Cybersecurity Investments Are No Longer Optional


This article was licensed through Dow Jones Direct. The article was originally published on The Wall Street Journal.

A mix of regulation, investor demands and insurance requirements is pushing companies to elevate the oversight of cybersecurity, officials from the U.S. and other countries say.

While some companies in specific critical infrastructure sectors, such as energy and banking, must already comply with certain cybersecurity requirements, greater investment in digital defenses is needed across the board, said Brandon Wales, executive director at the Cybersecurity and Infrastructure Security Agency.

“There are companies that already have to address this level of cybersecurity and demonstrate this level of cybersecurity investment. But I think, over time, this should become standard for every publicly traded company,” Mr. Wales said, speaking Tuesday at the WSJ CIO Network Summit.

A string of attacks on companies of all sizes and across all sectors in recent years has prompted governments to increase pressure on the private sector to increase its resilience to cyber threats. Ransomware, in which hackers demand payment to unlock data and systems, is a national security threat, officials have said, for its potential to disrupt infrastructure and supply chains.

Since the beginning of the year, CISA has promoted a “Shields Up” campaign designed to raise cybersecurity awareness in the face of what it says are mounting threats from Russia’s war in Ukraine. This includes ensuring basic protections such as multifactor authentication are in place to thwart opportunistic attacks that don’t require much sophistication.

Cyber officials are signaling a growing impatience with companies that fail to use adequate defenses and are later hacked. In ransomware attacks, in particular, said Lindy Cameron, chief executive of the U.K. National Cyber Security Centre, some companies are all too ready to pay to restore their data, which in turn feeds the issue.

“Too often I think it’s a cop-out, frankly—too often an organization wasn’t prepared, or actually, there’s not a good-faith effort to recover,” Ms. Cameron said at a cybersecurity conference in Washington, D.C., this month.

In the public sector, governments are being forced to ensure that their defenses are up to scratch. Both Florida and North Carolina this year forbade their respective government agencies from making ransomware payments.

Insurers increasingly require would-be buyers of cyber coverage to prove they are as protected as they can be against hackers. Organizations with weaker cybersecurity capabilities face increased premiums and restricted coverage.

Customers and shareholders are also adding to company nerves around cyber incidents, Mr. Wales said. Class-action lawsuits following data breaches are now commonplace and can prove expensive for companies that suffer hacks. In one of the highest profile incidents, a 2017 attack at credit-ratings company Equifax Inc. resulted in a $700 million settlement with state attorneys general and various federal agencies, with $425 million set aside to compensate consumers.

“Over time, that pressure will grow,” he said.

Arne Schönbohm, president of Germany’s Federal Office for Information Security, known as BSI, said his agency is pursuing a more direct approach to ensuring critical infrastructure operators are fulfilling cybersecurity requirements. That is, auditing and testing companies.

“I’m not in the business of believing. I’m in the business of knowing, so therefore we want to call and test independently because we don’t trust that alone,” he said at the Washington conference.

The corporate board is a strong check on a company’s cybersecurity strategy, CISA’s Mr. Wales said, a philosophy behind draft rules from the U.S. Securities and Exchange Commission for disclosing cyber risk.

Those rules include expectations that the board will have a degree of oversight of cybersecurity, and provisions requiring companies to disclose which directors, if any, have cyber expertise.

“It starts with the boards and with the C-suite to push this, and make it part of the culture in the same way that other risks are now fully addressed,” Mr. Wales said.


James Rundle

The Wall Street Journal