Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On January 28, the CFTC announced that it has adopted the National Institute of Standards and Technology (NIST) Privacy Framework, making it the first federal agency to do so. The September NIST release of a preliminary draft of the framework described it as “[a] Tool for Improving Privacy through Enterprise Risk Management,” covered by InfoBytes here. Among other things, the privacy framework, which advances guidance to mitigate cybersecurity risk, describes processes to mitigate risks associated with data processing and privacy breaches and to assess current privacy risk management measures. According to the announcement, the CFTC will utilize the framework to “better manage and communicate privacy risk throughout the agency,” making them a leader in the data privacy protection arena.
On October 21, the National Institute for Standards and Technology (NIST) released the second revision of its Big Data Interoperability Framework (NBDIF), which aims to “develop consensus on important, fundamental concepts related to Big Data” with the understanding that Big Data systems have the potential to “overwhelm traditional technical approaches,” to include traditional approaches regarding privacy and data security. Modest updates were made to Volume 4 of the NBDIF, which focuses on privacy and data security, including recommending a layered approach to Big Data system transparency. With respect to transparency, Volume 4 introduces three levels, starting from level 1, which involves a System Communicator that “provides online explanations to users or stakeholders” discussing how information is processed and retained in a Big Data system, as well as records of “what has been disclosed, accepted, or rejected.” And at the most mature levels, transparency includes developing digital ontologies (multi-level architecture for digital data management) across domain-specific Big Data systems to enable adaptable privacy and security configurations based on user characteristics and populations. Largely intact, however, are the Big Data Safety Levels, in Appendix A which are voluntary (standalone) standards regarding best practices for privacy and data security in Big Data systems, and include application security, business continuity, and transparency aspects.
On September 6, the National Institute of Standards and Technology (NIST) released a preliminary draft of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management to help organizations assess and reduce risks. The draft framework is designed to align with NIST’s Cybersecurity Framework (previously covered by InfoBytes here), which provides guidance that critical infrastructures, including the financial services industry, should voluntarily follow to mitigate cybersecurity risk. The draft framework establishes three components to reinforce privacy risk management: (i) the “Core” describes a set of privacy activities and outcomes used to manage risks that arise from data processing or are associated with privacy breaches; (ii) “Profiles” cover an organization’s current privacy activities or desired outcomes that have been prioritized to manage privacy risk; and (iii) “Implementation Tiers” address how organizations see privacy risk, and whether they have sufficient processes and resources in place to manage that risk. According to NIST, “Finding ways to continue to derive benefits from data while simultaneously protecting individuals’ privacy is challenging, and not well-suited to one-size-fits-all solutions.” Public comments will be accepted through October 24.
On April 16, the National Institute of Standards and Technology (NIST) announced the release of enhancements to its cybersecurity framework guidance that critical infrastructures, including the financial services industry, should voluntarily follow to mitigate cybersecurity risk. Updates to Cybersecurity Framework Version 1.1 (Framework) incorporate comments received from public feedback, team members, and workshops held over the past two years, as well as stakeholder input on draft versions. Changes include the addition of (i) explanations to clarify that the Framework can be used to promote compliance with an organization’s own cybersecurity requirements; (ii) a cybersecurity risk self-assessment section; (iii) an expanded section addressing ways in which the Framework can be used to manage cybersecurity within the supply chain; (iv) refinements to authentication and identity processes; (v) new language explaining the “relationship between Implementation Tiers and Profiles” in regard to risk management programs; and (vi) a new subcategory on the lifecycle of vulnerability disclosure. The process for which changes are made to the Framework may be viewed on NIST’s website. NIST further notes that both first-time and current Framework users should experience minimal to no disruptions when implementing the updated Framework, and are encouraged to customize the Framework “to maximize individual organizational value.”
On October 17, the FFIEC published a Frequently Asked Questions guide related to the Cybersecurity Assessment Tool (Assessment) that was released in Summer 2015. Developed to assist financial institutions identify risks and to assess cybersecurity preparedness, use of the Assessment is voluntary. The FAQs guide explains that management may use the Assessment to determine an institution’s cybersecurity maturity level within five different domains: (i) Cybersecurity Risk Management and Oversight; (ii) Threat Intelligence and Collaboration; (iii) Cybersecurity Controls; (iv) External Dependency Management; and (v) Cyber Incident Management and Resilience. The FAQs guide clarifies that “the Assessment is not designed to identify an overall cybersecurity maturity level.” Regarding third-party oversight, FAQ number 10 explains that the Assessment may be used as a resource for management’s “oversight of third parties as part of the institution’s comprehensive third-party management program.” Additional topics addressed in the FAQs include, but are not limited to, the following: (i) how the Assessment aligns with the National Institute of Standards and Technology Cybersecurity Framework; (ii) whether an automated version of the Assessment will be released; (iii) the Assessment’s ability to determine an institution’s Inherent Risk Profile; and (iv) the expectations for Inherent Risk Profile levels to align with an institution’s Cybersecurity Maturity.
On December 16, the NIST announced the release of its new guidance on assessing the security and privacy safeguards for federal information systems and organizations. The updated guidance will be used by government IT security professionals to “assess a wide range of software configurations, physical security measures and operating procedures meant to safeguard information systems from both chance failures and hostile attacks.” The new guidance complements the NIST’s Security and Privacy Controls for Federal Information Systems and Organizations catalogue.
On February 12, the Obama Administration released the Cybersecurity Framework prepared by NIST, as called for by Executive Order 13636 issued by President Obama one year ago. The Framework organizes best practices regarding cyber risks into three components—the Framework Core, Profiles and Tiers—each of which “reinforces the connection between business drivers and cybersecurity activities.” The Framework Core component is described as a set of cybersecurity activities and informative references that are common across critical infrastructure sectors. The cybersecurity activities are grouped into five functions—Identify, Protect, Detect, Respond, and Recover—which provide a high-level view of an organization’s management of cyber risks. The second component, Profiles, is designed to assist organizations in aligning their cybersecurity activities with business requirements, risk tolerances, and resources. Finally, the Tiers component provides a mechanism for organizations to view their approach and processes for managing cyber risk. The Department of Homeland Security has established a voluntary program intended to increase awareness and use of the Framework to help organizations of all sizes manage cybersecurity risks and improve security and resilience of critical infrastructure. NIST hopes the Framework will serve as a model for international cooperation on strengthening critical infrastructure cybersecurity. NIST will continue to update and improve the Framework as the industry provides feedback on implementation. NIST also issued a Roadmap that discusses its next steps with the Framework and identifies key areas of cybersecurity development, alignment, and collaboration.
On January 15, NIST updated the status of its efforts to finalize the voluntary Cybersecurity Framework directed by President Obama’s Executive Order 13636. According to the update, NIST expects to publish the final framework on February 13, 2014, but the initial final version will not include an appendix with specific privacy standards. Citing insufficient support from stakeholders, NIST instead will include an alternative methodology that it believes will better allow organizations to incorporate general privacy principles when implementing a cybersecurity program.
On October 22, the National Institute of Standards and Technology (NIST) released its Preliminary Cybersecurity Framework pursuant to President Obama’s Executive Order 13636 title Improving Critical Infrastructure Cybersecurity. The Preliminary Framework seeks to help critical infrastructure owners and operators reduce cybersecurity risks through voluntary best practices. The financial services sector is one of the many sectors identified as a critical sector, and NIST notes that the Preliminary Framework can be applied by organizations beyond those contemplated by the Executive Order. The Preliminary Framework outlines steps that can be customized to various sectors and adapted by organizations of any size while providing a consistent approach to cybersecurity. It offers a common language and mechanism for organizations to determine and describe their current cybersecurity posture, as well as their target state for cybersecurity. The Preliminary Framework is intended to help all organizations identify and prioritize opportunities for improving cybersecurity risk management. NIST will accept public comments for 45 days, will hold a workshop on the Preliminary Framework on November 14 and 15 at North Carolina State University, and will release the finalized framework in February 2014, as required by the Executive Order.
Recently, the National Institute of Standards and Technology (NIST) released a discussion draft of its preliminary cybersecurity framework. Under an Executive Order issued earlier this year, NIST is tasked with developing standards, methodologies, procedures, and processes that will form a voluntary best practices framework to address cyber risks. The discussion draft framework provides a uniform guide for developing robust cybersecurity programs for organizations. It provides a common structure for managing cybersecurity risk, is intended to help organizations identify and understand their dependencies on business partners, vendors, and suppliers, and is designed to facilitate coordination of cybersecurity risk within industries. The Framework places cybersecurity activities into five functions – identify, protect, detect, respond, and recover – and urges organizations to implement capabilities in each area. NIST released the draft in advance of the Fourth Cybersecurity Framework workshop on September 11-13, 2013, at the University of Texas at Dallas. It also is accepting comments via email.
- Jonice Gray Tucker to moderate “Pandemic relief response and lasting impacts on access, credit, banking, and equality” at the American Bar Association Business Law Section Spring Meeting
- Jeffrey P. Naimon to discuss "Post-pandemic CFPB exam preparation" at the Mortgage Bankers Association Spring Conference & Expo
- Jonice Gray Tucker to discuss "Making fair lending work for you" at the Mortgage Bankers Association Spring Conference & Expo
- Jonice Gray Tucker to discuss "Reading the tea leaves of President Biden’s initial financial appointees" at LendIt Fintech
- Moorari K. Shah to discuss “CA, NY, federal licensing and disclosure” at the Equipment Leasing & Finance Association Legal Forum
- Jonice Gray Tucker to discuss "Compliance under Biden" at the WSJ Risk & Compliance Forum
- Sherry-Maria Safchuk to discuss UDAAP at an American Bar Association webinar
- Jonice Gray Tucker to discuss “The future of fair lending” at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference