As we’ve written approximately inside the past, the SAFETY Act has the capacity to help organizations mitigate their hazard from cyber-terrorism. As formerly referred to, the statute has never been completely tested in courts, so the total contours of its safety remain unsure. Nonetheless, the benefits of SAFETY Act approval can also enlarge nicely beyond the ones mandated with the aid of Congress: to the right agency, SAFETY Act approval may be a vast market differentiator and, inside the right circumstances, might be a powerful device in litigation even if the Act does now not itself observe.
This is the very last installment in a 3-component series. Be sure to examine element one, which describes how the SAFETY Act applies to cybersecurity; and element, which breaks down some of the primary concepts of SAFETY Act protection, consisting of potentially eligible technology and the blessings of SAFETY Act approval.
Reputational Considerations
Although the SAFETY Act was exceeded in 2002, its use continues to be in relative infancy, especially cybersecurity. As a result, groups have an opportunity to distinguish themselves as cybersecurity leaders by way of looking for and acquiring SAFETY Act approval. That approval can be a prestigious credential from the USA Department of Homeland Security (“DHS”), reflecting a employer’s management in cybersecurity high-quality practices. For organizations in industries with an extended risk of cyberterrorism – together with financial services, infrastructure, strength, sports activities, and enjoyment – SAFETY Act approval ought to act as a commercial enterprise differentiator to the public, clients, shareholders, and the market.
On the turn facet, as increasingly corporations undertake robust cybersecurity practices and are searching for overview and approval from the DHS, SAFETY Act approval can come to be a brand new gold standard in cybersecurity pleasant practices. Companies that forget about their cybersecurity rules run the threat of struggling reputational harm associated with peers achieving SAFETY Act designation simultaneously as they have got now not, similarly to exposing themselves to a cybersecurity event.
Litigation and Enforcement Considerations
As the MGM case regarding the October 2017 shooting at the Mandalay Bay Hotel highlights, litigation protection based totally on the SAFETY Act raises some unresolved troubles. However, even if a cybersecurity occasion is not declared an “act of terrorism” by way of the Secretary of Homeland Security, SAFETY Act designation may be a precious device in constructing a litigation defense and responding to government and media scrutiny.
By searching for and obtaining SAFETY Act approval, an organization and its management team establish a strong record that they took commercially affordable steps to mitigate cybersecurity risks. That record will talk volumes on the question of whether the enterprise exercised reasonable care, in addition to whether or not the corporation’s officers and directors glad their fiduciary obligations. And although the litigation management provisions of the SAFETY Act do not exist without delay practice, DHS’s seal of approval is powerful evidence to rebut claims of negligence – in addition to spinoff claims – in litigation, regulatory concerns, or maybe investigations inside the law enforcement context.
Business Considerations
Finally, SAFETY Act approval has the capability for added advantages as properly. SAFETY Act approval using DHS can also lessen insurance expenses and enhance the underwriting profile for a company because it establishes that the organization meets properly-respected objective benchmarks for cybersecurity.
And for agencies looking to reinforce or evaluate their cybersecurity systems, regulations, and practices, the SAFETY Act approval procedure is exexercisesect cyber-hygiene. It gives a sturdy incentive to study current practices and invest in enterprise-first-class practices. In pursuing DHS approval, an employer conducts a complete self-audit followed through an in-depth assessment with comments from DHS, which offers precious perception into the strengths and weaknesses of an enterprise’s cybersecurity application as the enterprise progresses through DHS’s rigorous evaluation procedure.
Conclusion
We will preserve to cover the MGM case, DHS regulations, and different traits involving the SAFETY Act, specifically because it regards cybersecurity, which is still a crucial component of company hazard control for organization managers and forums throughout an expansion of industries.