
InfoBytes Blog

Financial Services Law Insights and Observations


  • NIST Releases Preliminary Cybersecurity Framework

    Privacy, Cyber Risk & Data Security

    On October 22, the National Institute of Standards and Technology (NIST) released its Preliminary Cybersecurity Framework pursuant to President Obama’s Executive Order 13636, titled Improving Critical Infrastructure Cybersecurity. The Preliminary Framework seeks to help critical infrastructure owners and operators reduce cybersecurity risks through voluntary best practices. The financial services sector is one of the many sectors identified as a critical sector, and NIST notes that the Preliminary Framework can be applied by organizations beyond those contemplated by the Executive Order. The Preliminary Framework outlines steps that can be customized to various sectors and adapted by organizations of any size while providing a consistent approach to cybersecurity. It offers a common language and mechanism for organizations to determine and describe their current cybersecurity posture, as well as their target state for cybersecurity. The Preliminary Framework is intended to help all organizations identify and prioritize opportunities for improving cybersecurity risk management. NIST will accept public comments for 45 days, will hold a workshop on the Preliminary Framework on November 14 and 15 at North Carolina State University, and will release the finalized framework in February 2014, as required by the Executive Order.

    Privacy/Cyber Risk & Data Security NIST

  • Comptroller Highlights Emerging Cybersecurity Risks, Discusses OCC and Financial Institution Responses

    Privacy, Cyber Risk & Data Security

    On September 18, in remarks before the Exchequer Club, Comptroller of the Currency Thomas Curry highlighted the emerging operational risks for financial institutions posed by cyberattacks, one of several risk areas identified by the OCC in its recent semiannual report. Comptroller Curry said bank cyberattacks have led to only minor disruptions so far, but are evolving and growing with the development and implementation of new technologies. The Comptroller identified the OCC’s and other federal banking agencies’ attempts to address these risks, including through an FFIEC working group created earlier this year. The Comptroller hopes the working group will address cyber issues through changes to examination policy and by supporting increased information sharing and communication between regulated institutions and their regulators, as well as among regulators and other government entities. According to the Comptroller, the OCC currently is engaged in outreach on this issue to all of its regulated institutions, but is especially focused on assisting community banks and thrifts. The Comptroller urged financial institutions, their boards, and senior-level management to be aware of and engaged on the risks posed by cyber threats, including, for example, by considering the potential for new products or strategic business decisions to create new vulnerabilities. He also implored institutions and their leaders to effectively share information, such as through industry cyber threat sharing organizations.

    OCC FFIEC Privacy/Cyber Risk & Data Security

  • NIST Releases Draft Cybersecurity Framework

    Privacy, Cyber Risk & Data Security

    Recently, the National Institute of Standards and Technology (NIST) released a discussion draft of its preliminary cybersecurity framework. Under an Executive Order issued earlier this year, NIST is tasked with developing standards, methodologies, procedures, and processes that will form a voluntary best practices framework to address cyber risks. The discussion draft framework provides a uniform guide for developing robust cybersecurity programs for organizations. It provides a common structure for managing cybersecurity risk, is intended to help organizations identify and understand their dependencies on business partners, vendors, and suppliers, and is designed to facilitate coordination of cybersecurity risk within industries. The Framework places cybersecurity activities into five functions – identify, protect, detect, respond, and recover – and urges organizations to implement capabilities in each area. NIST released the draft in advance of the Fourth Cybersecurity Framework workshop on September 11-13, 2013, at the University of Texas at Dallas. It also is accepting comments via email.

    NIST Privacy/Cyber Risk & Data Security

  • White House Outlines Potential Cybersecurity Incentives

    Fintech

    On August 6, the White House released proposed incentives to drive participation in the cybersecurity program framework under development by the National Institute of Standards and Technology. Both the framework and the incentives were directed by an Executive Order (EO) issued earlier this year by President Obama. The administration notes that while some of the proposed incentives can be adopted soon after the voluntary framework is established, others will require legislative action. The policy options under consideration include, among others, (i) encouraging cybersecurity insurance, (ii) offering critical infrastructure grants, (iii) limiting liability of participating companies, (iv) streamlining regulations, and (v) providing public recognition.

    Privacy/Cyber Risk & Data Security NIST

  • NIST Releases Draft Outline of Cybersecurity Framework

    Fintech

    On July 2, the National Institute of Standards and Technology (NIST) released a draft outline of a framework to improve the cybersecurity of certain critical infrastructure. It proposes a core structure for the framework and includes a user's guide and an executive overview that describes the purpose, need, and application of the framework in business. Under an Executive Order issued earlier this year, NIST is tasked with developing standards, methodologies, procedures, and processes that will form a voluntary best practices framework to address cyber risks. It solicited and recently analyzed public comments about the voluntary framework. Based on certain comments that emphasized the importance of executive involvement in managing cyber risks, the framework is designed to help business leaders evaluate how prepared their organizations are to deal with cyber threats and their impacts. NIST also released a draft compendium of existing standards, practices, and guidelines to reduce cyber risks to critical infrastructure industries. It plans to publish the official draft Cybersecurity Framework for public comment in October 2013.

    Privacy/Cyber Risk & Data Security NIST

  • FFIEC Creates Cyber Security Working Group

    Federal Issues

    On June 6, the Federal Financial Institutions Examination Council (FFIEC) announced the formation of a working group to further promote coordination across the federal and state banking regulatory agencies on critical infrastructure and cybersecurity issues.

    FFIEC Privacy/Cyber Risk & Data Security

  • NIST Prepares Analysis of Comments Submitted Regarding Cybersecurity Framework

    Federal Issues

    On May 16, the National Institute of Standards and Technology (NIST) released an initial analysis of the hundreds of comments it received in response to its request for information to begin developing the "Cybersecurity Framework" required by President Obama's executive order. The analysis sifts from the comments characteristics and considerations the Framework must encompass and practices identified as having wide utility and adoption, and identifies initial gaps in the responses that must be addressed in order to meet the goals of the executive order. The paper also includes a series of questions that will serve as the basis for additional discussion and study at an upcoming workshop to be hosted at Carnegie Mellon University in Pittsburgh, Pennsylvania on May 29-31, 2013.

    NIST

  • NIST Requests Information Regarding Cybersecurity Framework

    Fintech

    On February 26, the National Institute of Standards and Technology (NIST) issued a request for information to begin developing the “Cybersecurity Framework” required by a recent executive order directing NIST to develop a framework to reduce cyber risks to critical infrastructure. The request explains that the framework will incorporate voluntary consensus standards and industry best practices to the fullest extent possible, and should include flexible standards, guidelines, and best practices that provide (i) a consultative process to assess the cybersecurity-related risks to organizational missions and business functions, (ii) a menu of management, operational, and technical security controls, including policies and processes, available to address a range of threats, (iii) a consultative process to identify adequate security controls, (iv) metrics to assess and monitor the effectiveness of security controls, (v) a comprehensive risk management approach that provides the ability to assess, respond to, and monitor information security-related risks and provide industry leadership with the information needed to make ongoing risk-based decisions, and (vi) a menu of privacy controls. The goal of the framework development process is to (i) identify existing cybersecurity standards, guidelines, frameworks, and best practices that are applicable to increasing the security of critical infrastructure sectors and other interested entities, (ii) specify high-priority gaps for which new or revised standards are needed, and (iii) collaboratively develop action plans by which those gaps can be addressed. NIST asks that comments be provided by April 8, 2013.

    NIST Privacy/Cyber Risk & Data Security

  • President Obama Issues Executive Order on Cybersecurity

    Federal Issues

    On February 12, President Obama issued an Executive Order (EO) titled Improving Critical Infrastructure Cybersecurity, and a related Presidential Policy Directive (PPD). The EO establishes a process to facilitate sharing of cybersecurity information among private firms in critical infrastructure sectors and the federal government, and tasks the National Institute of Standards and Technology (NIST) with developing standards, methodologies, procedures, and processes that will form a voluntary best practices framework to address cyber risks. The EO also includes provisions designed to protect privacy and civil liberties. The financial services sector is one of the many sectors identified as a critical sector, and the EO and PPD name the Treasury Department as the federal entity responsible for providing institutional knowledge and specialized expertise as well as leading, facilitating or supporting the security and resilience programs and associated activities for critical financial services firms. On February 13, NIST initiated the process to develop the best practices framework by announcing a request for information from critical infrastructure owners and operators, federal agencies, state, local, territorial and tribal governments, standards-setting organizations, other members of industry, consumers, solution providers and other stakeholders. NIST is required by the EO to prepare a preliminary framework by October 10, 2013, and a final framework by February 12, 2014.

    NIST Privacy/Cyber Risk & Data Security
