Best practice
Increased protection
Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?
The NIST Cybersecurity Framework provides voluntary cybersecurity standards for protecting private sector computer networks owned or operated by critical infrastructure entities. NIST issued the first version of the Cybersecurity Framework in February 2014, and released an updated version in mid-2018.
The Framework is divided into three parts: Framework Core, Implementation Tiers and Framework Profile. The Framework Core is designed to identify key cybersecurity activities common across all critical infrastructure networks. These are activities that companies should address when creating programs to protect critical computer systems and that identify best practices for communicating risks throughout an organisation. Specifically, the Framework Core consists of five functions designed to provide company decision-makers with a strategic view of cybersecurity risk management: identify, protect, detect, respond and recover.
For each function, the Framework identifies existing technical standards from NIST and other standards bodies to serve as ‘informative references’ in support of the technical implementation of the functions.
The Implementation Tiers provide context on how an organisation views cybersecurity risk and the processes in place to manage that risk. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigour and sophistication in cybersecurity risk management practices based on the business needs of the organisation.
The Framework Profile is intended to help organisations ‘establish a roadmap’ for prioritisation of organisational efforts to reduce cybersecurity risks. Organisations are encouraged to focus on identifying and eliminating gaps between the ‘Current Profile’, which identifies cybersecurity outcomes currently being achieved, and the ‘Target Profile’, which indicates the outcomes needed to achieve cybersecurity risk management goals.
How does the government incentivise organisations to improve their cybersecurity?
There have been numerous legislative proposals to develop incentives for organisations to improve their cybersecurity, including tying adoption of standards to incentives such as grants and streamlined regulation, or using tax credits, but, so far, these initiatives have not been passed or implemented.
The Cybersecurity Act of 2015 included several significant provisions designed to facilitate the sharing of cybersecurity threat data among the government and private sector companies. Among other things, the Act provided liability protection for private sector entities to:
- monitor their own information systems, the information systems of other entities (with authorisation) and information on those information systems;
- operate ‘defensive measures’ applied to entities’ own information systems or the information systems of other entities (with authorisation); and
- share and receive cyberthreat indicators or defensive measures from other entities, with no duty to warn or act based on information received.
Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?
There are several cybersecurity standards applicable to specific industries. Of note are:
- the NIST Cybersecurity Framework, a voluntary standard for promoting cybersecurity. It can be accessed at www.nist.gov/cyberframework;
- for financial institutions, the FFIEC has issued an Information Security Handbook, which is an audit guide for reviewing financial institutions’ security practices, effectively providing best practices to protect against security breaches. It can be accessed at http://ithandbook.ffiec.gov/it-booklets/information-security.aspx;
- the PCI-DSS, standards applicable to merchants or vendors that process payment card data. Version 3.2 went into effect on 1 February 2018. Version 3.2.1, issued in May 2018, includes clarifying edits. Version 3.2.1 can be found at www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf; and
- the DFARS contains a set of standards applicable to certain defence contractors, and mandates the use of cybersecurity-related contract clauses in all DoD contracts. This rule, which includes requirements with respect to security controls and cyber incident reporting, has been highly criticised by industry as being overly burdensome. The rule can be found at 48 CFR subpart 204.73.
Are there generally recommended best practices and procedures for responding to breaches?
Guidance from NIST and other independent organisations generally recommends several key actions immediately after learning of a data security breach. Communication is of particular importance, both among company leadership and with key constituencies. Effective breach response often includes an incident response team made up of forensic experts and key personnel who can address legal, public relations, investor relations and SEC, insurance, IT, audit and customer concerns. Most breaches require a coordinated effort to gather the facts through forensic analysis. At the same time, company leaders may need to develop a strategy to respond to the incident. Outside experts often serve important roles in this regard. External counsel can help guide the response to a breach and can structure a forensic investigation in a manner that preserves legal privileges. Outside forensic experts may be necessary to bring special skills to the response and to ensure that company personnel have appropriate resources to address the situation. The FTC has also recently issued data breach response guidance, which outlines suggested steps for securing operations, fixing vulnerabilities and notifying appropriate parties. The Department of Justice (DOJ) recently issued an updated version of its guidance on ‘Best Practices for Victim Response and Reporting of Cyber Incidents’, which includes a Cyber Incident Preparedness Checklist. This guidance updates the original version (issued in April 2015) to integrate changes in law, technology, organisational practices and the use of third parties in data management and incident response.
Information sharing
Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?
The Cybersecurity Act of 2015 includes several significant provisions designed to facilitate the sharing of cybersecurity threat data between the government and private sector companies.
The Defense Industrial Base (DIB) Voluntary Cyber Security and Information Assurance programme is a voluntary cybersecurity information-sharing programme between DoD and eligible DIB companies. Companies in the programme receive certain threat information in return for sharing information regarding network intrusions that could compromise critical DoD programmes and missions. The programme is aligned with the incident reporting requirements in the DFARS rule.
Several industries have developed information sharing and analysis centres (ISACs) designed to share intelligence on cyber incidents, threats, vulnerabilities and associated responses present throughout the industries. The National Council of ISACs recognises the following centres: automotive; aviation; communications; defence industrial base; downstream natural gas; electricity; emergency management and response; financial services; health; healthcare supply chain; information technology; maritime; multi-state; national defence; oil and natural gas; real estate; research and education; retail; surface transportation, public transportation and over-the-road bus; and water.
Organisations may also choose to voluntarily share information with federal and state law enforcement and DHS to aid in the investigation and prosecution of criminal cybersecurity attacks.
How do the government and private sector cooperate to develop cybersecurity standards and procedures?
DHS, the Federal Bureau of Investigation and DoD have all established information-sharing programmes aimed at encouraging the private sector to share information about cyberthreats, such as indicators of compromise. Likewise, the NIST Framework is intended to be a voluntary, industry-led standard that applies to all critical infrastructure sectors. In developing the framework, NIST issued a draft framework, engaged with stakeholders at cybersecurity framework workshops and solicited feedback and suggestions for the final framework. NIST continues to update and improve the framework as industry provides feedback on implementation, and engaged in a similar process of stakeholder engagement and draft publications prior to publishing an update to the Framework in mid-2018. Additionally, the Cybersecurity Act of 2015 enacted several significant provisions designed to facilitate the sharing of cybersecurity threat data among the government and private sector companies.
Insurance
Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?
Insurance for cybersecurity breaches is available in the United States, and it is becoming far more common for companies to hold such cover, particularly in the wake of judicial opinions finding that general insurance policies do not cover cybersecurity breaches. The breadth of cybersecurity threats and liability risks covered by insurance offerings varies. For example, some policies cover only more traditional cyberattacks, while others cover attacks such as fraudulently induced wire transfers. Similarly, some policies focus their coverage on the costs of notifying individuals and defending litigation in the wake of a breach, with insurance companies now often offering separate endorsements to cover regulatory and payment card brand fines, ransomware payments and other emerging areas of costs in the wake of a breach. DHS has worked with public and private sector stakeholders to examine the current cybersecurity insurance market and develop solutions to advance its capacity to incentivise better cyber risk management.