The UK's Financial Services and Markets Act, passed recently and set to take effect in 2024, requires banks to reimburse victims of authorized push payment (APP) scams. These scams trick customers into sending funds to criminals posing as legitimate organizations, such as their bank or the police. In just the first half of 2023, such scams resulted in losses of £293 million ($373 million) for UK banks, with 77% of such cases originating from digital or online sources.
Until now, banks have had no legal obligation to compensate victims of these kinds of schemes. Thanks to the new act, however, customers will be protected by consistent minimum standards, and the industry will have clear guidance to follow. The regulation is indicative of a wider trend that is seeing regulators starting to place responsibility for customer losses on the companies whose online services they were using.
Customer Protection — Why Now?
The cyberthreat landscape has changed a lot in recent years, with attack surfaces broadening and attackers becoming more aggressive and resourceful. The advent of artificial intelligence has brought with it many advantages, but also new and more sophisticated risks as threat actors harness AI, making online scams such as digital impersonation easier to perpetrate and more convincing. With this in mind, it makes sense for the U.S.' National Institute of Standards and Technology (NIST) to say that cybersecurity is everyone's responsibility.
In the past, businesses have often avoided responsibility over customer security issues, particularly when users agree to terms and conditions that essentially indemnify the service provider from such liabilities. However, regulatory bodies are starting to hold businesses accountable for customers' online security, while empowering consumers to be more proactive when it comes to securing their personal data and digital assets. This dual-pronged approach to consumer protection reflects a user-centric view of cybersecurity that's spreading rapidly across the industry.
Time to Act: Manufacturing Consumer Security
In March 2023, the Biden administration released its National Cybersecurity Strategy 2023 document, which outlined the goals and methods pursued by the U.S. government to address cyberthreats. One of the key strategies mentioned is shaping market forces to "drive security and resilience."
"To build the secure and resilient future we want, we must shape market forces to place responsibility on those within our digital ecosystem that are best positioned to reduce risk," the document states. The U..S government is seeking to involve those most able to impact the cybersecurity landscape positively — device manufacturers and CIOs of federal bodies in particular. The aim here is to promote practices that bolster the digital ecosystem's protection and resilience — and that can't be a bad thing.
Instead of relying on third-party cybersecurity solutions to address the threats surrounding digital devices, emerging regulations target those that can provide cyber protection from the get-go.
The Internet of Things Cybersecurity Improvement Act of 2020, for one, empowers CIOs (of federal government organizations) to stop the procurement or renewal of contracts for internet of things (IoT) devices, if such devices fail to meet NIST standards. While this won't outlaw products with security issues, it does put obligating pressure on device manufacturers and software developers to make sure products they release align with security standards.
On the other hand, the Consolidated Appropriations Act of 2023 includes a provision that provides statutory authority to the U.S. FDA to regulate medical device cybersecurity. It seeks to ensure that only safe and secure products are made available on the market, forcing manufacturers to be responsible for their products' cybersecurity.
These kinds of regulations — increasingly common as they are — aim to ensure consumers and end users are reasonably assured of the security of digital products made available to them. Said regulations give increased weight to consumer welfare, imposing greater responsibility on manufacturers and others who can play a role in ensuring cyber protection.
End Users: Still the Weakest Link
Although IoT, and in particular medical devices, need to be safe to use, prioritizing customer security is not limited to ensuring that consumers get and use safe products, but also entails consumer empowerment. People remain the biggest chink in the cybersecurity armor, and anyone can become a point of vulnerability.
Back in August 2023, the Federal Communications Commission (FCC) proposed a cybersecurity labeling program for IoT devices. Although there is no word yet on when it will go into effect, the program comprises labels that tell consumers which products are deemed adequately secure as per the relevant regulation, so that they can purchase accordingly. The proposal aims to help consumers make better-informed decisions as they buy IoT products, which have risen in prominence in many areas.
Like the IoT Cybersecurity Improvement Act, this voluntary labeling measure does not guarantee that products that fall short in their security will no longer be available on the market. However, it at least attempts to provide consumers with useful information before they buy something, in a move similar to the EU's energy efficiency label. This labeling system proved very successful in awareness-raising: A report by the European Commission found that 79% of consumers considered the label when buying energy-efficient products.
Reconciling Compulsory and Voluntary Protection
The measures we have discussed thus far may seem disconnected from each other. The 2020 and 2023 U.S. government acts compel manufacturers to take specific actions to ensure security, like the UK's legislation that obligates banks to compensate their customers. However, the FCC proposal's labels would be voluntary, not obligatory, on the part of device producers.
Nonetheless, these distinct approaches both reflect a more consumer-leaning attitude in cybersecurity overall and a readiness to make businesses play a greater role in their customers' online safety.
Time to Stop Shifting the Burden of Responsibility
Consider the threat of website impersonation, for example. (Full disclosure: my company, Memcyco, provides a solution to protect companies and their customers from these kinds of attacks.) Traditionally, the burden of vigilance and security has been placed on customers through scam-awareness advocacy, though such approaches quickly reach their limits. Notably, there are no laws that make it impossible for cybercriminals to clone websites for their phishing attacks. These clones are generally not considered illegal until they are used for criminal ends or if the owner of the cloned website files a DMCA claim. Website operators are not obliged to actively watch out for these clones nor to have them taken down.
It is only in recent years that new regulation has placed some responsibility for addressing website impersonation with the business in question. The UK's Financial Services and Markets Act with which we began this article, for example, includes in its coverage those who lose money through a digital impersonation of the bank's site. Across the board, companies — in this case the bank in question — are being forced to play a bigger role in confronting the issue.
Penalty-based regulatory solutions for cybersecurity certainly help, but they are not enough. That's why it is also advisable for businesses to derive inspiration from the FCC's voluntary cybersecurity proposal, which aims to inform and educate consumers to help themselves fend off cyberthreats. There are both compulsory and voluntary aspects that work synergistically here to create a cybersecurity situation that, while far from perfect, remains sensible and realistic in the context of today's landscape.
By Force and by Choice: The Goldilocks Zone of Consumer Protection
To conclude, the increased prioritization of consumer protection in recent cybersecurity measures is not just about compelling device manufacturers and enterprises to ensure that their customers are properly secured against threats. It also involves consumer enablement and education, especially when it comes to detecting dangers for themselves and responding accordingly.
This combination of compulsory and voluntary protection is what will best arm users with the knowledge to detect threats to their online safety themselves, yet also safeguard them if there are threats they don't see. I look forward to seeing more such measures that both protect and empower the consumer in the near future.
About the author:
Israel Mazin is the co-founder, CEO, and chairman of Memcyco, a website impersonation detection and protection solution and the only one to offer real-time customer protection. Mazin, from Tel Aviv, got his start working for the IDF's central computing system unit, providing data processing services for all arms and the general staff. In 1990, Mazin founded Memco Software, a now-defunct open-operating system security software company. In 1998, Memco was acquired by Platinum Technology in a stock-for-stock pooling of interests, valued at just over $400 million. In 1999, Platinum was acquired by CA for $3.5 billion. After the acquisition, he moved on to establish GAMA Property. Later on, he co-founded Shadow Technologies with Eli Mashiah, the company hosting and managing the-shadow.com. Ever since, Mazin has been investing in high-tech startups, and in 2021 he co-founded Memcyco.
