The recent string of well-publicized data breaches has demonstrated that cyber criminals are targeting companies of all sizes and in all industries. Even companies with the most sophisticated security systems admit that the hackers are usually one step ahead of them. The unsophisticated amateur hackers have now been joined by professional cybercriminals and foreign government-sponsored mercenaries intent on stealing confidential and other proprietary information. It is therefore understandable that cybersecurity is now a corporate governance issue that is at the top of the list of concerns for most boards of directors, executives and legal departments. Most companies have had little in the way of government regulations or industry standards to guide them on what they should be doing to protect their own data and the data they handle belonging to customers, vendors and clients.
However, on February 12, 2014, the National Institute of Standards and Technology (NIST), an agency within the Department of Commerce, published a 41-page “Framework for Improving Critical Infrastructure Cybersecurity” (Framework) in response to President Obama’s 2013 Executive Order calling for such a framework. The Framework was created to identify best practices and assessment tools to help critical infrastructure companies develop and implement safeguards against cybersecurity risks. However, it will likely become a de facto “standard of care” that companies will be judged against in defending claims relating to data breaches, including class actions. Companies that suffer data breaches should expect to be questioned by regulatory authorities and plaintiff lawyers about whether they considered and adopted the best practices contained in the Framework.
The Framework encourages companies to take a risk-based approach to creating and managing cybersecurity and provides a method for companies to determine both where they currently are in terms of managing cybersecurity risks and where they want to be. Companies are encouraged to address the following five core functions as they work to either create or strengthen their cybersecurity program:
Identify (conduct a cyber-readiness assessment based on type of data held and level of risk company is willing to assume)
Protect (analyze access control, use of protective technology and training)
Detect (review security monitoring and detection processes)
Respond (implement or update data breach response plan)
Recover (inventory, classify and risk rank critical systems and assets)
Each of these five main functions has additional corresponding action items, including best practices, policies and processes that should be considered when creating or updating a cybersecurity program.
NIST recognizes that there is no one-size-fits-all approach to managing cybersecurity, since companies will have unique risks and different risk tolerances. However, the Framework provides a way for companies, regardless of industry, size or sophistication, to create a cybersecurity program or improve an existing one.
Finally, expect to see future modifications to the Framework based on industry feedback and ongoing changes to the threat environment.