
InfoBytes Blog

Financial Services Law Insights and Observations


  • White House Outlines Potential Cybersecurity Incentives

    Fintech

    On August 6, the White House released proposed incentives to drive participation in the cybersecurity program framework under development by the National Institute of Standards and Technology. Both the framework and the incentives were directed by an Executive Order (EO) issued earlier this year by President Obama. The administration notes that while some of the proposed incentives can be adopted soon after the voluntary framework is established, others will require legislative action. The policy options under consideration include, among others, (i) encouraging cybersecurity insurance, (ii) offering critical infrastructure grants, (iii) limiting liability of participating companies, (iv) streamlining regulations, and (v) providing public recognition.

    Privacy/Cyber Risk & Data Security NIST

  • NIST Releases Draft Outline of Cybersecurity Framework

    Fintech

    On July 2, the National Institute of Standards and Technology (NIST) released a draft outline of a framework to improve the cybersecurity of certain critical infrastructure. It proposes a core structure for the framework and includes a user's guide and an executive overview that describes the purpose, need, and application of the framework in business. Under an Executive Order issued earlier this year, NIST is tasked with developing standards, methodologies, procedures, and processes that will form a voluntary best practices framework to address cyber risks. It solicited and recently analyzed public comments about the voluntary framework. Based on certain comments that emphasized the importance of executive involvement in managing cyber risks, the framework is designed to help business leaders evaluate how prepared their organizations are to deal with cyber threats and their impacts. NIST also released a draft compendium of existing standards, practices, and guidelines to reduce cyber risks to critical infrastructure industries. It plans to publish the official draft Cybersecurity Framework for public comment in October 2013.

    Privacy/Cyber Risk & Data Security NIST

  • Obama Administration Targets Iranian Currency

    Federal Issues

    On June 3, the Obama Administration announced a new Executive Order authorizing sanctions that directly target trade in Iran’s currency, the rial. The order authorizes the Treasury Secretary to take action against foreign financial institutions that knowingly conduct or facilitate significant transactions for the purchase or sale of the rial, or that maintain significant accounts outside of Iran denominated in the rial. Specifically, the Treasury Secretary can (i) prohibit opening, and prohibit or impose strict conditions on maintaining, in the United States, a correspondent account or a payable-through account by such foreign financial institution; or (ii) block all property and interests in property that are in the United States, that come within the United States, or that are or come within the possession or control of any United States person (including any foreign branch) of such foreign financial institution, and provide that such property and interests in property may not be transferred, paid, exported, withdrawn, or otherwise dealt in. The order also (i) subjects to new sanctions persons and financial institutions that knowingly engage in transactions for the supply of significant goods or services used in connection with the automotive sector of Iran, and (ii) expands sanctions against those who materially assist, sponsor, or provide financial, material, or technological support to persons designated by Treasury as the “Government of Iran.”

    Sanctions

  • NIST Prepares Analysis of Comments Submitted Regarding Cybersecurity Framework

    Federal Issues

    On May 16, the National Institute of Standards and Technology (NIST) released an initial analysis of the hundreds of comments it received in response to its request for information to begin developing the "Cybersecurity Framework" required by President Obama's executive order. The analysis sifts from the comments characteristics and considerations the Framework must encompass and practices identified as having wide utility and adoption, and identifies initial gaps in the responses that must be addressed in order to meet the goals of the executive order. The paper also includes a series of questions that will serve as the basis for additional discussion and study at an upcoming workshop to be hosted at Carnegie Mellon University in Pittsburgh, Pennsylvania on May 29-31, 2013.

    NIST

  • NIST Requests Information Regarding Cybersecurity Framework

    Fintech

    On February 26, the National Institute of Standards and Technology (NIST) issued a request for information to begin developing the “Cybersecurity Framework” required by a recent executive order directing NIST to develop a framework to reduce cyber risks to critical infrastructure. The request explains that the framework will incorporate voluntary consensus standards and industry best practices to the fullest extent possible, and should include flexible standards, guidelines, and best practices that provide (i) a consultative process to assess the cybersecurity-related risks to organizational missions and business functions, (ii) a menu of management, operational, and technical security controls, including policies and processes, available to address a range of threats, (iii) a consultative process to identify adequate security controls, (iv) metrics to assess and monitor the effectiveness of security controls, (v) a comprehensive risk management approach that provides the ability to assess, respond to, and monitor information security-related risks and provide industry leadership with necessary information to help make ongoing risk-based decisions, and (vi) a menu of privacy controls. The goal of the framework development process is to (i) identify existing cybersecurity standards, guidelines, frameworks, and best practices that are applicable to increase the security of critical infrastructure sectors and other interested entities, (ii) specify high-priority gaps for which new or revised standards are needed, and (iii) collaboratively develop action plans by which those gaps can be addressed. NIST asks that comments be provided by April 8, 2013.

    NIST Privacy/Cyber Risk & Data Security

  • President Obama Issues Executive Order on Cybersecurity

    Federal Issues

    On February 12, President Obama issued an Executive Order (EO) titled Improving Critical Infrastructure Cybersecurity, and a related Presidential Policy Directive (PPD). The EO establishes a process to facilitate sharing of cybersecurity information among private firms in critical infrastructure sectors and the federal government, and tasks the National Institute of Standards and Technology (NIST) with developing standards, methodologies, procedures, and processes that will form a voluntary best practices framework to address cyber risks. The EO also includes provisions designed to protect privacy and civil liberties. The financial services sector is one of the many sectors identified as a critical sector, and the EO and PPD name the Treasury Department as the federal entity responsible for providing institutional knowledge and specialized expertise as well as leading, facilitating or supporting the security and resilience programs and associated activities for critical financial services firms. On February 13, NIST initiated the process to develop the best practices framework by announcing a request for information from critical infrastructure owners and operators, federal agencies, state, local, territorial and tribal governments, standards-setting organizations, other members of industry, consumers, solution providers and other stakeholders. NIST is required by the EO to prepare a preliminary framework by October 10, 2013, and a final framework by February 12, 2014.

    NIST Privacy/Cyber Risk & Data Security

  • Former Florida Attorney General Comments on the Use of Outside Counsel by State AGs

    Consumer Finance

    On October 16, former Florida Attorney General (AG) Bill McCollum was featured during a STAGE Network webinar on the "Use of Outside Counsel by State AGs to Enforce Federal and State Law." AG McCollum referred to his own experiences, including his leadership in Florida's adoption of the innovative Transparency in Private Attorney Contracts (TiPAC) law, to provide a perspective on issues related to state AGs' engagement of outside counsel. AG McCollum also examined the prospect of an increased role for state AGs in the enforcement of federal laws, particularly the consumer protection related aspects of the Dodd-Frank financial reform statute. Finally, he discussed the comparative restrictions on state and federal actors in engaging outside counsel, particularly due to Executive Order 14333 regarding compensation for outside legal services. The archived webcast can be reviewed in its entirety at this link.

    Dodd-Frank State Attorney General

  • NCUA Issues List of Regulations Subject to Regulatory Review

    Consumer Finance

    On January 30, the NCUA issued a list of regulations to be reviewed in 2012. The NCUA reviews one third of its rules every year to ensure that the regulations are "clearly articulated and easily understood" and that substantive concerns are considered as well. This year, in the spirit of Executive Order 13579 regarding agency regulatory review, the NCUA is seeking comments to help it modify, streamline, expand, or repeal rules that are not required by statute and would not jeopardize safety and soundness. Rules under review this year include, for example, those covering (i) corporate credit unions, (ii) unfair or deceptive acts or practices, (iii) Truth in Savings, (iv) investment and deposit activities, and (v) bank conversions and mergers. The NCUA is accepting comments on the listed regulations through August 3, 2012.

    NCUA
