The New Cybersecurity Framework—A Roadmap for All Companies


The recent string of well-publicized data breaches has demonstrated that cyber criminals are targeting companies of all sizes and in all industries. Even companies with the most sophisticated security systems admit that the hackers are usually one step ahead of them. The unsophisticated amateur hackers have now been joined by professional cybercriminals and foreign government-sponsored mercenaries intent on stealing confidential and other proprietary information. It is therefore understandable that cybersecurity is now a corporate governance issue that is at the top of the list of concerns for most boards of directors, executives and legal departments. Most companies have had little in the way of government regulations or industry standards to guide them on what they should be doing to protect their own data and the data they handle belonging to customers, vendors and clients.

However, on February 12, 2014, the National Institute of Standards and Technology (NIST), an agency within the Department of Commerce, published a 41-page “Framework for Improving Critical Infrastructure Cybersecurity” (Framework) in response to President Obama’s 2013 Executive Order calling for such a framework. The Framework was created to identify best practices and assessment tools to help critical infrastructure companies develop and implement guards against cybersecurity risks. However, it will likely become a de facto “standard of care” that companies will be judged against in defending claims relating to data breaches, including class actions. Companies that suffer data breaches should expect to be questioned by regulatory authorities and plaintiff lawyers about whether they considered and adopted the best practices contained in the Framework.

The Framework encourages companies to take a risk-based approach to creating and managing cybersecurity and creates a method for companies to determine both where they currently are in terms of managing cybersecurity risks and where they want to be. Companies are encouraged to address the following five core functions as they work to either create or strengthen their cybersecurity program:

1) Identify (conduct a cyber-readiness assessment based on type of data held and level of risk company is willing to assume)
2) Protect (analyze access control, use of protective technology and training)
3) Detect (review security monitoring and detection processes)
4) Respond (implement or update data breach response plan)
5) Recover (inventory, classify and risk rank critical systems and assets)

Each of these five main functions has additional corresponding action items, including best practices, policies and processes that should be considered when creating or updating a cybersecurity program.

NIST recognizes that there is not a one-size-fits-all approach to managing cybersecurity, since companies will have unique risks and different risk tolerances. However, this Framework provides a way for companies, regardless of industry, size or sophistication, to create a cybersecurity program or improve an existing program.

Finally, expect to see future modifications to the Framework based on industry feedback and ongoing changes to the threat environment.


© Snell & Wilmer | Attorney Advertising