The likelihood of meaningful federal cybersecurity legislation in 2020 remains doubtful. Yet developments in 2019 show that cybersecurity regulation is headed toward a Sarbanes-Oxley model with or without congressional input. The Sarbanes-Oxley Act (SOX) had a significant effect on corporate governance in the United States by requiring public companies to strengthen audit committees, perform internal controls tests, and make directors and officers personally liable for the accuracy of financial statements. For SOX certifications, the act requires that an organization’s senior officer personally certify the accuracy of the company’s financial reports. A false certification can trigger personal liability. Regulation of cybersecurity is taking a similar approach.

Cyber regulations promulgated by the New York Department of Financial Services (NY DFS), 23 NYCRR Part 500, in 2017 were among the first to require a senior officer to personally certify compliance with the regulation’s requirements. In 2019, cybersecurity regulation veered further toward the Sarbanes-Oxley model, materializing in numerous Federal Trade Commission (FTC) orders, and in a significant but little-discussed rule change in the financial services industry when the Securities and Exchange Commission required members of the National Securities Clearing Corporation (NSCC) to undertake cybersecurity confirmations. The model law for insurance data security, now enacted in a growing number of states including Delaware, also incorporates the certification requirement.