Regulatory Interactions and the Design of Optimal Cybersecurity Policies

This report investigates the design of optimal cybersecurity policies. Our analysis focuses on incentives and explores how regulations can bring the private decisions of profit-maximising firms into line with the objectives of society as a whole. In so doing, we pay explicit attention to important regulatory interactions between cybersecurity, data privacy and competition. This is a crucial part of evaluating the welfare-desirability of any cybersecurity policy: in order to maximise social welfare, regulation must not only correct market failures in the area of cybersecurity but, at the same time, avoid exacerbating market failures in the related areas of data privacy and competition. These areas are intuitively closely connected since the sensitive consumer data that a firm’s cybersecurity strategy aims to protect are simultaneously the subject of data sharing agreements between firms (the data privacy issue) and the source of market power for dominant firms in several important sectors (the competition issue).We approach this question from several methodological directions. Firstly, we discuss the extent to which the UK’s existing regulatory framework accounts for relevant interactions. Secondly, we conduct a qualitative analysis of this regulatory landscape, drawing on primary data collected from interviews and workshops. Thirdly, we begin our evaluation of the policy recommendations that emerge from these interviews and workshops by reviewing the existing literature in the area of cybersecurity regulation. Finally, we extend the literature by presenting the results of two original theoretical contributions that, for the first time, incorporate regulatory interactions into the analysis of cybersecurity regulations. These theoretical results allow us to evaluate in more detail the various policy recommendations that are highlighted by our qualitative analysis. In particular, they suggest that a more prescriptive approach to cybersecurity and data privacy regulation may be needed, and that cybersecurity concerns need to be closely integrated into any competition remedies that are based on compulsory data sharing by dominant ?rms. The report closes with an overview of some important directions for future research in this area. [Executive Summary]