
Voluntary cyber security framework proposed for critical U.S. infrastructure

Voluntary plan may spur broader coverage


A voluntary cyber security framework proposed for critical U.S. infrastructure ultimately could help protect noncritical data and lead to expanded cyber coverage by insurers.

Meanwhile, insurers have been asked to provide incentives to encourage wider acceptance of the proposed guidelines.

In its proposal last month, the National Institute of Standards and Technology responded to President Barack Obama's executive order, issued earlier this year as a component of a broader effort to strengthen the cyber security of the nation's critical infrastructure.

The framework NIST proposed is organized around five core functions for keeping information and systems safe: identify risks, protect systems, detect attacks, respond to incidents and recover afterward.

“From the beginning, the president envisioned this as a voluntary effort that would be based on consensus standards and industry best practices to the extent possible,” NIST Director Patrick Gallagher said in a statement. “From the beginning, we wanted to make sure that this was something that would be flexible and able to be tailored to the needs of individual businesses and organizations.”

President Obama's executive order preceded a May congressional report, which concluded that despite the U.S. electric grid being targeted by numerous cyber attacks every day, most utilities comply only with mandatory cyber security standards set by the Atlanta-based North American Electric Reliability Corp. and have failed to implement voluntary measures proposed previously.


In a meeting last week, President Obama and executives from eight companies — MasterCard Inc., Symantec Corp., Northrop Grumman Corp., Lockheed Martin Corp., Intel Corp., Bank of America Corp., Pepco Holdings Inc. and Visa Inc. — discussed how to encourage the framework's adoption, and the difficulties involved in helping small and medium-size companies adopt best practices, the White House said in a statement.

“Both companies and government officials also expressed the strong desire to have Congress pass information sharing legislation that protects privacy and civil liberties,” the White House said in the statement.

Legislation intended to protect the nation's critical infrastructure failed to win Congressional approval earlier this year amid privacy advocates' concerns about protecting personally identifiable information.

Joseph M. Rigby, chairman, president and CEO of Washington-based energy delivery company Pepco, who attended the meeting with the president, said his firm has volunteered to be among the first utilities to apply the NIST-proposed framework. In a statement, he said individual states should support the framework and provide for prompt recovery of investments made in cyber security.

The NIST guidelines are a “good first step in framing the cyber security conversation,” said Jack Whitsitt, principal analyst with the Energy Sector Security Consortium Inc., a Clackamas, Ore.-based industry group. “There's a lot of coordination and communication involved in improving cyber security nationally, and having a common framework will be critical to that.”


“This is designed for critical-infrastructure entities only, although it provides very good guidance to others of what at least the NIST believes is appropriate for security measures,” said Michael R. Overly, a partner with law firm Foley & Lardner L.L.P. in Los Angeles.

“It may formalize somewhat practices that in many places may already be in place” and “raise the bar” for other entities that do not have advanced information security practices in place, said David N. Fagan, a partner with Covington & Burling L.L.P. in Washington.

“It's a great start to put a voluntary framework together” and a “good way to develop the standards,” said Christopher Keegan, New York-based senior vice president of national resource errors and omissions and e-risk at Willis North America Inc.

However, Kevin Kalinich, Chicago-based national managing director at Aon Risk Solutions, said the framework “was intended to have great flexibility, which was supposed to be a strength, but it's also a weakness because it doesn't say what you need to do to meet a specific threshold.”

Observers say incentives must be provided to encourage adoption of these guidelines, which was the purpose of an August White House meeting between federal officials and insurance brokers.

“Any time anything is voluntary, you've got to incentivize somebody to adopt it, and the administration has been trying to think about ways of what could be those incentives, and on the top of the (administration's) list was cyber insurance,” said Ben Beeson, a London-based partner with Lockton Cos. L.L.P., who attended the meeting.


Rather than products narrowly focused on data breaches, the industry should — and ultimately will — develop products that have the scope of earthquake coverage should there be a major cyber-related disaster, observers say.

“We think that the analysis (of the risk) needs to be broader and deeper and not just limited to cyber insurance experts, but broadened to catastrophic, black swan-type of experts that are more familiar with thinking in terms of a Superstorm Sandy or in terms of the Japanese nuclear plant issue,” said Mr. Kalinich.

There may be $200 million to $300 million in cyber coverage available currently, but it would be “somewhat problematic” whether there is sufficient capacity available to cover 20 such cyber attacks at $300 million each, said Joe DePaul, managing director for cyber risk services with Arthur J. Gallagher Risk Management Services Inc. in Parsippany, N.J. “At some point I think that will be available.”

Among concerns about the voluntary standards is they could increase firms' potential liability.

“Shareholders are going to look at that framework and ask, ‘How do we measure up against that framework?’” said Mr. Beeson.

“Companies should be looking at this document from a legal risk perspective” because of the current environment in which there is litigation over security practices, said Gerald J. Ferguson, a partner with Baker & Hostetler L.L.P. in New York.

Once the public comment period is complete, release of the final document is set for February 2014.