American companies are ignoring critical cyber-risks, so the White House is looking to persuade as many as possible to accept its Cybersecurity Framework, the biggest government cybersecurity effort in years, perhaps decades.
While some companies are signing up, many others are reluctant to adopt this risk management plan, worried over high costs and complexity. To persuade them, the White House, the National Institute of Standards and Technology, the Department of Homeland Security and other agencies have kicked around ideas – from regulation (not currently on the table) to public recognition, liability limitations or perhaps lower insurance rates for compliant companies. In launching the new framework, government cyber officials are repeating the protracted, painful process they have used since the 1990s: going company to company to meet the managers who seem closest to the problem – network administrators or chief information security officers. Less often, they have pursued CEOs, and very rarely, board directors.
There is a simpler way – the road to Omaha.
The government’s cybersecurity effort should recall that unseen risks in a company affect (and may alarm) shareholders most of all. Since the administration believes companies are ignoring critical risks, the White House should therefore convince these investors by starting with the most famous one of all, Warren Buffett.
If the Sage of Omaha, renowned for careful risk assessment, were to understand and declare the value of the new Cybersecurity Framework in securing companies from dangers they are now ignoring, every other investor, corporate board director and executive would take notice. Perhaps not even President Obama could command such attention on the issue.
From Omaha, White House officials should visit Sacramento for a chat with perhaps the original activist investor: CalPERS, the California public employees' pension system. With $250 billion invested in companies, CalPERS routinely uses its minority stakes to press for change in those companies it feels are taking risks that hurt their long-term value. Fifteen years ago, it was CalPERS that helped focus the minds of corporate America when it asked companies whether they were ready for the Y2K rollover. It can do the same now to pressure companies to use the framework and reduce their cyber-risks.
Other activist investors that could help sound the alarm include BlackRock, TCI and Carl Icahn. The government might recruit other nations' sovereign wealth funds that have U.S. holdings.
Not all risks, of course, are in shareholders' interest to fix. Especially for companies in the critical infrastructure sectors (say chemical plants), the risk from a truly disruptive cyber attack could be too expensive to fix (or seemingly too remote) for shareholders to take seriously. In such an event, a stronger approach, potentially involving regulation, might make sense, but only after a serious effort using existing governance mechanisms.
Shareholders have the most to lose if a company ignores any risk; convince them and they can convince the board. Institutional shareholders, like CalPERS, have stakes in dozens or hundreds of companies, so convincing them scales far more easily than going company by company. Better yet, it uses the existing governance mechanisms of capitalism, rather than inventing a potential new regime with the Department of Homeland Security or new regulation at its heart.
Give capitalism a chance to work. It is not yet time for extraordinary new regulations, just ordinary American innovation.