The increasing obstacles around digital regulatory compliance are a challenge for organizations and regulators alike.
This is particularly the case in the area of cybersecurity law. A variety of regulations — both jurisdictional and sectoral — impose differing compliance requirements on covered entities, while regulators must determine whether a potential violation falls under their authority.
With an eye toward U.S. cyber regulatory harmonization, agencies including the White House Office of the National Cyber Director (ONCD) are working toward a balance that satisfies the goals of both covered entities and regulators. During a recent R Street Institute webinar, U.S. Sen. Gary Peters, D-Mich., outlined his proposed Streamlining Federal Cybersecurity Regulation Act and how its proposed framework would achieve harmonization goals, with the ONCD playing a leading role.
The legislation aims to "establish an interagency harmonization committee within the ONCD," according to Peters. He added the proposal "would allow us to bring all regulators to the table and ensure that we produce real outcomes that can help coordinate cybersecurity approach across the federal government."
The regulator viewpoint
The ONCD's current cyber regulatory efforts have run through the Cybersecurity Forum for Independent and Executive Branch Regulators, the federal interagency working group that provides voluntary standards for organizations aiming to improve general digital compliance. ONCD Cyber Policy and Programs Director Elizabeth Irwin said a key part of Peters' proposed legislation is the involvement of the independent regulatory commissions, which could cover a large scope of the cyber landscape.
"If your goal is cross-sector harmonization then you need everyone at the table. That's our perspective," Irwin said, adding that the ONCD is hoping to alleviate some of the challenges both regulators and regulated entities face by finding "a minimum floor" to establish "what is good cybersecurity across all critical infrastructure sectors."
The White House recently published the National Cybersecurity Strategy Implementation Plan to protect critical infrastructure and national security. Irwin said the guidelines directly follow the ONCD's goal of improving regulatory harmonization through a broad approach.
The balancing act
One issue within the complex cyber landscape is the diminished focus on the founding principles of security, according to Columbia University Senior Research Scholar Jason Healey. The interplay between privacy and security is one area where this occurs, specifically when embedding security principles into privacy-by-design practices.
"We tend to look for controls or put things in place that are more expensive for us to implement than it is for the adversaries to bypass. So, I put regulatory harmonization … in that structure," Healey said. He claimed current regulatory efforts are often "compliant checklist, inefficient, and ineffective for companies."
To gain a deeper understanding of stakeholder perspectives on agencies' work on comprehensive regulations, the ONCD published a request for information (RFI) that garnered 86 responses and found organizations were struggling with compliance burdens. Respondents also expressed a desire for regulations to be sector-specific and determined by each sector's regulatory standards.
Identifying key concepts of cybersecurity to narrow down the needs of individual sectors is an approach backed by many organizations. U.S. Chamber of Commerce Cyber Policy and Operations Vice President Vincent Voci said the chamber is focusing on two workstreams for cyber incident reporting and baseline cybersecurity requirements, with the end goal being "a coherent non-fragmented harmonious regulatory framework."
Also in the RFI feedback, some stakeholders argued a minimum baseline would not fit the individual needs of each sector, while others indicated that standards carrying more basic regulatory compliance requirements might help lower compliance expenses.
Under the existing standards, organizations spend an estimated 1.3-3.3% of their total wage bill on compliance, according to research published by the CATO Institute. "I think one of the most common things that we hear from our members is ... 'help us comply once' like it is very expensive to do," Voci said.
Healey said harmonized and simplified standards could be a solution for organizations facing mounting costs. He said, "If we can have this good set of harmonized effective standards that they can do once and report simply then we're meeting what the government needs, and we can meet the public policy purpose for which we're doing this, which is to buy down cyber security risk that impacts the rest of us at a lower cost."
Lexie White is a staff writer for the IAPP.