New Cyber Regulations a Plus but Not a Complete Solution to the Risk

Evolving US cyber legislation and regulations are a positive step in addressing cyber risks but by themselves aren't likely to eliminate cyber attacks, which are expected to increase in size, volume, and sophistication around the world, according to Fitch Ratings.

Citing a recent presidential executive order on cyber security, bipartisan bills introduced in the US House of Representatives, and bills in numerous state legislatures addressing cyber security and privacy, Fitch said such steps are useful in establishing minimum standards.

But, the rating agency said, the impact of cyber regulations will vary by sector. Less-regulated sectors, including nonfinancial corporations, will be more affected by increased regulatory oversight than sectors such as banks and insurance, which are already highly regulated, Fitch said. "Over the longer term, we see more regulation related to cyber security as broadly beneficial, as this will require sectors that have lagged on cyber security to increase investments against this risk," Fitch said.

"While increased cyber-security regulations should be positive, the proliferation of uncoordinated or piecemeal cyber-security regulations and laws can actually make managing cyber risk both more difficult in terms of compliance, cost, and transparency," Fitch said. "Cyber risk is unique in that attackers operate globally, and therefore global coordination on cyber-security standards and enforcement are critical for long-term success to combat this growing risk."

The rating agency said it views legislation mandating layered controls and cyber basics such as network segmentation, multifactor authentication, encryption, identity and access management, and cyber-incident reporting as positive for bolstering cyber hygiene.

The increase in cyber attacks and their severity could become a credit issue, Fitch said, with the rating agency evaluating major incidents within the context of each issuer's credit profile.