How Regulation Chases New Industry: The Case of Cybersecurity

Before the regulation

Not too long ago, the threat of cyber-attacks was rarely on the boardroom agenda. Yet, with the ubiquity of headlines relating to cyber-attacks in recent years, businesses across the world have been put on high alert. Today, these businesses scramble to identify and recruit cybersecurity talent and leadership. According to the Allianz Risk Barometer published earlier this year, cyber incidents ranked as the number one biggest threat for organisations worldwide, ahead of climate change and geopolitical risk.[1] With the cybersecurity landscape evolving so rapidly, regulators have truly had their work cut out for them.

Cybersecurity regulation has come in many different forms. Some of it has been geared around ensuring consumer privacy protection, while other regulation has sought to prevent fraud, increase digital transparency and mitigate systemic risks.

But as with any industry regulation, the wheel often takes time to get spinning. Consider, for example, the case-in-point for this year: crypto.

Let’s start by reviewing some history. The purpose of the original cryptocurrency, Bitcoin, was to create a decentralised currency outside of the purview of government – the people’s currency so-to-speak. The cryptocurrency’s roots can be traced all the way back to 2008 when Satoshi Nakamoto published his whitepaper “Bitcoin: A Peer-to-Peer Electronic Cash System”.

During Bitcoin’s infancy, governments were not particularly concerned about crypto. Not only were the adoption rates low, but the industry didn’t really have the participation rates we see today. Hence regulators felt no urgency to bring a set of rules to the system, such as regulation of Bitcoin’s blockchain or a framework for taxation (of this new asset class). Journalists were still referring to the industry as the digital “Wild West” of fraud.

Then in 2016, Japan became the first country to introduce cryptocurrency regulation[2]. This followed several high-profile hacks on major Japanese cryptocurrency exchanges, including the theft of 850 thousand Bitcoins. Now, while this didn’t spur immediate regulatory scrutiny in the West, it certainly caught the attention of then-Financial Stability Board (FSB) Chairman Mark Carney. In March 2018, Carney wrote a letter to the G20 asserting that the FSB’s initial assessment of cryptocurrencies had concluded that these new digital assets needed ongoing attention, but didn’t yet pose a systemic risk.[3]

Fast forward to today and things are very different. The regulatory landscape for cryptocurrencies has evolved. The industry has rapid adoption rates and high participation rates. Regulation has almost popped overnight, and many journalists today tell a very different story about the future of this new digital asset class. Regulation has finally caught up with the industry’s unprecedented growth. In many ways, the regulation of crypto may be the very thing that legitimises it, and takes it mainstream.

Coming back to cybersecurity, it is our increased dependence on digital technology that has hastened the profound growth of the industry. With greater dependence has come greater vulnerability. Last year, data breaches exposed over 22 billion records[4] with approximately 70% of these financially motivated[5] While there has been cybersecurity regulation in place for some time now to help manage risk, the regulation too has evolved and shapeshifted to accommodate the industry’s greatest concerns and trepidations.

Let’s consider two regulatory developments in recent history.

First regulatory development

Since 2011, publicly traded companies in the United States have been required by the Securities Exchange Commission (SEC) to disclose information relating to cybersecurity risk – including direct and indirect costs such as lost revenue, reputational damage and litigation expenses – in their financial disclosures.[6] In March 2022, the SEC proposed tightening these rules to require standardised and timely disclosures of all cyber incidents.[7]

The first part of the SEC’s new proposal stipulates that cyber incidents must be reported both to the SEC and shareholders (via Form 8-K) within four business days of identification of the material cybersecurity event (e.g. a data breach).[8]

The second part of their proposal seeks to consolidate reporting requirements (via Form 10-K) to improve visibility into governance and risk management practices. The rules also expand on the mandatory report requirement of cybersecurity expertise at the level of board directors.[9] Firms need to now clearly detail the inner workings of their cybersecurity risk mitigation, such as how they engage with third party assessors or consultants, what measures are in place to ensure attack prevention (or where prevention is not possible, detection and mitigation), the company’s processes for business continuity and recovery and the threat cyber incidents pose to company financials.

SEC Chair Gary Gensler has said: “Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing [this] growing [risk]. A lot of issuers already provide cybersecurity [disclosures] to investors. I think companies and investors alike would benefit if [the] information [was] required in a consistent, comparable and decision-useful manner.” [10]

It should come as no surprise that the regulation seeks to promote and encourage a better cybersecurity culture in publicly traded companies. And we believe that increasing regulation is likely to augur well for spending on cybersecurity products and solutions.

Second regulatory development

One of the reasons for the rise in cyber-attacks in recent years has been the growing number of networked devices. Indeed, networked devices are expected to double to 40 billion by 2025 (versus 20 billion in 2019).[11] This means an even greater attack surface for hackers to exploit – including things like our smart fridges, our autonomous vacuum cleaners and our wireless wearables, to name a few.

And in response to this growing and ever-expanding attack surface, the European Commission (EC) in September 2022 decide to propose the EU Cyber Resilience Act – new legislation to govern digital products throughout their whole lifecycle, placing the onus on manufacturers and software providers to provide support and updates to address ongoing vulnerabilities. Margrethe Vestager, Executive Vice-President for “Europe Fit for the Digital Age”, said: “Just as we can trust a toy or a fridge with a CE marking, the Cyber Resilience Act will ensure the connected objects and software we buy comply with strong cybersecurity safeguards.”[12]

The existing EU framework comprises several pieces of horizontal legislation relating to cybersecurity already. In 2013, the directive on attacks against information systems came into force and harmonised criminalisation and penalties for various cyber-offenses. In 2018, The General Data Protection Regulation (GDPR) law on data protection and privacy in the European Union and the European Economic Area was passed which aimed to give individuals more control and rights over personal data and to simplify the regulatory environment for international business[15]. And in 2019, the EU Cybersecurity Act came into law to enhance the security of information and communications technology products, services and processes by introducing a voluntary European cybersecurity certification programme.[16] All of these preceding legislations however leave out mandatory requirements for products with digital elements. This is precisely where the EU Cyber Resilience Act comes in.

The regulation seeks to ensure that manufacturers take security more seriously. The regulation also seeks to encourage consumers to take security into account when choosing digital products, in the same way as they might do when buying a physical product such as a car. The EC has even listed out some examples of critical products they define as having digital elements on their website.[17]

Compliance with the EU Cyber Resilience Act will be mandatory. And firms will be subject to fines of 2.5% of worldwide annual turnover for the preceding financial year, or up to EUR 15 million, whichever is higher, for non-compliance.[18] When the legislation enters into law, stakeholders will be given 24 months to adapt to these requirements or 12 months for manufacturers to meet reporting obligations. Overall, this is significant piece of regulation. It will no doubt result in businesses across the EU to investing significantly to boost their in-house cybersecurity expertise.

Conclusion

We often talk about the tailwinds that have made cybersecurity a success story for investors over the past decade. Whether it’s the growth of data as the “new oil”, the sheer number and scale of interconnected devices or simply the frequency of cyber-attacks and ensuing media headlines, the industry appears to be buoyed by positive momentum signals almost on a consistent basis. The regularity of these catalysts has led to tremendous energy being injected into the sector over the years. But one often overlooked catalyst is regulation. We would argue that regulation has been one of the major drivers of cybersecurity product and service adoption. Even though most cybersecurity (and by extension, data privacy regulation) has been reactive as opposed to proactive, its very existence validates the idea that digital products are now very much integrated into our lives. As with any type of new product, regulation exists to protect the users and ensure the manufacturers are doing the right thing by the users.

Related ETF

CYBR: Rize Cybersecurity and Data Privacy UCITS ETF 

References:

[1] Allianz, Allianz Risk Barometer, January 2022. Available at: https://www.agcs.allianz.com/news-and-insights/reports/allianz-risk-barometer.html

[2] Sygna, Japan’s History of Crypto Asset Regulation: 2014-2020. Available at: https://www.sygna.io/blog/japan-crypto-regulation-history-2014-2020/

[3] Financial Stability Board, Chair sets out FSB priorities for the Argentine G20 Presidency, March 2018. Available at: https://www.fsb.org/2018/03/chair-sets-out-fsb-priorities-for-the-argentine-g20-presidency/

[4] Flashpoint, 2022.

[5] Verizon, 2021 DBIR Master’s Guide. Available at: https://www.verizon.com/business/resources/reports/dbir/2021/masters-guide/

[6] Security and Exchanges Commission, 2022. Available at: https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm#_ednref7

[7] Security and Exchanges Commission, 2022. Available at: https://www.sec.gov/news/press-release/2022-39

[8] Varonis, SEC Cybersecurity Disclosure Requirements’ Impact on Your Business, June 2022. Available at: https://www.varonis.com/blog/sec-cybersecurity-disclosure-requirements

[9] ibid

[10] Security and Exchanges Commission, 2022. Available at: https://www.sec.gov/news/press-release/2022-39

[11] Cisco, Cisco Annual Internet Report 2021. Available at: https://www.cisco.com/c/en/us/solutions/executive-perspectives/annual-internet-report/index.html

[12] European Commission, State of the Union: New EU cybersecurity rules ensure more secure hardware and software products, September 2022. Available at: https://ec.europa.eu/commission/presscorner/detail/en/IP_22_5374

[13] Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA OJ L 218, 14.8.2013, p. 8–14.

[14] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194/1, 19.7.2016 p. 1).

[15] European Commission, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), September 2022. Available at : https://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf

[16] Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).

[17] European Commission, Annexes Proposal for a Regulation on cybersecurity requirements for products with digital elements – Cyber resilience Act, September 2022. Available at: https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act

[18] Proposal for a Regulation on cybersecurity requirements for products with digital elements – Cyber resilience Act, p. 65