The U.K.’s Financial Services and Markets Act 2023 will require banks to reimburse victims of authorized push payment (APP) scams starting October 2024. In an APP scam the victim is tricked into authorizing a payment to criminals posing as a legitimate organization, such as their bank or the police; because the customer approved the transfer, the bank’s controls treat it as a genuine payment and the loss has historically fallen on the customer. In the first half of 2023 alone, such scams caused losses of about £293 million (about $372 million), with 77 percent of cases originating online.
Until now, banks have had no legal obligation to compensate victims of these schemes. Under the new Act, customers will be protected by consistent minimum standards, and the industry will have clear guidance to follow. The regulation is indicative of a wider trend: regulators are starting to place responsibility for customer losses on the companies whose online services those customers were using.
3 cybersecurity trends expected for 2024
According to Google, you can expect these issues to begin or continue this year.
- Scammers will use AI to enhance their game, but victims will also use AI to protect themselves.
- Trends in malware development will change, making it stealthier.
- Attackers will continue to target zero-day vulnerabilities, that is, to exploit flaws in a system before they are patched.
A Shift Toward User-Centric Cybersecurity
The cyber threat landscape has changed considerably in recent years, with attack surfaces broadening and attackers becoming more aggressive and resourceful. Artificial intelligence has brought many advantages, but also new and more sophisticated risks as threat actors harness it, making online scams such as digital impersonation easier to perpetrate and more convincing. With this in mind, it makes sense for the U.S. National Institute of Standards and Technology (NIST) to say that cybersecurity is everyone’s responsibility.
In the past, businesses have often avoided responsibility for customer security issues, particularly when users agree to terms and conditions that essentially indemnify the service provider against such liabilities. Regulatory bodies, however, are starting to hold businesses accountable for customers’ online security, while empowering consumers to be more proactive in securing their personal data and digital assets. This two-pronged approach to consumer protection reflects a user-centric view of cybersecurity that is spreading rapidly across the industry.
Manufacturers’ New Obligation to Protect Consumers
In March 2023, the Biden administration released its National Cybersecurity Strategy, which set out the goals and methods the U.S. government will pursue to address cyber threats. One of its key strategies is shaping market forces to “drive security and resilience.”
The U.S. government is seeking to involve those best placed to improve cybersecurity, in particular device manufacturers and the chief information officers of federal bodies. The aim is to promote practices that bolster the digital ecosystem’s protection and resilience, which is a good thing.
Instead of relying on third-party security products bolted on after the fact to address the threats surrounding digital devices, emerging regulations target those who can build protection in from the start: the manufacturers and developers of the products themselves.
The Internet of Things Cybersecurity Improvement Act of 2020, for one, bars federal agencies from procuring, renewing contracts for, or using IoT devices that the agency’s chief information officer determines do not comply with NIST’s standards and guidelines, with only limited waivers (for example, for national security or research purposes). While this does not outlaw products with security issues, it puts pressure on device manufacturers and software developers to make sure the products they release align with those standards if they want federal business.
Similarly, the Consolidated Appropriations Act of 2023 includes a provision that gives the U.S. FDA statutory authority to regulate medical device cybersecurity. Manufacturers of devices that contain software and can connect to the internet must now, among other things, submit a plan for monitoring and addressing post-market vulnerabilities, maintain processes for issuing security updates and patches, and provide a software bill of materials (SBOM) as part of their premarket submissions. The aim is to ensure that only safe and secure products reach the market, making manufacturers responsible for their products’ cybersecurity.
Regulations of this kind, increasingly common as they are, aim to give consumers and end users reasonable assurance of the security of the digital products available to them. They give greater weight to consumer welfare by imposing more responsibility on manufacturers and others in a position to provide protection.
How Voluntary Cybersecurity Measures Work
Although IoT devices, and medical devices in particular, need to be safe to use, prioritizing customer security is not limited to ensuring that consumers get and use safe products; it also entails consumer empowerment. People remain the weakest point in the cybersecurity armor, and anyone can become the vulnerability an attacker exploits.
In August 2023, the U.S. Federal Communications Commission (FCC) proposed a voluntary cybersecurity labeling program for IoT devices, the U.S. Cyber Trust Mark. Though there is no word yet on when it will take effect, the program would use labels to tell consumers which products have been assessed as meeting the relevant security criteria, so that they can purchase accordingly. The proposal aims to help consumers make better-informed decisions when buying IoT products, which are increasingly common in homes and workplaces.
Like the IoT Cybersecurity Improvement Act, this voluntary labeling measure does not guarantee that products that fall short on security will disappear from the market. It does, at least, attempt to give consumers useful information before they buy, much like the E.U.’s energy efficiency label. That labeling system proved successful in raising awareness: a European Commission report found that 79 percent of consumers considered the label when buying energy-efficient products.
Reconciling Compulsory and Voluntary Protection
The measures discussed thus far may seem disconnected from one another. The 2020 and 2023 U.S. Acts impose binding requirements (on federal procurement and on medical device manufacturers respectively), as does the U.K. legislation that obligates banks to compensate their customers. The FCC’s proposed labels, by contrast, would be voluntary on the part of device producers.
Nonetheless, these distinct approaches each reflect a more consumer-leaning attitude in cybersecurity and a readiness to make businesses play a greater role in their customers’ online safety.
Consider the threat of website impersonation. Traditionally, the burden of vigilance has been placed on customers through scam-awareness campaigns, but such approaches quickly reach their limits. Notably, no law stops cybercriminals from cloning a website for a phishing attack in the first place: a clone generally attracts legal consequences only once it is used for criminal ends, or when the owner of the original site pursues a takedown, for example through a DMCA notice to the clone’s hosting provider. Website operators are not obliged to watch for such clones, nor to have them taken down.
Only in recent years has new regulation placed some of the responsibility for addressing website impersonation on the business being impersonated. The U.K.’s Financial Services and Markets Act, for example, covers customers who lose money through a digital impersonation of their bank’s site. Across the board, companies are being forced to play a bigger role in confronting the issue.
Penalty-based regulation certainly helps, but it is not enough. Businesses would also do well to take inspiration from the FCC’s voluntary labeling proposal, which aims to inform and educate consumers so that they can help fend off threats themselves. The compulsory and voluntary aspects work together here to create a cybersecurity situation that, while far from perfect, is sensible and realistic in today’s landscape.
The Goldilocks Zone of Cybersecurity
The increased priority given to consumer protection in recent cybersecurity measures is not just about compelling device manufacturers and enterprises to secure their customers properly against threats. It also involves enabling and educating consumers, especially so that they can detect dangers for themselves and respond accordingly.
This combination of compulsory and voluntary protection is what will best arm users with the knowledge to detect threats to their online safety themselves, while also safeguarding them from the threats they don’t see. I look forward to seeing more such measures, ones that both protect and empower the consumer, in the near future.