New US cybersecurity framework issued: in wake of cyber attacks and lawsuits, how should organisations respond?

The US National Institute of Standards and Technology (NIST) recently released version 1.0 of the ‘Framework for Improving Critical Infrastructure Cybersecurity’. The framework was developed in partnership with the private sector and provides a set of voluntary, risk-based measures that can be used by organisations to address cybersecurity risk. Already hailed as a useful resource by leaders in the private and public sectors, the framework is likely to become an influential benchmark in all industries for assessing the reasonableness of an organisation’s cybersecurity programme. As such, it is also likely that the framework will be referenced in regulatory proceedings, commercial and government contracts and litigation filed following data security breaches. This alert summarises the framework’s key elements and suggests practical strategies organisations can use to assess whether and how to use the framework.

On 12 February 2013, US president Barack Obama signed the executive order (EO) on improving critical infrastructure cybersecurity, which, among other things, directed NIST to develop a cybersecurity framework that would ‘help owners and operators of critical infrastructure identify, assess and manage cyber risk’, while incorporating voluntary consensus standards and industry best practices. ‘Critical infrastructure’ is defined extremely broadly in the EO as ‘systems and assets, whether physical or virtual, so vital to the US that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety or any combination of those matters’.

In developing the framework, NIST held multiple workshops, met with representatives from the private and public sectors and received hundreds of public comments on the preliminary framework it released in October 2013. The final framework was announced by the president on 12 February 2014 and presented at a White House event headlined by the secretaries of Homeland Security and Commerce and three chief executive officers…

Click on the link below to read the rest of the Hogan Lovells briefing.