A recently released World Economic Forum (WEF) report on cyber information sharing calls attention to how “The COVID‑19 pandemic has led to rapid digital transformation in many workforces and sectors, further increasing the dependency of our global economy on digital infrastructure.”
According to WEF: “Trusted, secure and scalable cyber information sharing needs to be a foundational platform on which all participants of the digital ecosystem can rely.”
WEF is right to call for more collective action on information sharing, both across the private sector and between the private and public sectors. It also points correctly to two key challenges:
- Lack of clear incentives: Without tangible short-term incentives in place, organizations are not likely to prioritize cybersecurity information sharing.
- Insufficient and fragmented public policy: GDPR has been a step forward, but it alone is not enough, and the US has not yet followed in the footsteps of the EU.
There should be market-based incentives to be ‘good’ at cyber and to also disclose cyber performance against standard reporting metrics like those that exist for all other major business risks. We are working on the incentives piece by demonstrating through the cyber governance indices that markets reward good performance and punish bad performance.
In the report, WEF rightly calls cyber “one of the most systemically important issues facing the world today”. Yet the transparency and disclosure around the risks are woefully inadequate.
Earlier this year, Paul Rosenzweig of the R Street Institute called in Lawfare for cyber metrics that are "transparent, auditable, practical, scalable and widely agreed upon." This is now possible. The US Cyber Solarium Commission has put forward recommendations for disclosure in the US, and the SEC has issued guidance that represents steps in the right direction. But follow-through and more decisive action are needed from policymakers and regulators alike.