Tuesday, February 25, 2014
NEW NATIONAL CYBERSECURITY STANDARDS – GOVERNMENT CAUTIONS COMPANIES TO BE PREPARED
To help companies combat the escalating global cybersecurity crisis, the National Institute of Standards and Technology (“NIST”) released the long-anticipated Framework for Improving Critical Infrastructure Cybersecurity (“Framework”) on February 12, 2014, pursuant to President Obama’s Executive Order 13636. The White House hopes the Framework will “enhance the security and resilience of the Nation’s critical infrastructure” through the promotion and implementation of “a voluntary risk-based. . .set of industry standards and best practices to help organizations manage cybersecurity risks.” The federal government is exploring various sector-based incentives for compliance with the Framework, including limitations on liability and preferential treatment with respect to the delivery of government services or funding.
The Framework is addressed to organizations within the Nation’s sixteen critical infrastructure sectors (e.g., chemical companies, energy companies, financial institutions, and healthcare organizations), but it also offers useful guidance for any other organization looking to protect itself against the growing threat of data breaches. As NIST Director Patrick Gallagher recently emphasized, when it comes to cybersecurity, “[i]f you’re waiting for this to settle down before you do anything about it, you’re going to miss the train.” Regardless of the sophistication and maturity of your organization’s current cybersecurity program, the new Framework should not be ignored. Notwithstanding its “voluntary” label, it is expected that both regulators and courts will treat the Framework as the benchmark against which an organization’s cybersecurity program is measured.
The Framework offers a risk-based approach to help organizations not only to assess their existing cybersecurity policies and procedures, but also to develop an incident response plan that mitigates the significant legal, financial, and reputational risks that can follow a data breach. The Framework is composed of three parts:
- Framework Core – a set of cybersecurity activities and outcomes common across critical infrastructure sectors. The Framework Core is organized into five “Functions” – Identify, Protect, Detect, Respond, and Recover – each of which is broken down into Categories and Subcategories of specific outcomes (for example, identifying cybersecurity risks to the organization’s assets, protecting against a cybersecurity event, detecting an event when it occurs, responding to it, and recovering from it), with “Informative References” pointing to existing standards and guidelines that address each outcome.
- Framework Profile – the set of cybersecurity outcomes, drawn from the Framework Core, that an organization has achieved (a “Current” Profile) or aims to achieve (a “Target” Profile). Comparing the Current Profile to the Target Profile identifies the gaps an organization should prioritize in improving its cybersecurity program.
- Framework Implementation Tiers – four Tiers, ranging from Partial (Tier 1) to Adaptive (Tier 4), that describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics (such as formal risk-informed policies and organization-wide awareness) that indicate its ability to prepare for and respond to a cybersecurity event.
Compliance with the Framework is expected to reduce an organization’s exposure to cybersecurity threats. As recent high-profile data breaches have shown, it appears that an ounce of prevention may very well be worth a pound (or two) of cure.
The full NIST Cybersecurity Framework is available on NIST’s website.
We welcome your questions about the Framework or any other aspect of cybersecurity risk. For more information, please contact J.T. Malatesta at jmalatesta@maynardcooper.com or Sarah Glover at sglover@maynardcooper.com.
For more information on Maynard’s Cyber Liability and Data Management Practice Group, please see the practice group’s website.