A White House blog post suggested ways the federal government could incentivize businesses to comply with heightened cybersecurity standards, months after President Obama’s executive order in February for better protection of physical and virtual assets.
In the post, U.S. Cybersecurity coordinator Michael Daniel lists eight possible ways to encourage businesses to voluntarily adopt cybersecurity standards. These include collaborating with the insurance industry to provide cybersecurity insurance, offering federal grants, expediting government services to participants, and providing legal privileges such as liability limitation. It also suggests streamlining existing legal regulations to make it easier for participants to comply with new standards, publicly recognizing participants, allowing businesses to recover some of their cybersecurity investments, and emphasizing cybersecurity research to help participants find solutions to their specific cyber problems.
These potential incentives are based on recommendations from the Treasury, Commerce Department and Homeland Security.
Obama’s executive order moved to create a “cybersecurity framework” — a set of standards and procedures intended to reduce cyber risk, expected to be completed in October of this year. The order also encourages better communication about threats between the public and private sectors; businesses and agencies would receive incentives for joining a voluntary program that complies with the framework.
Though these incentives aren’t yet final, the preliminary list allows businesses and agencies to offer their own input on cybersecurity compliance, said Kimberly Peretti, chair of law firm Alston & Bird’s Security Incident Management and Response Team in Washington, and former senior litigator for the Justice Department’s computer crime and intellectual property section.
“At this point, companies can think about, ‘if we have to increase our practices and the level of security we have in place, what’s the best way our organization can get to that level? What would incentivize our company to do that?’” Peretti said. “The variety of approaches and creativity gives something to the private sector to start feedback.”
And the cybersecurity insurance incentive could prove helpful for the insurance industry, said Michael Donovan, head of specialist insurance company Beazley’s data breach and cyberinsurance department.
“There are many approaches companies take to reduce their cyber risk, and it can be very difficult for us to evaluate it. Anything that would help standardize that, and provide more information, would be encouraging,” he said.
Donovan said he doesn’t think the incentives would put extra pressure on the insurance industry.
The incentives are “couched in the terms of being voluntary, and done in terms of incentives, rather than regulation and requirements. That would seem to be a positive approach” to public-private collaboration on cybersecurity, he said.