Carrot or Stick? States Try Incentives to Increase Cybersecurity

Several states are offering legal safe harbors to businesses that follow industry-recommended cybersecurity frameworks, in a carrot-not-stick approach intended to encourage better defenses.

Societies are only as cyber-secure as their weakest links, prompting state governments to ensure, and even incentivize, that organizations of all stripes are well defended. As they work to push businesses into better cyber practices, some states have been re-examining the tools available and embracing an approach focused on incentives, not regulation.

A panel at the upcoming RSA Conference will dive into several states’ efforts to entice businesses to implement certain cybersecurity strategies in exchange for some protection should they be sued over data breaches.

“It’s a promising model,” said Center for Internet Security (CIS) Senior Vice President and Chief Evangelist Tony Sager, who will participate in the panel. “This provides some lessons, both for other states, but also what could be done at the federal level.”
