NIST’s voluntary cybersecurity framework may be regarded as de facto mandatory

Published 3 March 2014

The National Institute of Standards and Technology’s (NIST) voluntary cybersecurity framework issued in February establishes best practices for companies that support critical infrastructure such as banking and energy. Experts now warn that recommendations included in the framework may be used by courts, regulators, and even consumers to hold institutions accountable for failures that could have been prevented if the cybersecurity framework had been fully implemented by the respective institution.

“It is by law voluntary. But it is going to mutate over time into a de facto or quasi mandatory standard,” said Paul Rosenzweig, founder of Red Branch Consulting and formerly deputy assistant secretary for policy at DHS. “For one thing, regulators may adopt it and tort lawyers that sue banks may view it as a floor.”

Though the framework is voluntary by law, American Banker reports that the financial sector expects regulators to incorporate the cybersecurity framework in their requirements for financial institutions, likely by cross-referencing it to the privacy and security obligations under the Gramm-Leach-Bliley Act of 1999. The White House has already instructed the Treasury Department to offer incentives for industry adoption of the framework, and also for regulators to identify divisions between the framework and their statutory authorities within ninety days of the framework’s release.

The banking industry has praised the framework because of its consistency with current cybersecurity regulations, including current cybersecurity laws under Gramm-Leach-Bliley. Cybersecurity regulations on financial institutions “are probably the most stringent among all the critical infrastructures already,” said Doug Johnson, vice president for risk management policy at the American Bankers Association. Johnson believes that the new cybersecurity framework will validate some of the existing processes that the financial sector currently employs.

Insurance Networking News notes that some industry experts are concerned that the cybersecurity framework will be used as a benchmark in courts should the effectiveness of a bank’s cybersecurity initiatives be called into question. “In the event of a breach that harms its customers, those customers are likely to claim that the institution was negligent. The NIST framework will likely be used by the courts to determine what is reasonable commercial practice,” said Stewart Baker, a partner at Steptoe & Johnson and the first assistant secretary for policy at the Department of Homeland Security. “If the institution has not followed the standard, it will have the burden of showing why its security was reasonable,” said Baker.

Since the framework was created with industry best practices in mind, its recommendations may be recognized as industry standards in litigation. “I don’t think that is such a bad thing for the financial services industry because financial institutions for over a decade now have been operating under the Gramm-Leach-Bliley security rule. In the process of complying with that rule, financial institutions have adopted practices and procedures that very closely mirror what is being adopted in this framework,” said Gerald Ferguson, a partner at BakerHostetler.

It should be noted that NIST refers to the cybersecurity framework as “version 1.0,” implying that the framework is likely to be updated and revised to meet future standards. According to NIST, the updates will ensure the framework meets the needs of critical infrastructure owners and operators in a dynamic and challenging environment.