The National Institute of Standards and Technology (NIST) Cybersecurity Framework
On February 12, 2014, NIST released the final version of its Framework for Improving Critical Infrastructure Cybersecurity (“NIST Framework”). The NIST Framework followed an Executive Order from the Obama Administration that called for its creation in February 2013. While use of the NIST Framework is voluntary, the federal government and others, including insurance companies, have been actively exploring ways to incentivize participation. The final version of the NIST Framework is the result of a year-long development process with significant public comment and working sessions with private sector and data security stakeholders.

The NIST Framework can be used by a business as a risk management tool. It can help assess the risk of a cyber-attack, protect against attacks, and detect intrusions as they occur. According to NIST, the NIST Framework complements, but does not replace, existing risk management processes and cybersecurity programs. It can, however, be used to assess and, if necessary, improve existing security practices.

The NIST Framework may become a de facto standard for determining whether or not a business has adequate data security safeguards in place. In fact, in May 2017, then-President Trump issued an executive order specifically requiring U.S. governmental agencies to use the NIST Framework. Additionally, the proposed NIST Cybersecurity Framework Assessment and Auditing Act, which passed out of the House Science Committee in March but has not yet reached the House floor, would task NIST with verifying that agencies have proper cyber protections in place and reporting on those agencies that do not. In the meantime, it is clearly worth considering the NIST Framework when adopting any extensive data security program, since it may be viewed by some insurance companies as a prerequisite to coverage. Following the standards described in the NIST Framework might also serve as a defense against any FTC charge of inadequate data security.