Self-interest, not regulation, will drive cybersecurity


14 March 2016
ACCA report on cybersecurity

Self-interest rather than regulation is the future of cybersecurity, because technology is evolving at such a rate that any legislation would be out of date before it is signed into law.

The Association of Chartered Certified Accountants (ACCA) shared this perspective on cybersecurity in its report entitled “Constant Forward Motion: The evolving phenomenon of cybersecurity regulation and the race to keep up”. In it, ACCA examined the growing cybersecurity threat to businesses and the problems lawmakers have because of the pace of technological evolution.

Jason Piper, ACCA head of Business Law, noted that data is being used in all sorts of ways, for example to predict purchasing and money transfer patterns, and that criminals can use this information to commit fraud.

For businesses, the basic rule of thumb is that “if there is value in the data to a criminal then there is value in protecting it”. And for the authorities, the big question is, “How do you regulate? Is it better to prescribe hard law or soft law?”

According to Piper, both have advantages and disadvantages, but ultimately the problem lawmakers face is that anything they pass into law is likely to become archaic very quickly, leaving them to spend the whole time “running to catch up”.

“The answer,” said ACCA, “is an appeal to the enlightened self-interest of business to protect itself, combined with a recognition from all involved that existing principles of consumer protection and business regulation can and should be adapted to respond to the new threat.”

It pointed out that businesses have a self-interest in protecting information because it is valuable and confers a commercial advantage. They also have a public duty to protect information over which they have custody, which has value to customers and other third-party owners. “If associates or customers rely upon data that the business holds, or the consequences of that data, a failure to secure the data properly can open up extensive liabilities for consequential loss and damage.”

However, the focus on business self-interest does not absolve authorities from any responsibility to act. Governments and other authorities have a role to play in disseminating best practice and guidance, and the most effective use of public funds is in raising businesses' knowledge of the best options for defence and preparedness. “Broad guidance aimed at ensuring outcomes, rather than prescriptive regulation governing underlying actions, will offer the required flexibility,” said ACCA.

Another useful area where governments can focus their energies is in the development of certification and assurance regimes for business, so that stakeholders can be confident that those businesses with which they interact are adequately protected. While it may appear difficult to strike a balance between “the specificity of regulation and broad application”, especially when it comes to supranational guidance, ACCA noted instances where a domestic lead taken by a key nation in the context of international trade has had a broader “trickle down” effect. It cited the example of the UK Bribery Act 2010 and US financial crime legislation.

As ACCA concluded, “A combination of credible assurance and authorisation regimes and the enlightened self-interest of well-educated businesses will offer a more responsive and adaptable model for consumer and business confidence in cybersecurity than would any attempt to create prescriptive legislative standards.”