Why more cybersecurity laws have not meant lower cyber losses

Over the last decade, cyber incidents have become a persistent threat to a range of targets, from critical infrastructure to individual households. From ransomware attacks to supply‑chain compromises to phishing campaigns, cyber threats cascaded across all areas. During the same period, states ramped up cybersecurity legislative efforts, introducing over 2,700 cybersecurity bills and passing over 700.

This raises a more precise question: Are states introducing more cybersecurity bills primarily in response to rising cyber complaints and losses, or are broader forces, such as policy diffusion, economic exposure, and shifting legislative agendas, also shaping that activity? 

This commentary offers a preliminary analysis by pairing data from two sources: state-level cybersecurity legislation activity sourced from the National Conference of State Legislatures (NCSL) website, and state-level victimization and loss metrics from the Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3). The goal is to examine whether legislative effort is a simple function of increased offensive cyber activity or of several variables.

Although NCSL has long cataloged state data-security and breach-notification statutes, it elevated cybersecurity as a distinct legislative agenda with the creation of its Executive Task Force on Cybersecurity in 2016. This institutional turn coincides with a period of global ransomware outbreaks—such as WannaCry (May 2017) and NotPetya (June 2017), and major consumer-facing incidents such as Equifax’s data breach (September 2017)—that made cybersecurity risks clearer to the general public. 

NCSL’s creation of a cybersecurity task force in 2016 marked the point when cybersecurity became an arena for state policy rather than a narrow technical issue left to IT departments and lawyers. High-profile cyber shocks made the threat politically visible, while federal initiatives such as the National Institute of Standards and Technology’s Cybersecurity Framework (released in 2014) gave lawmakers a vocabulary for talking about preparedness, risk management, and incident response. 

Taken together, these developments created both political and technical urgency, making the mid-2010s a particularly important moment for examining how states began responding to cyber risk.

What’s in the dataset

The NCSL data tracks cybersecurity-related bills introduced across U.S. states and select territories. Between 2016 and 2024, the dataset contains 2,724 bills. Bills are coded by status (adopted/enacted, failed, pending, vetoed). The cyber incident component uses IC3 state-level totals of complaints (a proxy for victimization) and reported losses (financial impact). 

Table 1. Descriptive snapshot: Legislation vs. IC3 state totals (selected years)

Metric	2014	2023	Change (2014→2023)
Cybersecurity bills introduced	24	551	23x
IC3 losses (state-attributable), $ billions	0.64	10.92	17x
IC3 complaints (state-attributable)	223,113	516,449	2.3x
Avg loss per complaint (state-attributable), $	2,875	21,139	7.4x

Table 1 suggests that the central change over this period is not simply that cyber incidents became more common, but that they became more costly. Legislative activity expanded rapidly, but the sharper movement is in loss severity: between 2016 and 2023, bills introduced rose from 140 to 551, while reported IC3 losses rose from $1.1 billion to $10.9 billion, far outpacing the growth in complaints. Also, losses have outpaced victim counts. In the IC3 state totals, reported losses rose from $1.1 billion in 2016 to $10.9 billion in 2023, which shows nearly a tenfold increase. At the same time, complaints roughly doubled (from 260,402 to 516,449). The result is most likely an escalation in the severity of incidents, since the average loss per complaint increased from roughly $4.2K to $21.1K. 

Figure 1. Cybersecurity bills introduced (state totals).

Figure 1 suggests that the growth in bills introduced is driven at least in part by salient losses. State cybersecurity bills rise quickly from the mid-2010s, level off sometime between 2019 and 2021, dip in 2022, then spike sharply to a peak in 2023 before falling in 2024. One plausible explanation for the punctuated rather than continuous upward trend in state bills introduced is ordinary agenda dynamics: New policy problems often attract an initial burst of stand-alone bills before lawmakers shift attention to the next urgent technological issue, including more recent debates around generative artificial intelligence (AI). 

Another explanation lies in the political process itself, specifically in the diffusion of cyber concerns across multiple policy domains. What we may be observing is not simply a pause in cyber lawmaking, but a broader diversification of both cyber threats and the legislative responses to them. As digital governance broadened, cyber concerns migrated into election security, critical infrastructure, privacy and consumer protection, social media and child safety, financial technology and cryptocurrency, procurement, and workforce development.

Figure 2. Reported losses and complaints in IC3 state totals, 2011–2023 (billions USD).

A deeper look at losses and complaints clarifies the kind of cyber problem states are facing: not just more victimization, but increasingly costly victimization.

Figure 2 shows that complaints and losses in the IC3 database do not move together at the same rate. Complaints rise over time and jump sharply around 2020, but losses accelerate much more dramatically, especially after 2020. In other words, the cyber problem is not only becoming broader; it is becoming more financially severe. IC3 complaint counts are uneven, with a dramatic jump in 2020, a pullback, and a rebound by 2023. The figures suggest that threats arise both from attacks targeting many small victims and from a growing number of costlier incidents.

One small but telling feature of the series is the visible jump in complaints around 2020 without an equally dramatic jump in losses, which may reflect the social conditions of the pandemic: more people at home, more exposure to online scams, and possibly more reporting.

Figure 3. Average loss per IC3 complaint (state totals), 2011–2023.

Figure 3 reports average losses per complaint over time, a measure of attack severity. Average loss per complaint rises over time and increases sharply after 2021, reaching roughly $21,000 by 2023. This pattern is consistent with a shift toward higher‑value crime types, as well as potentially better capture of large‑loss events in reporting. 

This pattern has an important policy implication. It implies that outcomes should be disaggregated: Policies that reduce incident counts might not reduce losses if the residual incidents are more financially damaging. That means a state can face a “worse” cyber environment even if complaint growth itself looks moderate, because each successful incident causes more damage.

To answer whether the size of the economy motivates the introduction and adoption of cyber-related bills, it is necessary to look at individual states.

Figure 4. Top 10 states by reported losses in 2023 (IC3 state totals).

Figure 4 shows that the largest states account for the highest losses: California alone exceeds $2.1 billion, followed by Texas (~$1.0 billion) and Florida (~$0.9 billion). Any story about state cybersecurity outcomes is, in part, a story about where exposure, population, and high-value targets are concentrated. 

Figure 5. Top 5 states by number of bills in 2014-2024.

Figure 6. Bottom 5 states by number of bills in 2014-2024.

Figure 5 shows that the top loss states in 2023 are dominated by very large, high-exposure states such as California, Texas, Florida, and New York. But the top states for enacted cybersecurity bills between 2014 and 2024 are Virginia and Maryland, followed by Florida, California, and Texas. Legislative intensity is not just a simple function of population or victim totals. These states tend to be larger, with larger tech sectors and economies, making cybersecurity a denser governance priority, likely reflecting institutional capacity and policy entrepreneurship rather than the scale of losses alone.

The bottom-five chart (Figure 6)  reinforces this idea. Wisconsin, Alaska, Nebraska, South Dakota, and Wyoming have very few enacted stand-alone cybersecurity bills. These states also have smaller populations and economies, which may mean lower absolute exposure, less legislative capacity, or a greater tendency to address cyber risk through administrative action rather than stand-alone statutes. But the contrast does underscore that states are not responding uniformly to a common digital threat. Some are legislating heavily; others much less so.

There are several important caveats to consider when reviewing these statistics. IC3 annual reports also provide national totals that include complaints outside the state‑attributable subset. For context, the IC3 2023 report summarizes losses of $12.5 billion from 880,418 complaints, and the IC3 2024 report reports losses of $16.6 billion from 859,532 complaints. When interpreting figures based on state totals, the correct unit is dollars, and the correct claim concerns state‑attributable losses, not the full national total.

Observational statistics need to be treated with caution because of unique measurement and reporting dynamics. Because IC3 data are self‑reported or complaint‑based, changes in reporting behavior, awareness campaigns, or the composition of crime types can shift totals even without underlying changes in risk. Much of the cyber risk, and even incidents, could go unnoticed.

The substance of the bills themselves indicates at least some outcome-policy mismatch. Much of the IC3‑reported losses are driven by fraud and social engineering. Many state cybersecurity laws, however, focus on government network security, critical infrastructure preparedness, incident response, procurement, or breach notification, which are all important targets, but not always the direct drivers of victim losses in IC3.

In cybersecurity, there are no permanently secure systems, only systems that are better or worse prepared to absorb and recover from attack. The real measure of progress, then, may be less whether incidents disappear than whether the harm they cause becomes smaller, shorter, and easier to contain. As we move into the future, when cybercrime can be one of the most prevalent forms of crime, we need to focus on how to recover from incidents. 

This analysis suggests that state cybersecurity lawmaking is shaped by several forces at once: the rising severity of cyber harm, political diffusion across adjacent technology-policy domains, and differences in state economic exposure and governing capacity. The data do not show that additional legislation automatically results in lower losses or fewer complaints. Instead, they suggest that states often legislate in response to visible threats, institutional pressures, and broader policy trends, while the harms measured by IC3 are driven in large part by fraud, social engineering, and other losses that many stand-alone cybersecurity laws do not directly target. 

If this analysis is correct, then the central challenge going forward is not simply to pass more cyber legislation but to build the kind of capacity that makes systems more resilient: better prevention where possible, faster recovery when attacks succeed, and smaller, more containable harms when they do.

The post Why more cybersecurity laws have not meant lower cyber losses appeared first on Reason Foundation.

Source: https://reason.org/commentary/why-more-cybersecurity-laws-have-not-meant-lower-cyber-losses/