On March 1, 2023, the White House issued its National Cybersecurity Strategy. It is a relatively quick read, as the contents are familiar and focus more on broad goals than concrete details. However, organizations should not let the Strategy’s familiarity lull them into complacency. One thing is becoming increasingly clear: our National Cybersecurity Strategy is in many respects becoming a National Cyber-Liability Strategy. Organizations be forewarned!
The U.S. government has made no secret of the fact that new cybersecurity regulations are on their way in just about every sector imaginable (including financial, transportation, communications, health, and more). The recent National Cybersecurity Strategy continues to embrace this approach while also emphasizing the need to “streamline” our regulations and “harmonize” them with the laws of other countries where feasible. Worthy, but not necessarily groundbreaking, goals.
More impactful, however, is the following cyber-liability language contained in Pillar Three of the Strategy (“Shape Market Forces to Drive Security and Resilience”):
We must hold the stewards of our data accountable for the protection of personal data . . . and reshape laws that govern liability for data losses and harm caused by cybersecurity errors, software vulnerabilities, and other risks created by software and digital technologies. . . . We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software . . . . Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers . . . .
This is important. It is analogous to a radar speed sign located 100 yards ahead of a hidden police car. The government is announcing loud and clear that organizations must improve their cybersecurity practices and live up to their duty of care now, or a price will be paid by those organizations later.
Fortunately, the National Cybersecurity Strategy also provides some clues for organizations hoping to improve their cybersecurity compliance and avoid negative government attention. For example, Pillar Two of the Strategy (“Disrupt and Dismantle Threat Actors”) prioritizes the need for swift information-sharing by private sector entities after a cyber incident. While this concept is not new, it is accompanied by the following uniquely specific snippet:
Private sector partners are encouraged to come together and organize their efforts through one or more nonprofit organizations that can serve as hubs for operational collaboration with the Federal Government. . . . Using virtual collaboration platforms, members of the cell would share information bidirectionally and work rapidly to disrupt adversaries. The Federal Government will rapidly overcome barriers to supporting and leveraging this collaboration model, such as security requirements and records management policy.
In my opinion, this section of the National Cybersecurity Strategy is perhaps its most impactful to the private sector. Not only is the government fully embracing the importance of a public-private partnership in fighting cyber-threats, but it also appears to be hinting that information-sharing will be a critical part of its cyber-liability analysis going forward. In other words, just as the government examines an organization’s compliance culture when deciding whether to prosecute or fine an entity for violating OFAC regulations and other laws, we predict the government will consider an entity’s participation in organized information-sharing efforts when deciding whether or how much to penalize a company for insufficient cybersecurity. Put another way, we forecast that post-incident information sharing is likely to become a measure of corporate compliance in the eyes of DOJ.
Another hopeful clue appears later in the document, in a brief paragraph entitled “Explore a Federal Cyber Insurance Backstop.” This section of the Strategy reports that the government is assessing the need for a Federal insurance response to “support the existing cyber insurance market.” Although it is not the first time this has been said and details remain scant, this language reveals that the government may provide some cyber-liability relief in the future for those organizations flattened by a cyber-incident.
We of course have much more to learn about the government’s future cybersecurity regulations and expectations. But for now, organizations would be wise not to ignore the blinking radar speed sign. It is time for entities in all sectors to conduct an honest and critical self-assessment of their cybersecurity tools and protocols, as well as their ability to quickly gather, understand, and report information in the event of a cyber-incident. Organizations should also consult with experts in an effort to understand what constitutes “reasonable precautions” and what would satisfy the “duty of care” in this arena. As the National Cyber-Liability Strategy makes clear, an organization’s best hope of minimizing cyber-liability is dutiful preparation.