Cisco Systems, Microsoft and four other global organizations today announced the creation of the Coalition to Reduce Cyber Risk (CR2), aimed at encouraging governments to be more open when creating cyber risk management standards, guidelines and regulations covering the private sector.
Other members are Mastercard, AT&T, American bank JP Morgan Chase and British bank HSBC.
One of its first acts is the release of a white paper called “Cybersecurity Policy for Resilient Economies: A Global, Cross-Sector Approach,” which urges governments to look to security industry best practices from around the world as well as to what other countries are doing.
“Governments can leverage, learn from and improve existing best practices and standards with demonstrated positive impacts rather than developing one-off and potentially fragmented untested and burdensome requirements. Moreover, public-private co-operation is critical to promoting alignment across government approaches to cyber security risk management to the greatest extent possible, recognizing that different cultural norms or government priorities will make absolute harmonization unlikely. However, aligning the approach and substance of cyber security risk management policies and ensuring compatibility provides tremendous value to all stakeholders.”
As organizations publicly report more cyber breaches, regulators are toughening their security requirements for the companies they oversee. For example, in February the U.S. Securities and Exchange Commission (SEC) set new standards for cyber security disclosure by publicly traded companies listed on American exchanges.
On its web page the CR2 notes that around the world governments are creating initiatives and strengthening requirements over the private sector to increase cybersecurity. “Despite often useful objectives, the number of and lack of cohesion across these efforts is generating a significant risk of conflicting or competing security requirements. Conflicting and competing requirements not only increase costs for companies, diverting security resources toward compliance, but also, and more importantly, could hinder the economic growth enabled by open markets and the security of essential cyber capabilities.”
If global regulations, including those related to cybersecurity risk management, fragment or conflict, “cross-border flows of resources will be disrupted, negatively impacting economic growth and potentially curtailing the progress that has been made.”
On the other hand, the site says, “some alignment of the foundational approaches to risk management” would help to advance security without creating undue compliance costs, and create continuity and predictability for global as well as local enterprises. In addition, it says, shared learning and exchange across governments and enterprises would bring many security benefits.
“In today’s global, interdependent economy, improving cybersecurity requires organizations to work not only within their enterprise but also with partners, customers, and governments,” Tom Burt, Microsoft’s corporate vice president for customer security and trust, said in a statement. “CR2 will bring these stakeholders together to advance security while also enabling the tremendous economic and societal benefits of digital transformation.”
Eric Wenger, Cisco’s director of cyber security and privacy policy, said the company looks forward to working with governments to advance standards-based, compatible frameworks for more effective cyber risk management.