The proposed voluntary cyber security framework for critical U.S. infrastructure will act as a blueprint for plaintiffs' attorneys seeking a rationale for filing lawsuits against companies, and it will require firms to be on top of their cyber security procedures in 2014.
But the proposal issued in October by the National Institute of Standards and Technology in response to President Barack Obama's executive order in May should also prove a valuable guide even for companies not considered part of the critical infrastructure, experts say. The final version of the guidelines is anticipated in February.
The proposed NIST framework includes five core functions for keeping information and systems safe: identify risks; protect systems; detect attacks; respond to incidents; and recover afterward.
“The good aspect” of the NIST standards is that it creates minimum standards and encourages information sharing, said Robert Parisi, network security and privacy practice leader at Marsh Inc. in New York. “I think it has potential for being a very positive influence on how people look at cyber information and security.”
The NIST and other guidelines have a positive effect because “to the extent you can adopt or adapt a standard, at least you can tell how you're doing and you can tell your management and you can tell your board, ‘Here's the standard,’” said Alan E. Brill, senior managing director of secure information services at New York-based Kroll Associates Inc.
But Tim Francis, Hartford, Conn.-based enterprise cyber lead for Travelers Cos. Inc., said that while companies will be examining the proposed guidelines in light of their particular security posture, that does not mean that following them “reduces the potential for liability” if there is a breach.
Kevin Kalinich, Chicago-based national managing director at Aon Risk Solutions, said, “The framework may not be mandatory, and it may not have specifics for every type of industry,” but now “plaintiffs' attorneys have a roadmap” to ask whether companies have followed the framework and, if they have not, why not.
Richard J. Bortnick, a shareholder with law firm Christie, Pabarue & Young P.C. in Philadelphia, said even before its formal adoption, as it now stands the NIST proposal “will become the formula for best practices, and companies that fail to adhere to the recommended best practices are going to leave themselves vulnerable to privacy class actions.”
Experts say a related concern is the U.S. Securities and Exchange Commission's October 2011 guidance on publicly traded firms' responsibility to disclose to investors any material cyber risks or loss events.
Michael Born, Kansas City, Mo.-based vice president and account executive, global technology and privacy practice, with Lockton Cos. L.L.C., referred to reports that SEC Chairman Mary Jo White has asked her staff to brief her on compliance with the guidance.
“Some recent comments by the SEC have indicated that they don't believe companies are sufficiently paying attention or giving enough weight to that guidance, and whenever the SEC says anything like that we tend to think they're moving toward making it more mandatory,” Mr. Born said. This means more mandatory requirements could arise around this issue in 2014, he said.
More generally, Mr. Parisi said: “One of the things that we certainly expect to see is the continued awareness around business interruption issues.
“Technology is becoming much more of an issue in companies' day-to-day operation, and that's something people are starting to take real recognition of,” he said.
Company executives are “going to take a harder look at it this year,” he said.