by Sabastian V. Niles, Marshall L. Miller, and Jeohn Salone Favors
Last week, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released an updated Cybersecurity Framework (PDF: 1,038 KB) that revises NIST’s baseline recommendations for the design of cybersecurity risk management programs. In announcing its release, Commerce Secretary Wilbur Ross described the updated Framework as “a must do for all CEOs” and recommended that “every company” adopt the Framework as its “first line of defense.” As with the prior version, the updated NIST Framework provides a useful tool to guide and benchmark company approaches to cybersecurity risk and will impact how regulators evaluate cybersecurity programs and incident responses across sectors.
The updated Framework, entitled Version 1.1, is intended to clarify and refine (rather than replace) NIST’s original 2014 Cybersecurity Framework, Version 1.0, and builds on the original version’s five core cybersecurity functions—Identify, Protect, Detect, Respond, and Recover—and tiered implementation system. Instead of a “one-size-fits-all” approach, the Framework continues to be a flexible platform that can be customized to address the particular cybersecurity risks faced by any company.
Of broader import, the updated Framework encourages companies to integrate cybersecurity objectives into strategic planning and governance structures and to ensure that cybersecurity is a central part of overall risk management. Version 1.1 also makes several specific changes: it provides new guidance on using the Framework to conduct self-assessments of internal and third-party cybersecurity risks and mitigation strategies; expands the discussion of how to manage cyber risks associated with third parties and supply chains; advances new standards for authentication and identity-proofing protocols; and addresses how to apply the Framework to a wide range of contexts, such as industrial controls, the use of off-the-shelf software, and the Internet of Things.
Though use of the Framework is voluntary for private sector entities and not intended to impose heightened regulatory burdens, the Federal Trade Commission has adopted and utilized the Framework as a benchmarking tool to assess the reasonableness (or inadequacy) of select companies’ responses to cybersecurity breaches in enforcement actions. In a similar vein, the Securities and Exchange Commission has itself utilized the Framework and endorsed it as an aid to guide corporate cybersecurity policies, disclosures, and risk management.
As the NIST Framework continues to develop into an important benchmark for cybersecurity policies and programs, public companies should review the updated Framework and consider how to use it to improve cybersecurity risk oversight and management (see the cybersecurity sections of our March 2018 memo (PDF: 283 KB) on Risk Management and the Board of Directors for additional recommendations).
Sabastian V. Niles is a partner, Marshall L. Miller is of counsel, and Jeohn Salone Favors is an associate at Wachtell, Lipton, Rosen & Katz.