Cybersecurity Regulations Will Force Companies to be Trustworthy

in #cybersecurity, 2 months ago

I think the list of executives and board members genuinely interested in cybersecurity will increase greatly as regulations, such as the US SEC cybersecurity reporting requirements and the European Union’s proposed Cyber Resilience Act (CRA), are established to correct longstanding financial incentives that do not benefit the customers or investors.

These are requirements, for those under their oversight, that force a level of transparency that creates accountability for companies' cybersecurity posture and management. Such strong catalysts will drive recognition across the top tiers of business leadership of the importance and necessity of committing resources to develop and actively maintain the security of their digital products and services.

Needless to say, such regulations are unpopular with many organizations, as they greatly narrow down the options for concealing security issues and, therefore, represent an undesirable forcing function to invest more in cybersecurity and maintain executive oversight.

I see this as a strategically important shift that strengthens the trust in digital technology.


Well, if businesses did the right thing, there would be no need for new regulations.

You point out that people who use a product should be provided security updates. Are they indemnified? Must a company provide updates after they declare some product obsolete and no longer supported? For people using Windows 7 today, for example. What about voluntary sharing of people's data? Are companies required to report that? I think if not, this legislation is worthless, because companies will just sell, or even give, their records to hackers to avoid reporting breaches.


last month

There are many different privacy regulations, but they vary by country or union.

This notification will help people become aware when products or services they use are being actively exploited. This enables them to make good security decisions.

I find it difficult to trust companies that sell the information and don't inform their compromised victims to inform that same cohort if someone else takes the information to sell. It may result in slightly improved security, but the bar should be that when the user's information leaves the care of the fiduciary, there should be reporting. I suspect companies are cavalier about the security of customer data because they sell it anyway, so hackers getting it is hardly any more harmful.


last month

I have always advocated that if a company has your PII, it should notify you annually:

  1. What personal data they possess
  2. To whom they have shared/sold/provided that data
  3. Whether they have lost or exposed that data (e.g. a breach)
  4. When they will remove/delete the data
  5. A 1-click option to delete the data

In this way, consumers can track what data is out there and who has it!

Recently, I began to think about the economic consequences of cyber attacks, also after I looked at the data in an article on the website about the basics of cybersecurity. It's quite difficult to think about how a single breach can have far-reaching consequences across multiple industries. The nature of the global economy means that a security breach in one sector could potentially have significant financial consequences in another. Therefore, I understand that the importance of a robust security infrastructure to mitigate such risks truly cannot be overstated. Has anyone already had experience with this kind of data protection?