BreachExchange mailing list archives

Time for Congress to act on cyber security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 30 Mar 2015 19:17:27 -0600

http://www.businessinsurance.com/article/20150329/NEWS06/303299997/time-for-congress-to-act-on-cyber-security

Repeated cyber security breaches finally have focused congressional
attention on how best to deal with this exploding exposure. As we report on
page 1, a Senate panel recently held the first-ever hearing on cyber
insurance. It was an event void of partisan fireworks. Lawmakers are
seriously considering private insurance as a market-driven way to encourage
companies to take steps to mitigate their risk.

We certainly welcome the congressional focus on the issue, and the fact
that legislators are looking to the market for some solutions. Now it's
time to transform that focus into action.

We think there are two things Congress should move on quickly that would
help companies better manage their cyber security risks and by doing so,
could encourage the expansion of the cyber insurance marketplace.

The first is simple. Right now, there are about 50 different state and
other governmental requirements for reporting cyber security breaches. The
sheer number both slows down reporting and adds to costs. This situation
begs for a single federal reporting standard. After all, cyber criminals
don't respect international borders, let alone state lines. Adopting a
single standard is nothing less than common sense.

The second action is more complicated, but nonetheless doable. Congress
needs to agree on a system whereby private entities can share cyber breach
information with each other and the federal government without fear of
being subject to unwarranted liability. Crafting such a system also must
take into account legitimate privacy concerns. Nobody wants personally
identifiable information or trade secrets to be disclosed.

Fortunately, several bills designed to accomplish those goals already have
been introduced in Congress. While no bill will satisfy everyone entirely,
getting something reasonable on the books should allay both privacy
concerns and corporate fears of expanded liability.

There appears to be growing bipartisan support for tackling the issues
surrounding cyber security. The time to act is long overdue. There's no
reason to put off action until the next major cyber security breach. Such a
breach is inevitable, but having a framework in place to allow quicker
reporting of the incident and easier sharing of information about it only
can make the risk more manageable.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
