SEC Commissioner Luis A. Aguilar emphasized in a public comment that “cybercrime represents a very real, and very serious threat” to small and midsize businesses (“SMBs”) and recommended potential solutions to fight cybercriminals despite SMBs’ typically limited resources.
Commissioner Aguilar explained that SMBs constitute easier targets than larger organizations due to a lack of: (i) sufficient in-house expertise to deal with cyberattacks; (ii) written policies in place to respond to a data breach; (iii) financial resources; and (iv) “taking cybersecurity as seriously as they should.”
Commissioner Aguilar suggested that consideration be given to the following means of assisting SMBs with respect to cybersecurity:
- government-provided educational programs addressing cybersecurity, such as the development of the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity;
- identifying ways of fostering economies of scale for cybersecurity solutions, such as: (i) tax credits for vendors to reward cost-effective cybersecurity solutions tailored to the unique needs of SMBs; (ii) a cyber-insurance market with the government acting as a reinsurer “during its adolescence”; or (iii) establishing a program, “akin to the National Flood Insurance Program, to help buttress the private market in the event of catastrophic, wide-spread attacks”;
- government assistance to provide additional resources to mount a legitimate cyber defense; and
- government support to law enforcement agencies to target the “100 top-tier authors of malware.”
Commissioner Aguilar concluded that “A vibrant and dynamic partnership between the public and private sectors could do much to level the playing field” for SMBs.
Commissioner Aguilar’s remarks were originally published in the autumn 2015 edition of the Cyber Security Review.
Lofchie Comment: Commissioner Aguilar’s proposals to help SMBs can be roughly divided into two types: (i) those programs in which the government itself is to conduct an activity and (ii) those programs where the government is to award or compensate others. In the first category, we would put (a) providing educational programs and (b) going after bad guys. In the second category, we would put (a) providing tax credits for cyber programs developed to assist SMBs and (b) providing insurance akin to flood insurance.
The first set of these seems a much better use of the government’s resources; certainly, no one other than the government can go after bad guys. The second set seems well-intentioned, but is not that easy to implement. How is the government really to practically determine which cyber programs are best suited for small businesses? As to the notion of a national insurance program, it is not hard to imagine it being impossible to administer and becoming a financial disaster if payouts are required.
To put all this differently, the questions raised by Commissioner Aguilar’s proposals are not actually about policy goals: we would all hopefully agree that cybercrime is a bad thing, and that assistance to SMBs in avoiding becoming victims of cybercrime is a good thing. So the questions that are raised are (a) what can government reasonably achieve here (can it really determine which cybersecurity programs are truly deserving of tax breaks?) and (b) how should the government spend its money accordingly (relating to cyber-insurance)?