The National Institute of Standards and Technology (NIST) recently published its latest draft of the preliminary cybersecurity framework—a set of voluntary standards that companies can adopt to strengthen their cyber security.
The draft framework, which NIST was directed to develop by the Obama administration, was published after input from thousands of critical infrastructure organizations, academics, security specialists and the insurance industry—including Willis.
The framework is part of an attempt to protect critical industries, such as financial institutions and power grids, from potentially crippling cyber attacks or national security threats without enacting overly restrictive and costly laws. Essentially, the framework aims to turn current “best practices” into accepted standards that can be applied to reduce threats. Perhaps more importantly, the framework intends to be nimble—a living, breathing document—that can evolve to keep pace with rapidly changing risks.
Setting the Standard
The draft framework proposes five core functions in keeping information and systems safe:
- Identify risks
- Protect systems
- Detect attacks
- Respond to incidents
- Recover afterwards
Specifically, the framework lays out guidance for companies on techniques to influence their cyber risk “outcomes.”
The framework also addresses best practices on the communication of cyber risk across organizations and provides “implementation tiers” to allow companies to benchmark their risk management practices. The benchmarking standards include determining the acceptable level of risk, developing measures of risk tolerance and maturity of risk management practices, creating a target risk profile and a framework core—a set of specific practices which are to be developed and followed.
In Willis’ view, the framework is a great start because it incorporates the input of industry groups. It will likely improve further when the final version is issued in February. Even though it lacks specific requirements, the draft framework aligns with many network and cyber risk audit standards currently in use. In addition, the framework could develop into a strong resource for companies and industries that have yet to implement a cyber risk audit.
Collaboration or Regulation
Some improvements to the framework may need to be made to provide specific baseline standards and differentiation for industry verticals. Much will depend upon the process that NIST and the Department of Homeland Security (DHS) put in place to encourage companies to share data. If consensus standards are not developed, we may see the DHS take a more aggressive approach via regulation—an approach that may not be constructive.
During Willis’ discussions with NIST at the White House on August 26th, and in subsequent discussions with Senate staff, Willis was informed that it is the intention of the White House to hand the Framework over to the DHS, but it’s not clear exactly what role they would play. There was also discussion within the industry that some organizations might get a safe harbor from litigation if they follow the framework. From our discussions with legislators, we do not believe this safe harbor will be in the final version of the framework.
Industry reaction to the framework thus far has been guardedly positive, largely because many firms have been able to influence the framework standards to align with many currently accepted practices.
As with any new set of guidelines, adoption remains the true test of success. We expect those industries in the critical sectors that already have audit standards similar to the framework in place to be the first to abide by the framework standards. Beyond that, pressure from government departments and the U.S. Securities and Exchange Commission, combined with the threat of regulation and litigation, is likely to increase compliance with the final framework standards.