ISA Policy PositionsHouse Republican Cybersecurity Task Force Recommendations
Menu of Market IncentivesMenu of Market Incentives
Develop menu of Incentives tied to voluntary adoption of proven-successful standards“Congress should adopt a menu of voluntary incentives to encourage private companies to improve cybersecurity”
Incentives MenuIncentives Menu
Liability Protection (Standards) – The Federal Government could create limited liability protections for … those certified against recognized industry best practices.

Streamlined Regulation – “frameworks that address information security, such as [SOX, HIPAA, GLB,] etc., along with state regimes, could be analyzed to create a unified compliance mode for similar actions and to eliminate any wasteful overlaps…”

Promotion of Cyber Insurance

Taxes & Grants – Develop or tie tax incentives for those adopting standard that have been proved effective; Grants for those developing best practices and technologies

Liability Protection (Standards) – “[R]egulated entities would be granted limited liability protection in the instance of a breach if they meet or exceed mandated standards.”

Streamlined Regulation – If a company was found compliant with the new standard, would satisfy the information security/privacy protections of SOX, HIPAA, GLB etc.

Promotion of Cyber Insurance

Taxes & Grants – Congress should consider expanding or extending existing tax credits…to apply to cyber investments and tie grants to practice adoption

The Public-Private PartnershipThe Public-Private Partnership
Codify the structures and prescriptions enumerated in the NIPP, HSPD-7, and other docs“Industries with identified critical infrastructures should have full and complete participation in the development of cybersecurity standards and best practices.”
Analysis (Gap Analysis) of Current Standards/RegsAnalysis (Gap Analysis) of Current Standards/Regs
Gap Analysis and Cost-Effectiveness Analysis in collaboration with NIPP structuresGap Analysis and Cost-Effectiveness Analysis in collaboration with agencies and private sector
Prerequisite for New RegulationPrerequisite for New Regulation
Follow EO 13563 – Incentives first coupled with Cost-Benefit AnalysisOnly when warranted, must be targeted and undergo Cost-Benefit Analysis
Regulation CANNOT Keep UpRegulation CANNOT Keep Up
“…there is virtually unanimous agreement that any regulations specific enough to assure improved cyber security would become outdated soon after their enactment.”“Threats and practices change so quickly that government-imposed standards cannot keep up.”
Critical Infrastructure DesignationCritical Infrastructure Designation
Private Sector Collaboration

Least Inclusive, Clear Definition Required

Risk-Based, Result in Catastrophe

Private Sector Collaboration

Least Inclusive – Should only apply  to critical functions, not entities

Risk-based, Result in Catastrophe

Information SharingInformation Sharing
Voluntary business-to-business and business-to-government

Safe Harbors/Liability Protections for sharing information

FOIA Exemption and Protection from Regulatory Use

Anti-Trust Exemption

Voluntary – B2B, B2G

Safe Harbors/Liability Protections for sharing information

FOIA Exemption and Protection from Regulatory Use

Anti-Trust Exemption