Organizations of all types are increasingly subject to data theft and loss, whether the asset is customer information, intellectual property, or sensitive company files. The federal government, and therefore its private contractors, have long relied on the National Institute of Standards and Technology (NIST, within the Commerce Department) to develop standards and guidance for information protection. One of the most important of these is the relatively recent Cybersecurity Framework (CSF), which gives structure and a common vocabulary to cybersecurity risk management. Private-sector organizations should be motivated to implement the NIST CSF not only to improve their security, but also to reduce their exposure to legal liability.
While NIST has been active in this area for some time, its ongoing role in maintaining the CSF was written into law by the Cybersecurity Enhancement Act of 2014, passed in December of that year (the first version of the Framework itself had already been published in February 2014). As part of the government’s effort to protect critical infrastructure in light of increasingly frequent and severe attacks, the Cybersecurity Enhancement Act directed NIST to “…on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure.” The “voluntary, consensus-based, industry-led” qualifiers meant that at least part of NIST’s marching orders were to develop cybersecurity standards that the private sector could, and hopefully would, adopt.
Nearly two years earlier, in February 2013, then-President Obama had issued Executive Order 13636, which kickstarted the process by directing NIST to develop a framework that would provide:
- a set of standards, methodologies, procedures, and processes that align policy, business, and technical approaches to address cyber risks;
- a prioritized, flexible, repeatable, performance-based, and cost-effective approach to help owners and operators of critical infrastructure identify, assess, and manage cyber risk;
- identification of areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations; and
- consistency with voluntary international standards.
The private sector (whether for-profit or non-profit) benefits from an accepted set of standards for cybersecurity. Beyond the gains of benchmarking existing practices, organizations have the opportunity to cite the CSF (or another recognized standard) in their defense against regulatory and class-action claims that their security was subpar. Fundamentally, there is no perfect security, and for any number of reasons there will continue to be theft and loss of information. But if an organization can show that it implemented, and continues to maintain, safeguards based on the CSF, it stands a much better chance of quickly dispatching litigation claims and allaying the concerns of regulators. Because the CSF is voluntary and outcome-based rather than a checklist of required controls, that showing depends on documentation: which CSF outcomes were targeted, how current practice was assessed against them, and what was done to close the gaps.
For firms already subject to a set of regulatory standards, it is important to recall that the NIST CSF:
- Complements, and does not replace, an organization’s existing business or cybersecurity risk-management process and cybersecurity program.
- Is voluntary and complements, rather than conflicts with, current regulatory authorities (for example, the HIPAA Security Rule, the NERC Critical Infrastructure Protection Cyber Standards, the FFIEC cybersecurity documents for financial institutions, and the more recent Cybersecurity Regulation from the New York State Department of Financial Services).
- Leverages existing standards, guidance, and best practices, and is a good source of references: each of its outcomes is mapped to corresponding controls in established catalogs such as NIST SP 800-53, ISO/IEC 27001, and COBIT.
- Is designed to be inclusive of, and not inconsistent with, other standards and best practices.
As cyberattacks and data breaches increase, companies and other organizations will inevitably face lawsuits from clients and customers, as well as potential inquiries from regulators such as the Federal Trade Commission. The FTC, as one example, has an impressive record of enforcement actions against companies for lax data security, but it has also investigated many more without bringing an action. In the litigation context, courts will look to identify a standard of care against which those companies or organizations should have acted to prevent harm. While the NIST CSF is still relatively new, courts may well come to treat it as the minimum legal standard of care by which a private-sector organization’s conduct is judged.