A letter from the CISOs of 45 powerful global companies could provide crucial backing for world governments looking to pare back overlapping cybersecurity regulations and the compliance burden they impose on businesses.
The CISO letter, sent to members of the Group of Seven nations and the Organization for Economic Cooperation and Development, urges governments to use those high-level forums to “focus on greater alignment of cybersecurity regulations.”
The signatories — including tech giants, large banks, major hospital chains and influential health-care firms — want to see consistent implementation of existing rules, more collaboration on future rules, faster threat intelligence-sharing and more corporate engagement.
The broad list of the letter’s signatories reflects widespread frustration across industries about the international morass of conflicting and redundant cyber rules, as well as the private sector’s belief that the moment for harmonization has finally arrived.
“It is helpful that these CISOs in different industries are highlighting the universal problems they are seeing with compliance burden,” Ari Schwartz, managing director of cybersecurity services at Venable, told Cybersecurity Dive. “When companies have to do multiple assessments and audits to show alignment with the same controls, it is a waste of resources that could be going to actual security.”
The Biden administration launched an effort to tackle cyber regulatory harmonization through the Office of the National Cyber Director, and that effort is likely to continue under the Trump administration, which has vowed to cut regulations across the board. Lawmakers in the U.S. share the executive branch’s concerns about confusing and overlapping rules.
Other governments likely share the United States' concern that fragmented compliance obligations divert resources away from actual security work.
“I think there is sympathy with that point from most governments around the world,” Schwartz said.
CISOs from major companies
The letter’s signatories include major U.S. firms like Amazon Web Services, Honeywell, Marriott, Eli Lilly and Mastercard, but they also include foreign titans like Enbridge, Siemens, Swisscom and Danske Bank.
The companies urged governments to use the OECD as a forum for cooperation on regulatory harmonization, noting that current mechanisms for this cooperation “remain nascent.”
Ideally, they said, the OECD would “convene relevant stakeholders, including industry and other nongovernmental representatives, once or twice a year,” and develop an “action plan” to implement world leaders’ harmonization vows and provide them with “regular progress updates.”
The firms also suggested specific ways to harmonize rules, from reciprocity agreements to international standards to expanded authorizations for third-party audits.
“This letter adds some specificity on to what governments can do to maintain their sovereignty and address this issue,” Schwartz said, “which is the right approach to getting some action here.”
Confusion and wasted resources aren’t the only issues worrying the letter’s signatories. In its own blog post, Microsoft warned that regulatory divergence “also limits the ability of governments and private sector entities to share threat intelligence efficiently, weakening collective cyber resilience.”