S&P Global expects new and emerging legislative measures to increase cyber resilience, though at a cost

S&P Global published data indicating that new and emerging legislation dictating cyber-related disclosure and governance standards could weigh on issuers’ financial risk profiles by increasing the likelihood of penalties and by necessitating investment to meet minimum standards. It assesses that stricter disclosure requirements will also reveal differences in cyber preparedness and could be a differentiating factor in S&P Global Ratings’ risk and governance assessments, which contribute to its view on issuer creditworthiness.

Additionally, the European Union (EU) and the U.S. have taken the lead in introducing and enforcing cyber regulations, and their practices are influencing the formulation of laws in other regions. These governments have proven willingness to impose regulations and levy fines against transgressors. Their lead is likely to influence the formulation and enforcement of regulation in other regions over the coming years, as countries will tighten regulations and implement new rules.

The data identified that “cyber criminality, which accounts for most cyber attacks, is growing and is increasingly sophisticated both in terms of tactics and technology. That is enabling criminals to increase both the cadence of their activity and to monetize their activities more aggressively. The number of cyber breaches, defined as an incident that results in confirmed disclosure of data to an unauthorized party, has more than doubled in the past five years, and become increasingly costly.”

The research also revealed that governments have met the increasing cyber threat with a growing raft of legislation that seeks to protect critical infrastructure and consumer data, force organizations to bolster cyber defenses, and ensure greater disclosure of cyber events and cyber-risk factors. “This drive to legislate cyber-risk management has been led by larger developed countries, most of which have enacted regulation covering data privacy and critical infrastructure.”

S&P Global said that increased cyber regulation, coupled with more vigorous enforcement, could exacerbate cyber risks’ negative bias by adding new fines and other sanctions to the potential damage resulting from cyber issues. New rules could also necessitate further investment in systems and technology. 

For example, regulations already in place, including GDPR in Europe and CCPA and HIPAA in the U.S., require timely disclosure of a cyber attack to regulators and affected individuals. “That makes investment in effective detection systems crucial to avoiding penalties–though the same systems can also deliver benefits in terms of avoiding excessive damage following a breach,” the report identified.

Investment in new systems may also be required to satisfy regulations designed to protect critical infrastructure, improve national security coordination, and inform financial markets. Critical infrastructure and security rules, such as CIRCIA in the U.S. and NIS2 in Europe, typically require disclosure to central agencies within a defined period and include penalties for entities that fail to meet the minimum standards. 

Cyber regulation could also indirectly weigh on organizations’ operations, liquidity, and profitability. These new cyber security standards could lengthen and complicate product approval for developers and manufacturers, as has been the case in the U.S. where section 3305 of the regulation for medical devices has put the onus on device makers to patch and update products. Increased regulatory emphasis on security by design could expose organizations to responsibility for damage incurred due to the exploitation of security flaws in their products or services.

The research also determined that an increasing burden of care concerning data protection could weigh on sectors that regularly collect and use personal data, such as e-commerce, retail, telecommunications, healthcare, and financial services. Greater restrictions on access to some consumer data could adversely impact business models or service/product functionality. Costs are also likely to rise as cyber insurance becomes more expensive in response to wider and more complex regulations and a greater threat of penalties and litigation. Insurers are also likely to respond by raising their minimum cyber hygiene standards for policyholders, further increasing cyber-related costs for issuers.

S&P Global identified that new cyber regulations, and the evolution of existing rules, mean regulators will inevitably drive changes in the way that organizations manage cyber risk, including by dictating norms of preparedness, reporting, and how cyber incidents are addressed. “That will prove burdensome. Cyber preparedness budgets are likely to grow due to increased complexity and new investment needed to comply with regulations and mitigate the risk of regulatory censure. We expect cyber risk management’s average share of companies’ I.T. budgets to grow from current levels of about 10%,” it added.

“Yet new regulation and enforcement could prove beneficial in addressing risks to creditworthiness. Rules that improve cyber hygiene and reduce the potential for significant losses should strengthen companies, both at an individual level and by raising the standards of the ecosystems in which they operate,” the research added. “New penalties coupled with increased governance and disclosure requirements could incentivize companies to accelerate cyber investments and reduce the risk associated with cyber events.”

Meanwhile, a backdrop of more frequent and costly cyber incidents, and regulations requiring companies to bolster prevention, disclosure, and responsiveness, supports the case for cyber risk preparedness to increasingly become a differentiating factor in credit quality assessment.

On Monday, the U.S. Department of Homeland Security (DHS) announced the availability of US$374.9 million in grant funding for the Fiscal Year (FY) 2023 State and Local Cybersecurity Grant Program (SLCGP). Now in its second year, the SLCGP is specifically for state, local, and territorial (SLT) governments across the country to help them strengthen their cyber resilience. The additional funding empowers state and local governments to combat advanced cyber threats, demonstrating the administration’s and Congress’s commitment to cybersecurity.