Why more cybersecurity laws have not meant lower cyber losses

Staff Editor 2026-05-29
Why more cybersecurity laws have not meant lower cyber losses

Why more cybersecurity laws have not meant lower cyber losses

https://reason.org/commentary/why-more-cybersecurity-laws-have-not-meant-lower-cyber-losses/

Publish Date: 2026-05-29 06:00:00

Source Domain: reason.org

Over the last decade, cyber incidents have become a persistent threat to a range of targets, from critical infrastructure to individual households. From ransomware attacks to supply‑chain compromises to phishing campaigns, cyber threats cascaded across all areas. During the same period, states ramped up cybersecurity legislative efforts, introducing over 2,700 cybersecurity bills and passing over 700.

This raises a more precise question: Are states introducing more cybersecurity bills primarily in response to rising cyber complaints and losses, or are broader forces, such as policy diffusion, economic exposure, and shifting legislative agendas, also shaping that activity? 

This commentary offers a preliminary analysis by pairing data from two sources: state-level cybersecurity legislation activity sourced from the National Conference of State Legislatures (NCSL) website, and state-level victimization and loss metrics from the Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3). The goal is to examine whether legislative effort is a simple function of increased offensive cyber activity or of several variables.

Although NCSL has long cataloged state data-security and breach-notification statutes, it elevated cybersecurity as a distinct legislative agenda with the creation of its Executive Task Force on Cybersecurity in 2016. This institutional turn coincides with a period of global ransomware outbreaks—such as WannaCry (May 2017) and NotPetya (June 2017), and major consumer-facing incidents such as Equifax’s data breach (September 2017)—that made cybersecurity risks clearer to the general public. 

NCSL’s creation of a cybersecurity task force in 2016 marked the point when cybersecurity became an arena for state policy rather than a narrow technical issue left to IT departments and lawyers. High-profile cyber shocks made the threat politically visible, while federal initiatives such as the National…

Source

More Stories

Why more cybersecurity laws have not meant lower cyber losses

Why more cybersecurity laws have not meant lower cyber losses

Staff Editor 2026-05-29
ENISA report shows cybersecurity gains across EU critical sectors …

ENISA report shows cybersecurity gains across EU critical sectors …

Staff Editor 2026-05-29
Cegecom joins forces with cybersecurity specialist F3C Systems in Luxembourg

Cegecom joins forces with cybersecurity specialist F3C Systems in Luxembourg

Staff Editor 2026-05-29

Why more cybersecurity laws have not meant lower cyber losses

Staff Editor 2026-05-29
Why more cybersecurity laws have not meant lower cyber losses

Why more cybersecurity laws have not meant lower cyber losses

https://reason.org/commentary/why-more-cybersecurity-laws-have-not-meant-lower-cyber-losses/

Publish Date: 2026-05-29 06:00:00

Source Domain: reason.org

Over the last decade, cyber incidents have become a persistent threat to a range of targets, from critical infrastructure to individual households. From ransomware attacks to supply‑chain compromises to phishing campaigns, cyber threats cascaded across all areas. During the same period, states ramped up cybersecurity legislative efforts, introducing over 2,700 cybersecurity bills and passing over 700.

This raises a more precise question: Are states introducing more cybersecurity bills primarily in response to rising cyber complaints and losses, or are broader forces, such as policy diffusion, economic exposure, and shifting legislative agendas, also shaping that activity? 

This commentary offers a preliminary analysis by pairing data from two sources: state-level cybersecurity legislation activity sourced from the National Conference of State Legislatures (NCSL) website, and state-level victimization and loss metrics from the Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3). The goal is to examine whether legislative effort is a simple function of increased offensive cyber activity or of several variables.

Although NCSL has long cataloged state data-security and breach-notification statutes, it elevated cybersecurity as a distinct legislative agenda with the creation of its Executive Task Force on Cybersecurity in 2016. This institutional turn coincides with a period of global ransomware outbreaks—such as WannaCry (May 2017) and NotPetya (June 2017), and major consumer-facing incidents such as Equifax’s data breach (September 2017)—that made cybersecurity risks clearer to the general public. 

NCSL’s creation of a cybersecurity task force in 2016 marked the point when cybersecurity became an arena for state policy rather than a narrow technical issue left to IT departments and lawyers. High-profile cyber shocks made the threat politically visible, while federal initiatives such as the National…

Source

More Stories

Why more cybersecurity laws have not meant lower cyber losses

Why more cybersecurity laws have not meant lower cyber losses

Staff Editor 2026-05-29
ENISA report shows cybersecurity gains across EU critical sectors …

ENISA report shows cybersecurity gains across EU critical sectors …

Staff Editor 2026-05-29
Cegecom joins forces with cybersecurity specialist F3C Systems in Luxembourg

Cegecom joins forces with cybersecurity specialist F3C Systems in Luxembourg

Staff Editor 2026-05-29

Terms and Conditions - Privacy Policy