Abundant regulation is reshaping the telecommunications landscape

Regulation tends to be more reactive than proactive. With connectivity to almost everything increasing, the telecommunications industry is ripe for more regulation. Over the last year, new compliance standards have largely focused on three broad categories: cybersecurity, reliable connectivity and consumer transparency. Companies need to be nimble to comply with the shifting regulatory landscape and avoid potential penalties—and they need to stay informed on multiple fronts, as significant regulation can come from local, state, federal or even international bodies.

Keeping up with cyberthreats

Telecommunications provides the backbone for how we conduct business and daily tasks in our personal lives. Unfortunately, cybersecurity breaches are starting to feel like never-ending déjà vu. In fact, in the RSM US Middle Market Business Index Special Report: Cybersecurity 2024, 28% of middle market executives reported suffering a data breach in the previous year, tying a record high in RSM’s research. Potential vulnerabilities increase exponentially on a daily basis, as connectivity—and the attack surface—expands within smart devices ranging from cutting-edge advancements like self-driving cars to mundane household items like vacuums.

In February 2024, the Federal Communications Commission (FCC) launched the U.S. Cyber Trust mark, a major step to encourage companies to increase focus on cybersecurity concerns related to smart devices. The mark is a voluntary program, anticipated to be developed with third parties under the guidance of the FCC and the National Institute of Standards and Technology. While the exact usage requirements have not yet been determined, the intent is to signify a safer, more resilient product to customers. Early adopters of the Cyber Trust mark stand to benefit by differentiating themselves in the market as a safer alternative at a time when data breaches are the norm.

The cost of falling behind

Bad actors can access a company’s network through a plethora of nodes. However, they can find an entry point simply by posing as an employee and requesting a password reset. According to an IBM study, 30% of initial access vectors in 2023 were through valid accounts. IBM noted that “in this era, the focus has shifted towards logging in rather than hacking in, highlighting the relative ease of acquiring credentials compared to exploiting vulnerabilities or executing phishing campaigns.”

If the hackers are successful, the outcomes can be devasting—frequently leaving management with the difficult choice between paying a ransom or rebuilding its entire tech stack from the ground up. The chart below summarizes U.S. data breaches and the average cost of those breaches from 2006 to 2023. Data-compromising events at U.S. companies grew nearly tenfold over that period, costing on average 2.7 times as much in 2023 compared to 2006. Of the total cost in 2023, IBM estimates only 29% related to lost business, while the remaining 71% was due to detection, escalation, post-breach response and notification.

Given the growing threat and cost to businesses, regulators have taken aim to ensure prompt, efficient public disclosure. For example, in August 2023, the U.S. Securities and Exchange Commission implemented a new rule that requires public companies to disclose cybersecurity incidents within four days.

Going even further, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is likely to implement guidance later this summer that will require all critical infrastructure operators to report breaches within 72 hours and ransom payments within 24 hours of payment. Of the over 300,000 covered entities, CISA estimates that approximately 90% are small businesses. CISA further estimated compliance could cost businesses an estimated $1.4 billion over an 11-year period for data retention and labor to review and report on incidents.

While the increased reporting guidelines are a bright spot for consumers, identifying breaches has not become any easier for companies. According to a 2023 IBM study, the mean time to identify and the mean time to contain a breach have changed little since 2019.

A recent Harvard Business Review article recommends incorporating cybersecurity into everyone’s job description, because making it part of the culture will help combat potential entry points from the bottom up. The article also recommends conducting regular audits and having a C-level executive dedicated to security, such as a chief information security officer.

Consistent connectivity coast to coast

Reliable connectivity has long been a goal of the federal government. The Biden administration has set aside over $90 billion in funds to increase broadband connectivity throughout the U.S., including through the $42.5 billion Broadband Equity, Access and Deployment (BEAD) Program. In addition, in March 2024, the FCC revised the definition of broadband for the first time since 2015. The new definition requires a minimum download speed of 100 megabits per second (Mbps) and a minimum upload speed of 20 Mbps (previously 25 Mbps and 3 Mbps, respectively).

The increased baseline means that, to advertise as broadband, internet service providers (ISPs) must not only meet the new speed standards, but also ensure they meet those standards when receiving funding to connect unserved and underserved communities.

Additionally, the FCC is set to reinstate net neutrality later this year. ISPs have sought to understand the exact requirements, as ambiguity exists around whether individual states, such as California, will go further than the FCC in establishing rules regarding net neutrality. Providers must perform due diligence to ensure they stay within the revised guideline wherever they do business.

Consumer transparency

Beginning April 10, 2024, ISPs with more than 100,000 subscriber lines need to publish labels detailing fees, similar to the nutrition labels displayed on packaged food and beverage items. Smaller providers have until Oct. 10, 2024, to publish the labels. These new FCC rules aim to provide transparency by forcing providers to list all fees on bills. While the goal is consumer transparency, the rules could lead to further competition and price wars in the already tight ISP market, driving margins and earnings down.

Differentiating by staying ahead of the game

As the federal government continues to catch up with the rapidly changing telecommunications world, more regulation is almost a certainty. Combating cybersecurity risks and addressing domain over satellite and space-based communications are expected areas of focus.

Companies that are quick to adopt regulation will not only avoid negative consequences, including financial penalties, but could emerge as leaders in key areas such as cybersecurity or transparency for consumers. Cultivating a culture around trust and clarity in communications will be a differentiator, but failing to do so could be costly to the bottom line and leave a lasting stain on brand reputation.