February 17, 2014

One Size Will Not Fit All – The Cybersecurity Framework Recently Released can be a Two-Edged Sword

Written By

On February 12, 2014, the National Institute of Standards and Technology released the Framework for Improving Critical Infrastructure Cybersecurity. The Framework is intended to act as a set of industry standards and best practices for managing cybersecurity risks and was envisioned in the Executive Order issued by the President in February of 2013.  By its terms, the Framework is to apply to businesses which are part of the country’s critical infrastructure sector.  However, it is not completely clear what types of businesses make up the “critical infrastructure” sector.  Mentioned among these critical infrastructure sectors are communications, critical manufacturing, energy, finance health care and information technology, although the Framework arguably provides best practices standards for all.  Compliance with the Framework is voluntary.

The Framework, however, is just that and is not “one-size-fits-all,” but a guidebook for determining risks and risk tolerance in individual organizations. In addition, the Framework is expected to be updated – the recently released document is version 1.0.

Framework Core

The Framework Core presents a framework for outcomes and is not a checklist. It is akin to project management analysis.  The five functions to organize cybersecurity activities are:


Two-Edged Sword

The Framework provides a structure of analysis for plans and activities that, if followed in a meaningful way (and the steps taken documented), would go a long way to show reasonable security and procedures are in place and could, in fact, limit consequences of a breach. Likely no one is immune to data breaches – compliance with policies and plans determined using the Framework analysis could mitigate losses and damages in the event of lawsuit arising out of a cybersecurity event.  Also, apparently coming later are government provided incentives to promote participation in the Framework and related programs.  The incentives are contemplated in the Executive Order, but are not yet established.  Possible types of incentives which have been mentioned include cybersecurity insurance grants, liability limitation, streamlined regulation and public recognition.

The other side of the coin is that failure to follow the Framework analysis could result in a determination that the procedures in place do not rise to the commercially reasonable standard likely resulting in additional liability.

Last, be aware that public assertions or advertising concerning adoption or use of the Framework must be accurate. The Federal Trade Commission (FTC) has taken an interest in cybersecurity and data protection and has brought numerous actions against companies claiming compliance with the European Union Safe Harbor for data transfer alleging these companies were not actually in compliance with the terms of the safe harbor.

In any event, use of the Framework to determine risks and put policies and plans in place may be a prudent course and save expenses later.