How the White House could incentivize cybersecurity compliance

A White House blog post suggested ways the federal government could incentivize businesses to comply with heightened cybersecurity standards, months after President Obama’s executive order in February for better protection of physical and virtual assets.

In the post, U.S. Cybersecurity coordinator Michael Daniel lists eight possible ways to encourage businesses to voluntarily adopt cybersecurity standards. These include collaborating with the insurance industry to provide cybersecurity insurance, offering federal grants, expediting government services to participants, and providing legal privileges such as liability limitation. The post also suggests streamlining existing legal regulations to make it easier for participants to comply with new standards, publicly recognizing participants, allowing businesses to recover some of their cybersecurity investments, and emphasizing cybersecurity research to help participants find solutions to their specific cyber problems.

These potential incentives are based on recommendations from the Treasury, Commerce Department and Homeland Security.

Obama’s executive order moved to create a “cybersecurity framework” — a set of standards and procedures expected to be completed in October of this year, intended to diminish cyber risk. The order also encourages better communication about threats between the public and the private sector; businesses and agencies would receive incentives for joining a voluntary program in compliance with the framework.

Though these incentives aren’t yet final, the preliminary list allows businesses and agencies to offer their own input on cybersecurity compliance, said Kimberly Peretti, chair of law firm Alston & Bird’s Security Incident Management and Response Team in Washington, and former senior litigator for the Justice Department’s computer crime and intellectual property section.

“At this point, companies can think about, ‘if we have to increase our practices and the level of security we have in place, what’s the best way our organization can get to that level? What would incentivize our company to do that?’” Peretti said. “The variety of approaches and creativity gives something to the private sector to start feedback.”

And the cybersecurity insurance incentive could prove helpful for the insurance industry, said Michael Donovan, head of specialist insurance company Beazley’s data breach and cyberinsurance department.

“There are many approaches companies take to reduce their cyber risk, and it can be very difficult for us to evaluate it. Anything that would help standardize that, and provide more information, would be encouraging,” he said.

Donovan said he doesn’t think the incentives would put extra pressure on the insurance industry.

The incentives are “couched in the terms of being voluntary, and done in terms of incentives, rather than regulation and requirements. That would seem to be a positive approach” to public-private collaboration on cybersecurity, he said.


