• Cybersecurity regulations have become complicated, costly and difficult to secure due to the web of national and regional regulations that have developed in recent years.
  • There are three areas where global harmonisation of cybersecurity regulations could make us safer: data protection, innovation and interoperability, and cost.
  • The US and EU have shown different jurisdictions can co-operate to reduce compliance cost and complexity for companies and consumers. This should be replicated on a global level.

Cyberattacks pose a growing threat to the integrity of sectors that are critical to our economic and social well-being. Cybersecurity threats have increased by over 358% in recent years, outpacing societies’ ability to effectively prevent or respond to them. There is an urgent need for cooperation between government and business leaders to align global cyber regulations that safeguard data and privacy.

However, global cybersecurity and privacy regulations – while well-intentioned and seeking to contribute positively to the daily onslaught of emerging cyber threats – give limited consideration to harmonisation between countries. The result, unfortunately, is discordant and confusing, like each section of an orchestra playing in a different key.

This creates complex and costly processes for compliance obligations across industries and makes it difficult for new innovators to become cybersecure. And if this is confusing for companies, how can consumers be sure they can trust new digital services?

What does the problem look like in practice?

Under current cybersecurity regulations, companies must juggle a variety of competing laws across jurisdictions regarding required retention periods for data, for example. There are also conflicting definitions of what constitutes a cybersecurity incident and what should trigger a notification to regulators and consumers.

In today’s ultra-transparent world, notification of an incident in one country is easily picked up and seen by those in other countries – potentially causing confusion and eroding trust. Additionally, increasing prescriptiveness among cybersecurity regulations and laws that don’t align has contributed to the development of disparate solutions across the industry. This impacts interoperability and impedes open systems and innovation.

Western Union, like many global companies, does business in over 200 countries and territories, so its regulatory landscape is vast. Significant time and effort are spent ensuring the company not only aligns with best practice frameworks such as NIST and ISO, but also incorporates the requirements from applicable laws and regulations. Through the alignment of common standards and practices, companies create an internal consensus on their level of cyber risk and resilience.

Digital ecosystems are only as strong as their weakest member, however, so what about external consensus? There are three areas where global harmonisation of cybersecurity regulations could make us safer and enhance our access to innovative products and services:

1) Developing consistent and enhanced data protection

  • Global standards ensure a common understanding of requirements rather than jurisdictional interpretations of law.
  • Consistent application of data protection methods and procedures reduces risk and builds trust across borders and supply chains.
  • Data duplication can be minimised by having fewer national data residency laws – less data proliferation means lower risk of data compromise.

2) Increasing innovation and interoperability

  • Global inclusion is fostered when technical hurdles are lowered, allowing more interoperability.
  • Inclusion feeds innovation by engaging the great minds and entrepreneurs around the world to participate in the global technological ecosystem.
  • Interoperable architectures enable and facilitate privacy and security by design.

3) Reducing cost

  • Alignment with global standards will reduce the complexity of implementing security and privacy controls.
  • Compliance exams could be streamlined through standard artifacts that meet the needs of all interested parties.
  • The need for costly data residency requirements driven by security or privacy will be lessened.

Harmonisation of cybersecurity regulations in action

Work is already underway to harmonise cybersecurity regulation. In the EU, for example, the Digital Operational Resilience Act (DORA) seeks to bring order and consistency to regulations across EU countries in disciplines such as risk management, cybersecurity, incident reporting and third-party oversight. While the focus of DORA is operational resilience, this harmonisation of law, expected to be published at the end of 2022, will bring about many of the benefits of interoperability, innovation and financial inclusion, while also increasing consumer protection.

And in the US financial services industry, the member states of the Conference of State Bank Supervisors (CSBS) launched One Company, One Exam in 2021. This allows for one examination of a company in which multiple regulators can participate or access the results. Since a single exam often requires gathering hundreds of pieces of evidence, this efficiency is music to a company’s ears. The collaboration by regulators from multiple states also fosters learning opportunities for examiners about what other states are legislating, as well as subject matter expertise on cybersecurity and privacy.

What is the World Economic Forum doing on cybersecurity?

The World Economic Forum’s Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. The centre is an independent and impartial platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors.

Since its launch, the centre has driven impact throughout the cybersecurity ecosystem:

Contact us for more information on how to get involved.

Some early steps in the right direction

To address the lack of harmonisation, the non-profit Cyber Risk Institute’s Financial Services Cybersecurity Profile – which is built on the 2020 recommendations of the World Economic Forum’s Fintech Cybersecurity Consortium – has consolidated over 2,300 regulations from global financial services hubs into less than 280 diagnostic statements. This has helped incentivise cybersecurity best practice by giving large financial institutions one framework to rely on and creating economic opportunities for new innovators.

Beyond the financial services sector, more than 400 public and private sector leaders from the Forum’s Council on the Connected World are working to identify key governance gaps across the Internet of Things (IoT) ecosystem and develop a holistic policy response.

The world is witnessing record levels of cyberattacks and this is in part due to the lack of a global consensus to address systemic cybersecurity challenges and improve digital trust. There is clearly a will to harmonise regulations across competing interests, nationally and regionally. The next step – the global harmonisation of cybersecurity and privacy regulations – would benefit everyone by lowering risk, reducing costs and furthering innovation.