Why global harmonisation of cybersecurity would be music to everyone's ears

Cyberattacks pose a growing threat to the integrity of sectors that are critical to our economic and social well-being. Cybersecurity threats have increased by over 358% in recent years, outpacing societies’ ability to effectively prevent or respond to them. There is an urgent need for cooperation between government and business leaders to align global cyber regulations that safeguard data and privacy.

However, global cybersecurity and privacy regulations – while well-intentioned and seeking to contribute positively to the daily onslaught of emerging cyber threats – give limited consideration to harmonisation between countries. The result, unfortunately, is discordant and confusing, like each section of an orchestra playing in a different key.

This creates complex and costly processes for compliance obligations across industries and makes it difficult for new innovators to become cybersecure. And if this is confusing for companies, how can consumers be sure they can trust new digital services?

Under current cybersecurity regulations, companies must juggle a variety of competing laws across jurisdictions regarding required retention periods for data, for example. There are also conflicting definitions of what constitutes a cybersecurity incident and what should trigger a notification to regulators and consumers.

In today’s ultra-transparent world, notification of an incident in one country is easily picked up and seen by those in other countries – potentially causing confusion and eroding trust. Additionally, increasing prescriptiveness among cybersecurity regulations and laws that don’t align has contributed to the development of disparate solutions across the industry. This impacts interoperability and impedes open systems and innovation.

Western Union, like many global companies, does business in over 200 countries and territories, so its regulatory landscape is vast. Significant time and effort are spent ensuring the company not only aligns with best practice frameworks such as NIST and ISO, but also incorporates the requirements from applicable laws and regulations. Through the alignment of common standards and practices, companies create an internal consensus on their level of cyber risk and resilience.

Digital ecosystems are only as strong as their weakest member, however, so what about external consensus? There are three areas where global harmonisation of cybersecurity regulations could make us safer and enhance our access to innovative products and services:

Work is already underway to harmonise cybersecurity regulation. In the EU, for example, the Digital Operational Resilience Act (DORA) seeks to bring order and consistency to regulations across EU countries in disciplines such as risk management, cybersecurity, incident reporting and third-party oversight. While the focus of DORA is operational resilience, this harmonisation of law, expected to be published at the end of 2022, will bring about many of the benefits of interoperability, innovation and financial inclusion, while also increasing consumer protection.

And in the US financial services industry, the member states of the Conference of State Bank Supervisors (CSBS) launched One Company, One Exam in 2021. This allows for one examination of a company in which multiple regulators can participate or access the results. Since a single exam often requires gathering hundreds of pieces of evidence, this efficiency is music to a company’s ears. The collaboration by regulators from multiple states also fosters learning opportunities for examiners about what other states are legislating, as well as subject matter expertise on cybersecurity and privacy.

To address the lack of harmonisation, the non-profit Cyber Risk Institute’s Financial Services Cybersecurity Profile – which is built on the 2020 recommendations of the World Economic Forum’s Fintech Cybersecurity Consortium – has consolidated over 2,300 regulations from global financial services hubs into less than 280 diagnostic statements. This has helped incentivise cybersecurity best practice by giving large financial institutions one framework to rely on and creating economic opportunities for new innovators.

Beyond the financial services sector, more than 400 public and private sector leaders from the Forum’s Council on the Connected World are working to identify key governance gaps across the Internet of Things (IoT) ecosystem and develop a holistic policy response.

The world is witnessing record levels of cyberattacks and this is in part due to the lack of a global consensus to address systemic cybersecurity challenges and improve digital trust. There is clearly a will to harmonise regulations across competing interests, nationally and regionally. The next step – the global harmonisation of cybersecurity and privacy regulations – would benefit everyone by lowering risk, reducing costs and furthering innovation.