With cyberattacks prompting litigation, regulatory inquiries, and reactions from customers and media outlets on an almost daily basis, companies of every type are considering what they should be doing now to address the risks of cyber intrusions and data security breaches.

A resource recently issued by the United States federal government reflects considerable input and support from the private sector and is thus likely to be influential internationally as a benchmark for corporate cybersecurity practices. The National Institute for Standards and Technology led the development of the “Framework for Improving Critical Infrastructure Cybersecurity” (Framework), which was announced by President Obama on 12 February and provides a comprehensive menu of measures that can be used by organizations to address cybersecurity risk. In this alert, we describe this new resource and its implications for companies and suggest steps organizations can take now to assess whether to use it to manage cyber risk.

Key takeaways include:

  • Because the Framework is comprehensive and uses technology-neutral terms, it provides a “common language” for cybersecurity that can be used by everyone in an organization, from the board of directors to management to IT. 
  • Adopting the Framework involves significant governance, legal, policy, and other management decisions.
  • An organization that decides to use the Framework can choose which elements it will implement. It would be prudent, however, to document the risk-based rationale underlying its approach to using the Framework. 
  • Although the Framework is voluntary, organizations should expect to see wide-ranging efforts by the U.S. government to encourage its use, for example via government procurement requirements and industry regulatory outreach.
  • Similarly, organizations should expect to see references to the Framework and its concepts start to appear in commercial transactions such as vendor agreements. 
  • If an organization is already subject to data security or privacy regulations, it is important, from the start, to identify whether and how the Framework can complement and ideally support existing compliance programs. 
  • The privacy implications of cybersecurity activities, such as monitoring or information-sharing, are explicitly addressed by the Framework, which provides a methodology for how organizations can address privacy in that context.

Organizations, particularly those that could be considered critical infrastructure as that term is broadly defined, should take the time now to become familiar with the Framework and determine how to respond to its release.

Click here for an in-depth analysis of the new U.S. cybersecurity Framework.