Why global harmonisation of cybersecurity would be music to everyone's ears
Global harmonisation of cybersecurity regulations could reduce compliance cost and complexity for companies and consumers. Image: Unsplash / @samthewam24
- Cybersecurity regulations have become complicated, costly and difficult to secure due to the web of national and regional regulations that have developed in recent years.
- There are three areas where global harmonisation of cybersecurity regulations could make us safer: data protection, innovation and interoperability, and cost.
- The US and EU have shown different jurisdictions can co-operate to reduce compliance cost and complexity for companies and consumers. This should be replicated on a global level.
Cyberattacks pose a growing threat to the integrity of sectors that are critical to our economic and social well-being. Cybersecurity threats have increased by over 358% in recent years, outpacing societies’ ability to effectively prevent or respond to them. There is an urgent need for cooperation between government and business leaders to align global cyber regulations that safeguard data and privacy.
However, global cybersecurity and privacy regulations – while well-intentioned and seeking to contribute positively to the daily onslaught of emerging cyber threats – give limited consideration to harmonisation between countries. The result, unfortunately, is discordant and confusing, like each section of an orchestra playing in a different key.
This creates complex and costly processes for compliance obligations across industries and makes it difficult for new innovators to become cybersecure. And if this is confusing for companies, how can consumers be sure they can trust new digital services?
What does the problem look like in practice?
Under current cybersecurity regulations, companies must juggle a variety of competing laws across jurisdictions regarding required retention periods for data, for example. There are also conflicting definitions of what constitutes a cybersecurity incident and what should trigger a notification to regulators and consumers.
In today’s ultra-transparent world, notification of an incident in one country is easily picked up and seen by those in other countries – potentially causing confusion and eroding trust. Additionally, increasing prescriptiveness among cybersecurity regulations and laws that don’t align has contributed to the development of disparate solutions across the industry. This impacts interoperability and impedes open systems and innovation.
Western Union, like many global companies, does business in over 200 countries and territories, so its regulatory landscape is vast. Significant time and effort are spent ensuring the company not only aligns with best practice frameworks such as NIST and ISO, but also incorporates the requirements from applicable laws and regulations. Through the alignment of common standards and practices, companies create an internal consensus on their level of cyber risk and resilience.
Digital ecosystems are only as strong as their weakest member, however, so what about external consensus? There are three areas where global harmonisation of cybersecurity regulations could make us safer and enhance our access to innovative products and services:
1) Developing consistent and enhanced data protection
- Global standards ensure a common understanding of requirements rather than jurisdictional interpretations of law.
- Consistent application of data protection methods and procedures reduces risk and builds trust across borders and supply chains.
- Data duplication can be minimised by having fewer national data residency laws – less data proliferation means lower risk of data compromise.
2) Increasing innovation and interoperability
- Global inclusion is fostered when technical hurdles are lowered, allowing more interoperability.
- Inclusion feeds innovation by engaging the great minds and entrepreneurs around the world to participate in the global technological ecosystem.
- Interoperable architectures enable and facilitate privacy and security by design.
3) Reducing cost
- Alignment with global standards will reduce the complexity of implementing security and privacy controls.
- Compliance exams could be streamlined through standard artifacts that meet the needs of all interested parties.
- The need for costly data residency requirements driven by security or privacy will be lessened.
Harmonisation of cybersecurity regulations in action
Work is already underway to harmonise cybersecurity regulation. In the EU, for example, the Digital Operational Resilience Act (DORA) seeks to bring order and consistency to regulations across EU countries in disciplines such as risk management, cybersecurity, incident reporting and third-party oversight. While the focus of DORA is operational resilience, this harmonisation of law, expected to be published at the end of 2022, will bring about many of the benefits of interoperability, innovation and financial inclusion, while also increasing consumer protection.
And in the US financial services industry, the member states of the Conference of State Bank Supervisors (CSBS) launched One Company, One Exam in 2021. This allows for one examination of a company in which multiple regulators can participate or access the results. Since a single exam often requires gathering hundreds of pieces of evidence, this efficiency is music to a company’s ears. The collaboration by regulators from multiple states also fosters learning opportunities for examiners about what other states are legislating, as well as subject matter expertise on cybersecurity and privacy.
How is the Forum tackling global cybersecurity challenges?
Some early steps in the right direction
To address the lack of harmonisation, the non-profit Cyber Risk Institute’s Financial Services Cybersecurity Profile – which is built on the 2020 recommendations of the World Economic Forum’s Fintech Cybersecurity Consortium – has consolidated over 2,300 regulations from global financial services hubs into less than 280 diagnostic statements. This has helped incentivise cybersecurity best practice by giving large financial institutions one framework to rely on and creating economic opportunities for new innovators.
Beyond the financial services sector, more than 400 public and private sector leaders from the Forum’s Council on the Connected World are working to identify key governance gaps across the Internet of Things (IoT) ecosystem and develop a holistic policy response.
The world is witnessing record levels of cyberattacks and this is in part due to the lack of a global consensus to address systemic cybersecurity challenges and improve digital trust. There is clearly a will to harmonise regulations across competing interests, nationally and regionally. The next step – the global harmonisation of cybersecurity and privacy regulations – would benefit everyone by lowering risk, reducing costs and furthering innovation.
Don't miss any update on this topic
Create a free account and access your personalized content collection with our latest publications and analyses.
License and Republishing
World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.
The views expressed in this article are those of the author alone and not the World Economic Forum.
Stay up to date:
Digital Communications
Related topics:
The Agenda Weekly
A weekly update of the most important issues driving the global agenda
You can unsubscribe at any time using the link in our emails. For more details, review our privacy policy.
More on CybersecuritySee all
Rob Rashotte
October 30, 2024