Hearing Wrap Up: Duplicative and Inconsistent Regulations Are Harming Industry Cybersecurity Capabilities; Harmonization is Needed - United States House Committee on Oversight and Accountability

WASHINGTON—The Subcommittee on Cybersecurity, Information Technology, and Government Innovation held a hearing titled, “Enhancing Cybersecurity by Eliminating Inconsistent Regulations.” Members discussed how companies operating in critical areas like energy, financial services, transportation and the defense industrial base are subject to conflicting or inconsistent federal regulations, forcing them to divert resources away from the prevention of cyberattacks and toward ineffective compliance measures. Members emphasized that cybersecurity regulatory harmonization is needed to redress the problem.

Key Takeaways:

The lack of harmonization and reciprocity across federal cybersecurity regulations has led to increased compliance costs and administrative burden for industry.

John Miller—Senior Vice President of Policy and General Counsel at the Information Technology Industry Council—emphasized the lack of harmony in cybersecurity regulations and the industry consensus to fix this: “The deluge of cybersecurity incident notification regulations perfectly illustrates the scope of the over-regulation problem and serves as a reminder that, to date, while we have studied the issue for years, not much has been done to drive actionable solutions – to actually harmonize cybersecurity regulatory requirements…when we layer on the reality that most companies are also encountering conflicting or duplicative cybersecurity regulations at the state level and internationally, it reveals why the status quo is untenable for companies large and small alike.”

Companies have been forced to allocate time and resources towards compliance due to duplicative and inconsistent regulations, redirecting resources that could be used for enhancements to cybersecurity, such as IT upgrades.

Maggie O’Connell—Director of Security, Reliability, and Resilience at the Interstate Natural Gas Association of America—discussed how: “Federal agencies considering cybersecurity regulations should leverage these lessons learned and proactively discuss how their proposals may impact existing regulations in the safety, security, and operational space. The more the federal government can consistently develop and apply regulations, the more operators will be able to understand and implement those requirements, definitions, and objectives, which will allow them to focus more effectively on addressing cyber threats and mitigations.”
Patrick Warren—Vice President of Regulatory Technology at the Bank Policy Institute—shared an alarming statistic that “according to a recent survey of large financial institutions, several firms reported their cyber teams now spend more than 70 percent of their time on regulatory compliance activities.”

Member Highlights:

Subcommittee Cybersecurity, Information Technology, and Government Innovation Chairwoman Nancy Mace (R-S.C.) asked what the outcome would be if duplicative and inconsistent regulations were reigned in.

Chairwoman Mace: “Would you be able to invest more in cybersecurity enhancements like IT upgrades if the compliance burden of inconsistent, duplicative regulations was reduced? Would you have the resources to be able to invest more than what you are today?”

Mr. Miller: “I mean based on everything that we’ve heard from our companies, they would definitely have more resources to invest in cybersecurity and producing better cybersecurity outcomes if they did not have to spend as many resources on complying with duplicative or inconsistent regulatory regimes.”

Rep. Eric Burlison (R-Mo.) inquired what the experience has been in dealing with unharmonized regulations and the ramifications that overlapping requirements can cause.

Rep. Burlison: “What specifically is affecting your industry that we might be a to address? Are they laws? Rules? What are they?”

Mr. Warren: “Incident reporting is a challenge for our sector as well but another place where overlapping and duplication occurs is in the supervisory environment where one financial regulator will examine a firm on a given topic, say identity and access management, and shortly after that examine concludes, another regulator will come in and examine the exact or similar topic that pulls on the same cyber personnel and is sort of a consistent examination obligation for them rather than their day to day security responsibilities.”