| Topic | ISA Policy Positions | House Republican Cybersecurity Task Force Recommendations |
|---|---|---|
| Menu of Market Incentives | Develop a menu of incentives tied to voluntary adoption of proven-successful standards | "Congress should adopt a menu of voluntary incentives to encourage private companies to improve cybersecurity" |
| Incentives Menu | Liability Protection (Standards) – The Federal Government could create limited liability protections for … those certified against recognized industry best practices; Streamlined Regulation – "frameworks that address information security, such as [SOX, HIPAA, GLB,] etc., along with state regimes, could be analyzed to create a unified compliance mode for similar actions and to eliminate any wasteful overlaps…"; Promotion of Cyber Insurance; Taxes & Grants – Develop or tie tax incentives for those adopting standards that have been proved effective; grants for those developing best practices and technologies | Liability Protection (Standards) – "[R]egulated entities would be granted limited liability protection in the instance of a breach if they meet or exceed mandated standards."; Streamlined Regulation – If a company was found compliant with the new standard, it would satisfy the information security/privacy protections of SOX, HIPAA, GLB, etc.; Promotion of Cyber Insurance; Taxes & Grants – Congress should consider expanding or extending existing tax credits…to apply to cyber investments and tie grants to practice adoption |
| The Public-Private Partnership | Codify the structures and prescriptions enumerated in the NIPP, HSPD-7, and other documents | "Industries with identified critical infrastructures should have full and complete participation in the development of cybersecurity standards and best practices." |
| Analysis (Gap Analysis) of Current Standards/Regs | Gap Analysis and Cost-Effectiveness Analysis in collaboration with NIPP structures | Gap Analysis and Cost-Effectiveness Analysis in collaboration with agencies and the private sector |
| Prerequisite for New Regulation | Follow EO 13563 – Incentives first, coupled with Cost-Benefit Analysis | Only when warranted; must be targeted and undergo Cost-Benefit Analysis |
| Regulation CANNOT Keep Up | "…there is virtually unanimous agreement that any regulations specific enough to assure improved cyber security would become outdated soon after their enactment." | "Threats and practices change so quickly that government-imposed standards cannot keep up." |
| Critical Infrastructure Designation | Private Sector Collaboration; Least Inclusive – Clear Definition Required; Risk-Based – Result in Catastrophe | Private Sector Collaboration; Least Inclusive – Should only apply to critical functions, not entities; Risk-Based – Result in Catastrophe |
| Information Sharing | Voluntary business-to-business and business-to-government; Safe Harbors/Liability Protections for sharing information; FOIA Exemption and Protection from Regulatory Use; Anti-Trust Exemption | Voluntary – B2B, B2G; Safe Harbors/Liability Protections for sharing information; FOIA Exemption and Protection from Regulatory Use; Anti-Trust Exemption |