The White House recently issued a report outlining potential incentives that may be available to companies that adopt the voluntary cybersecurity framework currently being developed by the National Institute of Standards and Technology (the “Framework”). Both the incentives program and the Framework are being developed pursuant to the February executive order aimed at improving the cybersecurity of America’s critical infrastructure (read our prior coverage of the executive order here). Although they have not yet been adopted, the incentives recommended by federal agencies provide insight into the benefits the federal government may offer in exchange for adopting the Framework.
According to the report, the Departments of Homeland Security, Commerce, and Treasury (the “Agencies”) recommended the following to incentivize the private sector to adopt the Framework:
- Grants – Adoption of the Framework may become one of the weighted criteria for federal critical infrastructure grants.
- Process Preference – Companies that adopt the Framework may receive preference in receiving government services, such as technical assistance provided to critical infrastructure companies.
- Liability Limitation – The Agencies suggested reduction of tort liability, limited liability, higher burdens of proof, or the creation of a federal legal privilege that preempts state disclosure requirements for those companies that adopt the Framework.
- Optional Public Recognition – Companies adopting the Framework may have the option of receiving public recognition for doing so.
- Rate Recovery for Price Regulated Industries – Utilities may be allowed to recover cybersecurity investments related to adoption of the Framework.
In addition to the incentives, the Agencies recommended inclusion of the insurance industry in development of the Framework to “build underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing.” They also recommended that the Framework and the voluntary adoption program “interact in an effective manner with existing regulatory schemes” and recommended that the government emphasize research and development of solutions to cybersecurity needs that are not currently addressed by commercial solutions.
The White House report stressed the preliminary nature of the Agencies’ recommended incentives. However, critical infrastructure companies should review them because they will likely impact the final incentives that will be offered to companies that adopt the Framework. The Framework is scheduled for completion in February 2014, at which point the White House will begin finalizing the incentive program.
To read the White House report, “Incentives to Support Adoption of the Cybersecurity Framework,” click here.