001 certification, which signals to customers and other stakeholders that information security is treated as essential and that the company is tightening its controls for reasons beyond legal compulsion.
Moreover, if companies become too fixated on possible fines, they risk creating a fear-based culture in which employees hide incidents rather than report them. An Intermedia poll last year found that 59 percent of employees hit by ransomware paid the ransom out of their own pockets, with shame and embarrassment cited as the top reasons.
Government Measures to Tackle Cybersecurity Risks
Although no single U.S. government body is responsible for all cybersecurity fines, there are legislative efforts to better enforce strong cybersecurity. Last month, the House passed legislation that would allow the Department of Homeland Security (DHS) to bar contractors and subcontractors deemed a security risk to the DHS technology supply chain.
H.R. 6430, the Securing the Homeland Security Supply Chain Act of 2018, would require DHS officials to notify the contractors concerned and allow those parties to dispute the finding or remediate the issue. However, time is running out in the 115th Congress, and the bill has been sitting in the Senate Homeland Security and Governmental Affairs Committee since Sept. 5.
Also, spurred by the 2017 Equifax data breach, Democratic Sens. Elizabeth Warren (Mass.) and Mark Warner (Va.) co-sponsored S. 2289, the Data Breach Prevention and Compensation Act of 2018, which would fine companies for data breaches and compensate victims. The senators argue the federal government currently lacks the power to intervene. A report on the Equifax incident details numerous damning failures by the credit-reporting company.
An Immensely Complex Issue
Fines for insufficient cybersecurity might be beneficial, but only if they are imposed consistently within a straightforward framework. Otherwise, inconsistent enforcement leaves companies afraid of unknowingly falling out of compliance, and employees anxious about reprimands after being fooled by phishing or similar attempts, which is exactly the culture that discourages prompt reporting.