- Updated NIST framework has expanded corporate focus
- New guidance on managing cyber governance, third-party risks
Expanded US Commerce Department cybersecurity guidance released this week could yield a sweeping “Rosetta Stone” of digital security for regulators, as well as a compliance blueprint for a wide array of entities with a history of questionable network security practices.
The department’s National Institute of Standards and Technology on Feb. 26 added new sections on corporate governance responsibilities and supply chain risks to its cybersecurity framework, which previously was limited to guidance on protecting critical infrastructure. The latest framework contains a litany of cybersecurity best practices and implementation tools for a range of organizations including schools, small businesses, and local governments.
“Governance underlies everything, it’s the center of the circle,” said Kathleen McGee, a cybersecurity partner at Lowenstein Sandler LLP and former New York state data security regulator. “And it’s there because I think that there’s an expectation by regulators and the plaintiffs’ bar increasingly that the C-Suite is going to be sitting at the top and overseeing governance writ large.”
The updated framework, the latest step in federal efforts to boost US cybersecurity resources and protections, could help other regulators harmonize their cybersecurity enforcement approaches. It also could help companies that adopt it to fend off regulatory enforcement or litigation, McGee said.
The NIST Cybersecurity Framework 2.0 goes beyond the first version’s critical infrastructure focus to offer cybersecurity advice for entities from small businesses with no security program to large organizations employing artificial intelligence. The update includes new sector-specific implementation guides and a terminology reference tool that organizations can use to establish metrics around their cybersecurity practices.
Regulatory Sway
Financial regulators should use the structure and phrasing of NIST’s cybersecurity approach “as a starting point for regulation” that’s more cohesive across the relevant agencies, said Josh Magri, founder and president of the Cyber Risk Institute, a trade organization that helps the financial services sector implement cybersecurity standards from NIST and other agencies.
The institute, which counts major financial organizations including
The updated framework is a potential model for regulators to develop a common glossary of terms and standards, Magri said. There are more than 50 active or proposed cybersecurity incident reporting rules just at the federal level, leading Congress to establish a council for detangling overlapping or conflicting requirements with the passage of the Cyber Incident Reporting for Critical Infrastructure Act in 2022.
“If the regulators don’t speak the same cyber language, then you’re going to have to be translating that all the time, which is a tremendously time-consuming endeavor,” Magri said. “Ultimately, if you want to have advanced cybersecurity, there should be a common understanding on key terms and phrases.”
The revised framework calls for senior leadership to take responsibility for their organization’s network security by monitoring threats from vendors and by communicating the organization’s defense priorities and resources. It also features new discussion of managing supply chain threats, which could make NIST’s approach more practical for regulators to adopt.
Financial regulators already appear mindful of some of the framework’s cybersecurity tenets. A recent SEC lawsuit filed against SolarWinds Corp. and its chief information security officer for allegedly defrauding investors over its cybersecurity practices cites the company’s self-assessment against NIST standards as supporting evidence.
Several states have already codified NIST’s initial framework in laws encouraging basic cybersecurity hygiene such as multi-factor authentication and password management. Lawmakers in states with cybersecurity safe harbor laws that specifically mention NIST’s original framework may now update those statutes, said Melissa Krasnow, a VLP Law Group LLP partner who advises companies on data security compliance.
Three states—Connecticut, Ohio, and Utah—have laws that protect companies in data breach litigation from paying punitive damages or provide them an affirmative defense if they followed a cybersecurity program with certain requirements. Connecticut and Ohio already name NIST’s framework as one of the qualifying cybersecurity programs.
Cyber Baseline
The framework amounts to a set of best practices companies and other organizations can look to for foundational data security designs.
“What you do with it, how you use it, how you implement it has so many potentials,” said Stephen Quinn, a senior computer scientist at NIST who co-authored the framework update. “The cybersecurity framework leads you to the ability to improve your security posture, your supply chain practices.”
The corporate governance language in the expanded guidance is aimed at senior leadership whom regulators increasingly are holding responsible for cybersecurity failures.
The framework provides executives with “plain language so they don’t necessarily have to be technical to have a sense of what your role as the leader should be,” Ari Schwartz, managing director of cybersecurity services at Venable LLP, said.
The new framework also includes material tailored to the cybersecurity needs of small businesses.
NIST is offering cybersecurity advice to organizations that may have fewer resources or a less mature cybersecurity posture, such as small businesses or local school districts, Quinn said.
“If you’ve never had a cyberattack, you’re probably not thinking about a response team,” Quinn said. “So a very practical step is before I’m attacked, before it’s a problem, let me identify the people who will be responsible for responding.”
Following frameworks for cyber standards like NIST’s latest guidance can help entities better protect themselves from regulatory inquiries or litigation following a cyberattack, McGee of Lowenstein said.
McGee said if her clients establish standards using the NIST guidance, they can point back to it as a “benchmark to something that demonstrates reasonableness” in their security measures.