The drafting of the Framework was fueled by former Head of Homeland Security, Janet Napolitano’s warning that a “cyber 9/11 could happen imminently.” In recent years cyberattacks on this country’s financial industry and resource infrastructure, as well as on private banks and companies, have dramatically increased in frequency and severity.
The National Institute of Standards and Technology (“NIST”) recently released a draft of its Preliminary Cybersecurity Framework (the “Framework”), which was initially proposed in President Obama’s executive order from February 2013. The purpose of the Framework is to provide guidelines to companies on how to best protect their networks against hackers and, if necessary, quickly respond to cybersecurity breaches. Ultimately, the Framework seeks to turn today’s best cybersecurity practices into standard practice. The Framework seeks to encourage companies to prioritize cyberthreats in the same way they prioritize financial and safety risks. The Framework is divided into five core functions: identify, protect, detect, respond and recover. Companies are encouraged to identify the potential cyber risks they may face, establish protective measures against those threats, and create methods that will allow the company to efficiently detect, respond to and recover from cyberattacks if and when they occur. The Framework is intended to complement, not replace, any existing cybersecurity programs.
This Framework is applicable to public and private companies, particularly those that are vital to U.S. security, though its adoption is purely voluntary. Since the Framework is not mandatory, it is not legally binding. Nevertheless, it may raise the bar for in-house counsel, preventing claims of plausible deniability. Historically, cybersecurity was an issue that CEOs left exclusively to IT workers; consequently, if a company suffered a cyberattack, CEOs were able to point the finger at the IT department. However, the implementation of the Framework will likely prevent CEOs from shielding themselves from liability. The Framework sets a minimum standard of care when it comes to cybersecurity, which means that board members and chief information officers (CIOs) will need to collaborate in order to ensure a company is in full compliance. Furthermore, adoption of the Framework could become a federal contracting requirement. Additional incentives being offered by the government to encourage adoption of the Framework include lower cybersecurity insurance rates, priority consideration for grants, and optional public recognition.
Overall, the pros of the Framework are that it is the result of a collaborative approach to drafting and that it provides companies considerable flexibility when it comes to implementation. This flexibility is necessary, as cybersecurity is often sector- and business-specific. Unfortunately, compliance with the Framework will likely generate an enormous amount of paperwork for CIOs, since the proposed rules provide minimal clarity as to priorities. The Framework also includes liability shields that many consider to be controversial, such as reduced tort liability, limited indemnity and the creation of a federal legal privilege that would preempt state disclosure requirements. The final Framework will be issued this month, so stay tuned.