The Cybersecurity Framework and the SAFETY Act a Primer for Temple Business School

Transcription

1 The Cybersecurity Framework and the SAFETY Act a Primer for Temple Business School MARCH 31, Venable LLP 1

2 EO 13636: Improving Critical Infrastructure Cybersecurity Directs to NIST to develop a Cybersecurity Framework to reduce cyber risks to critical infrastructure. 7(a) Directs DHS to establish a voluntary program to support adoption of the Framework by owners and operators of Critical Infrastructure. 8(a) Directs DHS to coordinate establishment of a set of incentives to promote participation in this program. 8(d) 2

3 Where We Are Final Framework (version 1.0) issued February 12, DHS Critical Infrastructure Cyber Community (C 3 ) Voluntary Program launched the same day May 14, 2014: agencies responsible for regulating security of critical infrastructure must propose prioritized, risk-based, efficient, and coordinated actions... to mitigate cyber risk if they have previously determined that current regulatory requirements are insufficient. 10(b) 3

4 Basics of the Cybersecurity Framework Leverages existing cybersecurity best practices (ISO 27001/2, SP800-53, COBIT, ISA 99, etc.) Controls divided into five core functions Identify Protect Detect Respond Recover Each function has categories, sub-categories, and informative references. Tiers represent how orgs view and respond to risk; profiles facilitate customization and improvement 4

5 Notable Changes from Prelim. Version Removal of separate privacy appendix; integration of methodology into the body of the Framework Increased focus on business case for cyber risk management ( bottom line, overinvestment, business needs, economies of scale ) Increased focus on flexibility Tweaking of subcategories 5 Removal of IP-specific control Removal of PII control Addition of language on network segregation

6 Framework Goals Provide a prioritized, flexible, repeatable, performance-based, and cost effective approach to managing cybersecurity risk. Provide a common language and mechanism for risk assessment and risk management Ensure senior executive level engagement in the cybersecurity risk management process communicating mission priorities, available resources, and overall risk tolerance incorporating cybersecurity risk assessment into overall enterprise risk management 6

7 Incentives For now, technical assistance via C 3. Federal financial incentives not close to fruition in near term DHS/White House have stated that safety is its own incentive Expectation is that market-based incentives will develop organically (better access to insurance, trustmark-like certifications, etc.) Legislation needed to expand availability SAFETY Act? 7

8 Impact on Business Implementation of Framework is left to entity s discretion, but some expectations are made explicit: [O]rganizations responsible for Critical Infrastructure need to have a consistent and iterative approach to identifying, assessing, and managing cybersecurity risk. In performing a self-assessment, an organization may determine that it has opportunities to (or needs to) improve. Security concerns must be managed in a manner commensurate with risk 8

9 Liability Some have identified potential for emerging tort liability for insufficient cybersecurity practices Critical Infrastructure may be held to more stringent standard due to higher expected impact of attacks Corporate boards may be subject to shareholder suits following breaches/attacks Could serve as basis for regulations or enforcement actions (section 10 of EO) Appears voluntary for now 9

10 Other Concerns Will there be certification/audit requirements to qualify for some incentives? How will insurers make use of the Framework? Will agencies base new regulations on the Framework per section 10 of the EO? Availability of quality incentives, esp. liability limitation 10

11 The SAFETY Act The SAFETY Act (Support Anti-Terrorism by Fostering Effective Technologies Act) Enacted as part of the Homeland Security Act of 2002, Public Law (Title VIII, Subtitle G, Secs ) Implementing regulation at 6 C.F.R. Part 25 Intended to encourage the development and deployment of anti-terrorism technologies by creating systems of risk and litigation management Technologies include: Products, devices, equipment Services both supporting and standalone services Cyber-related items Information technologies and networks Integrated Systems 11

12 Scope of the Act Applies to an act of terrorism, which may include cyber terrorism An act of terrorism is defined by DHS as: Unlawful Causes harm, including financial harm, to a person, property, or entity, in the United States ; and Uses or attempts to use instrumentalities, weapons or other methods designed or intended to cause mass destruction, injury or other loss to citizens or institutions of the United States Includes attacks committed by domestic terrorists May include attacks on foreign soil, if harm is to a person, property or entity in the United States 12

13 Levels of SAFETY Act Protection Certification - High degree of confidence in continued effectiveness Designation - Proven effective Developmental, Testing and Evaluation Designation ( DTED ) - Additional evidence needed to prove effectiveness 13

14 Benefits of Protections Certification - All the benefits of Designation - Government Contractor Defense Designation - Liability cap at a pre-determined insurance level - Exclusive jurisdiction in Federal court - Consolidation of claims - No joint and several liability for noneconomic damages - Bar on noneconomic damages unless plaintiff suffers physical harm - No punitive damages and prejudgment interest - Plaintiff s recovery reduced by collateral sources DTED - Same as Designation, but for a shorter duration (3 yrs) 14

15 Obtaining SAFETY Act Protections The Applicant s Role Internal Assessment of Technology - Document -Enhance Prepare Application Submit Application to OSAI Completeness Review (30 days) OSAI/DHS s Process Technical & Economic Review / Requests for Information DHS Decision OSAI/DHS Review Time = 120 days (total) 15

16 contact information Brian Zimmet, Partner t David DeSalle, Partner t Jason Wool, Associate t