America s New Cybersecurity Framework: Help or New Source of Exposure?



Similar documents
FDIC Updates Guidance on Payment Processor Relationships

PROTIVITI FLASH REPORT

Westlaw Journal. What is the Cybersecurity Framework? Risk Management Process And Pathway to Corporate Liability? Expert Analysis

Building Security In:

NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015

New York s New Wage Theft Law: What It Means, and What To Do Now

United States Sanctions: General Considerations for Minority Investment

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

IRS Issues Proposed Regulations on Tax Return Preparer Penalty Rules Under Sections 6694 and 6695

Cybersecurity Framework. Executive Order Improving Critical Infrastructure Cybersecurity

The NIST Cybersecurity Framework

history on an employment application, and four states Hawaii, Massachusetts, Minnesota, and Rhode Island also ban such inquiries.

The NIST Framework for Improving Critical Infrastructure Cybersecurity - An Executive Guide

Framework for Improving Critical Infrastructure Cybersecurity

The Dodd-Frank Wall Street Reform and Consumer Protection Act: Impact, Issues and Concerns in Implementing the Volcker Rule

SEC Adopts Rules Mandating Internet Delivery of Proxy Materials

Framework for Improving Critical Infrastructure Cybersecurity

Cybersecurity..Is your PE Firm Ready? October 30, 2014

Revisiting Advance Notice Bylaws in Light of Recent Delaware Decisions

Retailers in California Face New Scrutiny of Credit Card Transactions in Light of Pineda v. Williams- Sonoma Stores, Inc., 51 Cal.

Cyber Risks in the Boardroom

a modified work schedule; changes in start and/or end times for work; part-time employment; job sharing arrangements; working from home;

Improving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework

How To Understand And Manage Cybersecurity Risk

CFPB s First Final Rule Addresses International Remittance Transfers

NIST Cybersecurity Framework & A Tale of Two Criticalities

Best Practices for Bridge Financing Lenders in California

SEC Finalizes Investment Adviser Pay-to-Play Rules

Delaware Cyber Security Workshop September 29, William R. Denny, Esquire Potter Anderson & Corroon LLP

IRS Guidance on Modifications of Securitized Commercial Mortgage Loans Provides New Flexibility and Also Imposes New Requirements

New E-Discovery Rules: Is Your Company Prepared?

NIST Cybersecurity Framework What It Means for Energy Companies

Framework for Improving Critical Infrastructure Cybersecurity

ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE

Cybersecurity Framework: Current Status and Next Steps

Voluntary Cybersecurity Initiatives in Critical Infrastructure. Nadya Bartol, CISSP, SGEIT, 2014 Utilities Telecom Council

A New Headache For Employers: Whistleblower Claims Under the Affordable Care Act

Why you should adopt the NIST Cybersecurity Framework

Legislative Proposals for the Maryland Commission on Cyber Security Innovation and Excellence

Navigating the NIST Cybersecurity Framework

New General Counsel s Opinion No. 8 The FDIC Provides Clarity on Deposit Insurance and Assessments on Funds Underlying Stored Value Cards

FINRA Publishes its 2015 Report on Cybersecurity Practices

Which cybersecurity standard is most relevant for a water utility?

BECAUSE CYBERSECURITY RISKS ARE ENTERPRISE RISKS.

Changing Legal Landscape in Cybersecurity: Implications for Business

Happy First Anniversary NIST Cybersecurity Framework:

istockphoto/ljupco 36 June 2015 practicallaw.com 2015 Thomson Reuters. All rights reserved.

Effects of the Cancellation of Italian Companies from the Companies Register and the Succession of the Shareholders 1

How to Keep One s Registered Trademark from Becoming a.xxx Domain Name

Critical Manufacturing Cybersecurity Framework Implementation Guidance

Framework for Improving Critical Infrastructure Cybersecurity

Implementation of the AIFMD in Italy First Ground-Breaking Steps

Elder Financial Abuse on the Rise: What Financial Institutions Can Do to Address Increasing Regulatory Scrutiny Designed to Protect At-Risk Customers

How To Make Money From A Loan

FCC Adopts Controversial Net Neutrality Rules Governing Broadband Internet Access Services

70% of US Business Will Be Impacted by the Cybersecurity Framework: Are You Ready?

Why you should adopt the NIST Cybersecurity Framework

Implementation of the Cybersecurity Executive Order

Applying Framework to Mobile & BYOD

Cyberprivacy and Cybersecurity for Health Data

Intel Security Professional Services Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security

Auditing your institution's cybersecurity incident/breach response plan. Baker Tilly Virchow Krause, LLP

Cybersecurity Awareness for Executives

Delving Into FCC's 'Damn Important' Cybersecurity Report

IAPP Global Privacy Summit Protecting Privacy Under the Cybersecurity Microscope

Cybersecurity Risk Factors: Five Tips to Consider When Any Public Company Might be The Next Target

The NIST Cybersecurity Framework (CSF) Unlocking CSF - An Educational Session

Cybersecurity The role of Internal Audit

Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014

Dodd-Frank Act Provides Rewards for Whistleblowers Who Report FCPA Violations

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

Report: An Analysis of US Government Proposed Cyber Incentives. Author: Joe Stuntz, MBA EP 14, McDonough School of Business

The Legal Pitfalls of Failing to Develop Secure Cloud Services

Critical Infrastructure Cybersecurity Framework. Overview and Status. Executive Order Improving Critical Infrastructure Cybersecurity

Business Continuity for Cyber Threat

The President issued an Executive Order Improving Critical Infrastructure Cybersecurity, on February 2013.

Managing cyber risks with insurance

Payment Card Industry Data Security Standards

Modalities for Cyber Security and Privacy Resilience: The NIST Approach

DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT

SEC Cybersecurity Findings May Establish De Facto Standard

Before the FEDERAL COMMUNICATIONS COMMISSION Washington, D.C Comments of CTIA The Wireless Association

Framework for Improving Critical Infrastructure Cybersecurity

what your business needs to do about the new HIPAA rules

Posted by David A. Katz, Wachtell, Lipton, Rosen & Katz, on Sunday December 16, 2012 at 10:20 am

Cybersecurity Audit Why are we still Vulnerable? November 30, 2015

PRIVACY & CYBERSECURITY

Mitigating and managing cyber risk: ten issues to consider

Information Security Management System for Microsoft s Cloud Infrastructure

OCIE CYBERSECURITY INITIATIVE

Cybersecurity for Nonprofits: How to Protect Your Organization's Data While Still Fulfilling Your Mission. June 25, 2015

Happy First Anniversary NIST Cyber Security Framework:

Cybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response

FFIEC Cybersecurity Assessment Tool

Written Testimony of Michael Menapace. Sen. Jerry Moran, Sen. Blumenthal, and other members of the Subcommittee -

CYBER SOLUTIONS HANDBOOK

Trends in Data Breach and CybersecurityRegulation, Legislation and Litigation. Part I

Framework for Improving Critical Infrastructure Cybersecurity

Transcription:

America s New Cybersecurity Framework: Help or New Source of Exposure? BY BEHNAM DAYANIM, RYAN NIER & ELIZABETH DORSI March 2014 Data theft is on the rise, and the federal government is concerned. In 2013 alone, there were over 1,400 data breaches in the U.S. resulting in the exposure of an estimated 740 million records, costing an average of $5.5 million each. These breaches can tarnish reputations, cost millions in remedial damages, litigation defense, and lost business, and in some cases, doom companies. President Obama views these breaches of private data collections as a threat to the nation s critical data infrastructure. In 2012, he issued an Executive Order calling for the National Institute of Standards and Technology (NIST) to create a voluntary Cybersecurity Framework that could help improve national cybersecurity practices. Just over one year later, in February of this year, NIST released the final version of its Framework for Improving Critical Infrastructure Cybersecurity, which is aimed at improving cybersecurity practices for companies in critical infrastructure (e.g., the energy grid, financial institutions and telecommunications). In light of the recent spate of high-profile data breaches and resulting litigation, all businesses dealing with sensitive information (e.g., proprietary data and personal information), should be working to develop an affirmative plan to limit their exposure to cybersecurity threats and to reduce their liability in the event of a breach. The Framework should become a consideration along the way. While compliance is currently voluntary, and its terms are often vague, it is a helpful guidepost: it offers what may well evolve into de facto best practices for security and afford a defense in the event of regulatory investigations or litigation arising from a breach. Executive Order 13636: Improving Critical Infrastructure Cybersecurity Critics often have been quick to attack many bills addressing cybersecurity risks or data protection as too prescriptive in the substance of their requirements and insufficiently flexible to account for the varied ways in which business is and will be conducted in a digital environment. The Framework reflects that concern, focusing on process and risk-based analysis rather than on defined, one-sizefits-all substantive solutions. The 41-page Framework resulted from an extensive set of workshops and discussions by NIST with a wide range of stakeholders, including but not limited to cyber-businesses. NIST also released a companion Roadmap for Improving Critical Infrastructure Cybersecurity, which is intended to guide continued development of the Framework. The Roadmap emphasizes that it is a work in progress and that NIST will continue to solicit industry collaboration and input for future versions. Based on the 1

Roadmap, organizations should expect additional guidance in areas such as authentication, automated indicator sharing, conformity assessment and data analytics. A High-Level Roadmap: What You Should Know The Framework is designed to help organizations describe the strength of their current cybersecurity program, develop an adequate cybersecurity program to decrease risk of breaches, and identify and prioritize opportunities to reach their desired cybersecurity state. The Framework s risk-based approach is divided into three areas: the Framework Core, Implementation Tiers and Framework Profile. The Framework Core is the heart of the program. It consists of five high-level functions (identify, protect, detect, respond and recover) which are further divided into categories and subcategories that are associated with cybersecurity outcomes (i.e., understanding cybersecurity risks to operations) and the technical or management activities that support each outcome (i.e., identifying and documenting asset vulnerabilities). Each subcategory additionally includes a list of information references to existing standards, guidelines and practices. Companies may find the Core helpful in identifying the broad range of issues that their current cybersecurity policies should address, communicating these issues to executives, and locating existing guidelines for particular issues. The Implementation Tiers are intended to help an organization normalize its cybersecurity policies by selecting a Tier corresponding to how it views its own risks and risk management processes. The tiers range from ad hoc and reactive practices in Partial (Tier 1) to risk-informed and responsive practices in Adaptive (Tier 4). Organizations are urged to select the tier that best describes both their current and desired levels of cybersecurity in each Core category. Self-evaluation of an organization s current and target tiers can help to assess the strength of its current policies and associated risk tolerance for each category. The Framework Profile compares the outcomes and activities from the Framework Core with the assessment of an organization s current and target Implementation Tiers for each of the categories. Put another way, the Profile is intended to assist in applying and adjusting the Framework Core in accordance with the selected Implementation Tiers (i.e. taking a company from the Tier where it sees itself now to the target Tier). Organizations can use the Framework Profile to identify the specific outcomes and activities to prioritize in order to efficiently strengthen their cybersecurity programs. Implementing the Framework The Framework outlines a seven-step implementation plan to illustrate how an organization could use the Framework to create a new cybersecurity program or improve an existing program. The implementation plan clarifies how the Core, Tiers, and Profile can be used as part of a comprehensive cybersecurity policy: 1. Prioritize and Scope. Identify high-level objectives and priorities. Make strategic decisions regarding cybersecurity implementations. 2. Orient. Identify threats to, and vulnerabilities of, the systems and assets identified as priorities in step one. 3. Create a Current Profile. Develop a Current Profile by indicating which outcomes from the Framework Core are currently being achieved. 2

4. Conduct a Risk Assessment. Analyze the likelihood of a cybersecurity event and the impact that the event could have on the organization. 5. Create a Target Profile. Develop a Target Profile that focuses on the assessment of the organization s desired Framework Core outcomes. 6. Determine, Analyze, and Prioritize Gaps. Compare the Current Profile to the Target Profile to determine gaps. Create a prioritized action plan and determine the resources required to address those gaps. 7. Implement Action Plan. Determine what actions to take to address the gaps identified in the previous step. Monitor current cybersecurity practices against the Target Profile. More Process Than Substance If the Framework sounds nebulous, it s because it is. In many respects, it provides little substantive guidance for organizations interested in complying with and adopting its structure. That lack of granularity reflects a deliberate policy choice. As the Framework itself acknowledges, it is not a checklist of actions to perform or a one-size-fits-all approach because organizations have unique risks different threats, different vulnerabilities, different risk tolerances. Instead, the Framework is intended to complement an organization s risk management process and cybersecurity program. On balance, that decision likely was the only one NIST could make. What makes sense for a financial institution may not make sense for a public utility, and what makes sense for a public utility may not make sense for a health-care institution. Each industry, and each player within that industry, must balance the risks it faces with the value of the information it maintains, and each may come to a different conclusion as to what that calculation entails. Nevertheless, that justifiable concern with avoiding an overly prescriptive approach has left organizations with some uncertainty, and the Frameworks very existence creates new potential legal obligations and liabilities. For example, each organization must determine its own Current Profile or Target Profile (i.e., the level of cybersecurity an organization is currently achieving or desires to achieve). Organizations are instructed to consider [their] current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints. Similarly, the Framework does not establish a general goal Tier that organizations should strive to reach. Instead, it simply urges progression to higher Tiers when such a change would reduce cybersecurity risk and be cost effective. Moreover, the Framework Core is presented as a high-level overview aimed more at an organization s executives than at those actually implementing and assessing technical cybersecurity procedures. The Framework Core is therefore best approached as a series of questions that an organization should consider, instead of a to-do list to reduce cybersecurity risks. Potential Legal Exposure Of greatest note, perhaps, is that the Framework, although voluntary, may soon become mandatory for many companies. The President s executive order directing development of the Framework also instructed federal regulators of critical infrastructure entities to assess their existing authority to require implementation of the Framework by their regulated parties. Just who is critical and which 3

agencies ultimately exercise that authority remains to be seen, but we soon may witness transformation of the Framework into a mandatory procedure for many companies. Moreover, even those for whom the Framework remains voluntary may find themselves at risk of legal liability if they fail to follow the Framework. Regulators or private litigants may question the adequacy of the company s security precautions and, in the event of breach, defendants may start to find that the Framework has established a reasonable standard of care for purposes of liability. Some Takeaways Despite its generality, there are a few areas in which the Framework provides more concrete guidance for organizations wishing either to decrease their cybersecurity risks or limit their liability stemming from data breaches. These best practices are also consistent with some state regulations regarding the sharing of personal information, such as the California Shine the Light law, Cal. Civ. Code 1798.83, and state data breach notification laws. Additionally, organizations that handle credit card transactions may find that many of the recommended outcomes and activities are consistent with the Payment Card Industry Data Security Standard (PCI DSS) requirements that they have already implemented. First, several of the subcategories listed in the Framework Core identify cybersecurity assessments or policies that should be documented. To demonstrate consideration of and compliance with the Framework, companies should ensure that existing cybersecurity policies and assessments include several components: Asset vulnerabilities are identified and documented (ID.RA-1); Threats, both internal and external, are identified and documented (ID.RA-3); Organizational risk tolerance is determined and clearly expressed (ID.RM-2); Audit/log records are determined, documented, implemented, and reviewed in accordance with policy (PR.RT-1); and Newly identified vulnerabilities are mitigated or documented as accepted risks (RS.MI-3). Second, in addition to documenting compliance with particular Framework Subcategories, organizations should consider documenting compliance with the Framework s proposed seven-step implementation plan. The Framework s deliberate ambiguity regarding specific security measures renders it primarily instructive as a guide for the process that organizations should use to evaluate and improve their cybersecurity programs. That same ambiguity allows enterprises to determine what measures best suit their risk profile. In the event of a data breach, this documentation should help organizations demonstrate compliance efforts. Third, the Framework repeatedly emphasizes the need for constant re-assessment of cybersecurity policies. Several of the Subcategories explicitly call for periodic reassessment of policies and risks. Even more importantly, the primary difference between Tier 3 (Repeatable) and Tier 4 (Adaptive) is the continuous improvement through incorporating new information and the organization s ability to actively adapt to a changing cybersecurity landscape. In addition to reassessments after data breaches or attacks, organizations should consider re-evaluating their cybersecurity policies and procedures on a periodic basis. 4

Fourth, where additional data security protections are cost-prohibitive, organizations should consider documenting the expected implementation costs and benefits. Although the Framework provides only general guidance on how such cost benefit analysis should be conducted, the Framework s repeated emphasis that such a tradeoff is appropriate may provide protection if regulators or litigants later question the absence of particular security measures. The Cybersecurity Framework represents a first step in the federal government s attempt to establish a comprehensive data security framework. Although it is at this point completely voluntary, it provides an indication of the government s cybersecurity interests and suggests several areas of concern. Organizations should strongly consider documenting their compliance with the Cybersecurity Framework, in preparation for future regulations and as an additional protective measure in the event of a data breach. If you have any questions concerning these developing issues, please do not hesitate to contact any of the following Paul Hastings lawyers: San Francisco Thomas A. Counts 1.415.856.7077 tomcounts@paulhastings.com Elizabeth A. Dorsi 1.415.856.7209 elizabethdorsi@paulhastings.com Ryan C. Nier 1.415.856.7226 ryannier@paulhastings.com Washington D.C. Behnam Dayanim 1.202.551.1737 bdayanim@paulhastings.com Paul Hastings LLP www.paulhastings.com StayCurrent is published solely for the interests of friends and clients of Paul Hastings LLP and should in no way be relied upon or construed as legal advice. The views expressed in this publication reflect those of the authors and not necessarily the views of Paul Hastings. For specific information on recent developments or particular factual situations, the opinion of legal counsel should be sought. These materials may be considered ATTORNEY ADVERTISING in some jurisdictions. Paul Hastings is a limited liability partnership. Copyright 2014 Paul Hastings LLP. IRS Circular 230 Disclosure: As required by U.S. Treasury Regulations governing tax practice, you are hereby advised that any written tax advice contained herein or attached was not written or intended to be used (and cannot be used) by any taxpayer for the purpose of avoiding penalties that may be imposed under the U.S. Internal Revenue Code. 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information