Insurance, grants, publicity, research and cost recovery are some of the measures being considered by the United States administration to lure infrastructure companies into its cybersecurity framework fold, the White House said this week.
A cybersecurity executive order issued by US president Barack Obama in February this year calls for a baseline framework to reduce "cyber risk to critical infrastructure", to be developed by the country's National Institute of Standards (NIST).
Now, Michael Daniel, who is a special assistant to the president and the administration's current cybersecurity coordinator, said that feedback from government agencies such as the Departments of Homeland Security, Commerce and Treasury points to eight areas of recommended incentives to support the voluntary adoption of the government's framework.
Cybersecurity insurance is among the measures proposed, with the goal of building underwriting practices that promote adoption of cyber risk-reducing measures and risk-based pricing. This is to foster a competitive cyber insurance market, Daniel said.
Reduced tort and indemnity liability for infrastructure companies in the framework programme, along with a higher burden of proof or the creation of a federal legal privilege to preempt state disclosure requirements, are also being considered.
Regulatory relief and streamlining is also under consideration, to make compliance easier.
Federal grants will be developed as an incentive, and preferential treatment for participants in the voluntary programme that seek technical assistance is also on the table.
Daniel said that the agencies involved in the report recommend discussing rate recovery for price-regulated industries and utilities that invest to be compliant with the government's cybersecurity programme, to see if regulators can permit it.
Research into cybersecurity and public recognition of participants in the programme are other incentive measures considered, Daniel said.
At this stage, none of the above suggestions are official government policy; they are just an initial examination of how to incentivise critical infrastructure companies into adopting the cybersecurity framework, Daniel noted.