The Cybersecurity Framework and the SAFETY Act: A Primer for Temple Business School



March 31, 2014
2013 Venable LLP

EO 13636: Improving Critical Infrastructure Cybersecurity
- Directs NIST to develop a Cybersecurity Framework to reduce cyber risks to critical infrastructure. (Sec. 7(a))
- Directs DHS to establish a voluntary program to support adoption of the Framework by owners and operators of Critical Infrastructure. (Sec. 8(a))
- Directs DHS to coordinate establishment of a set of incentives to promote participation in this program. (Sec. 8(d))

Where We Are
- Final Framework (version 1.0) issued February 12, 2014.
- DHS Critical Infrastructure Cyber Community (C3) Voluntary Program launched the same day.
- May 14, 2014: agencies responsible for regulating security of critical infrastructure must propose "prioritized, risk-based, efficient, and coordinated actions... to mitigate cyber risk" if they have previously determined that current regulatory requirements are insufficient. (Sec. 10(b))

Basics of the Cybersecurity Framework
- Leverages existing cybersecurity best practices (ISO 27001/2, SP 800-53, COBIT, ISA 99, etc.).
- Controls are divided into five core functions: Identify, Protect, Detect, Respond, Recover.
- Each function has categories, sub-categories, and informative references.
- Tiers represent how organizations view and respond to risk; profiles facilitate customization and improvement.

Notable Changes from Preliminary Version
- Removal of separate privacy appendix; integration of methodology into the body of the Framework
- Increased focus on business case for cyber risk management ("bottom line," "overinvestment," "business needs," "economies of scale")
- Increased focus on flexibility
- Tweaking of subcategories:
  - Removal of IP-specific control
  - Removal of PII control
  - Addition of language on network segregation

Framework Goals
- Provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach to managing cybersecurity risk.
- Provide a common language and mechanism for risk assessment and risk management.
- Ensure senior-executive-level engagement in the cybersecurity risk management process:
  - communicating mission priorities, available resources, and overall risk tolerance
  - incorporating cybersecurity risk assessment into overall enterprise risk management

Incentives
- For now, technical assistance via C3.
- Federal financial incentives are not close to fruition in the near term.
- DHS/White House have stated that safety is its own incentive.
- Expectation is that market-based incentives will develop organically (better access to insurance, trustmark-like certifications, etc.).
- Legislation needed to expand availability.
- SAFETY Act?

Impact on Business
- Implementation of the Framework is left to the entity's discretion, but some expectations are made explicit:
  - "[O]rganizations responsible for Critical Infrastructure need to have a consistent and iterative approach to identifying, assessing, and managing cybersecurity risk."
  - "In performing a self-assessment, an organization may determine that it has opportunities to (or needs to) improve."
  - Security concerns must be managed "in a manner commensurate with risk."

Liability
- Some have identified potential for emerging tort liability for insufficient cybersecurity practices.
- Critical Infrastructure may be held to a more stringent standard due to the higher expected impact of attacks.
- Corporate boards may be subject to shareholder suits following breaches/attacks.
- Could serve as basis for regulations or enforcement actions (section 10 of EO).
- Appears voluntary for now.

Other Concerns
- Will there be certification/audit requirements to qualify for some incentives?
- How will insurers make use of the Framework?
- Will agencies base new regulations on the Framework per section 10 of the EO?
- Availability of quality incentives, esp. liability limitation

The SAFETY Act
- The SAFETY Act (Support Anti-Terrorism by Fostering Effective Technologies Act)
- Enacted as part of the Homeland Security Act of 2002, Public Law 107-296 (Title VIII, Subtitle G, Secs. 861-65)
- Implementing regulation at 6 C.F.R. Part 25
- Intended to encourage the development and deployment of anti-terrorism technologies by creating systems of risk and litigation management
- Technologies include:
  - Products, devices, equipment
  - Services, both supporting and standalone services
  - Cyber-related items
  - Information technologies and networks
  - Integrated systems

Scope of the Act
- Applies to an "act of terrorism," which may include cyber terrorism.
- An act of terrorism is defined by DHS as one that:
  - Is unlawful;
  - Causes harm, including financial harm, to a person, property, or entity, in the United States; and
  - Uses or attempts to use instrumentalities, weapons or other methods designed or intended to cause mass destruction, injury or other loss to citizens or institutions of the United States.
- Includes attacks committed by domestic terrorists.
- May include attacks on foreign soil, if harm is to a person, property or entity in the United States.

Levels of SAFETY Act Protection
- Certification - High degree of confidence in continued effectiveness
- Designation - Proven effective
- Developmental, Testing and Evaluation Designation (DTED) - Additional evidence needed to prove effectiveness

Benefits of Protections
- Certification
  - All the benefits of Designation
  - Government Contractor Defense
- Designation
  - Liability cap at a pre-determined insurance level
  - Exclusive jurisdiction in Federal court
  - Consolidation of claims
  - No joint and several liability for noneconomic damages
  - Bar on noneconomic damages unless plaintiff suffers physical harm
  - No punitive damages and prejudgment interest
  - Plaintiff's recovery reduced by collateral sources
- DTED
  - Same as Designation, but for a shorter duration (3 yrs)

Obtaining SAFETY Act Protections
- The Applicant's Role
  - Internal Assessment of Technology (Document, Enhance)
  - Prepare Application
  - Submit Application to OSAI
- OSAI/DHS's Process
  - Completeness Review (30 days)
  - Technical & Economic Review / Requests for Information
  - DHS Decision
- OSAI/DHS Review Time = 120 days (total)

Contact Information
- Brian Zimmet, Partner, bmzimmet@venable.com, t 202.344.4510
- David DeSalle, Partner, dmdesalle@venable.com, t 202.344.4504
- Jason Wool, Associate, jwool@venable.com, t 202.344.4511
- www.venable.com