Skip to main content
Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations


Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • NIST to update cybersecurity framework with a focus on supply chain risk

    Privacy, Cyber Risk & Data Security

    On February 22, the National Institute of Standards and Technology (NIST) published a notice and request for information (RFI) in the Federal Register seeking information to assist in the evaluation and improvement of the agency’s “Framework for Improving Critical Infrastructure Cybersecurity,” as well as other existing and potentials standards related to supply chain cybersecurity. NIST stated it is considering updating the framework (last updated in 2018) to account for the changing landscape of cybersecurity risks, technologies, and resources, and noted that it recently announced it intends to launch the National Initiative for Improving Cybersecurity in Supply Chains (NIICS) to address cybersecurity risks in this space. Responses to the RFI will help to inform the direction of the NIICS, including how it may be integrated and aligned with the framework. NIST explained that the framework outlines standards and guidance for private and public sector companies on how to prevent and respond to cyber threats. Acknowledging that much has changed in the cybersecurity landscape since the framework was last updated, including an increased awareness and emphasis on supply chain cybersecurity risks, the RFI seeks information that will support the identification and prioritization of supply chain-related cybersecurity needs across sectors. Among other things, NIST is interested in: the usefulness of the framework for managing risks; the relationship of the framework to other NIST risk management resources; and how companies manage security risks to their software supply chains and whether this area of increasing concern should be incorporated into the framework or whether a new, separate framework focusing on cybersecurity supply chain risk management might be more valuable. Comments are due April 25.

    Privacy/Cyber Risk & Data Security NIST Agency Rule-Making & Guidance Federal Register Risk Management Supply Chain

  • NIST issues draft cybersecurity framework to mitigate ransomware events

    Privacy, Cyber Risk & Data Security

    Recently, the National Institute of Standards and Technology (NIST) issued a draft version of its Cybersecurity Framework Profile for Ransomware Risk Management, which proposes recommended steps for organizations to follow to prevent and mitigate ransomware events. The profile identifies Cybersecurity Framework Version 1.1 security objectives and can be used as a risk-management guide to help gauge an organization’s readiness level. Steps include “identifying and protecting critical data, systems, and devices; detecting ransomware events as early as possible (preferably before the ransomware is deployed); and preparing for responses to and recovery from any ransomware events that do occur.” The profile also outlines basic preventative measures organizations should take, including: (i) using antivirus software at all times to automatically scan emails and flash drives; (ii) ensuring computers are fully patched and running scheduled checks to identify and install new patches; (iii) segmenting internal networks as a precaution against malware; (iv) continuously monitoring directory services (and other primary user stores) to identify indicators of compromise or active attack; (v) blocking access to potentially malicious web resource and allowing only authorized applications; (vi) using standard user accounts; (vii) restricting personally owned devices and the use of personal applications on work computers; (viii) educating employees about social engineering; and (ix) assigning and managing credential authorization and running periodic reviews to ensure each account has the appropriate access only. Among other things, NIST further outlines five cybersecurity framework functions (identify, protect, detect, respond and recover), and advises organizations to develop an incident recovery plan; develop, implement, and test data backups and restoration strategies; and maintain updated contacts for ransomware attacks. According to NIST, taking these proactive measures will help organizations recover from future ransomware events.

    Privacy/Cyber Risk & Data Security NIST Ransomware Risk Management

  • CFTC adopts NIST Privacy Framework

    Privacy, Cyber Risk & Data Security

    On January 28, the CFTC announced that it has adopted the National Institute of Standards and Technology (NIST) Privacy Framework, making it the first federal agency to do so. The September NIST release of a preliminary draft of the framework described it as “[a] Tool for Improving Privacy through Enterprise Risk Management,” covered by InfoBytes here. Among other things, the privacy framework, which advances guidance to mitigate cybersecurity risk, describes processes to mitigate risks associated with data processing and privacy breaches and to assess current privacy risk management measures. According to the announcement, the CFTC will utilize the framework to “better manage and communicate privacy risk throughout the agency,” making them a leader in the data privacy protection arena.

    Privacy/Cyber Risk & Data Security NIST CFTC Risk Management

  • NIST publishes updated Big Data Interoperability Framework

    Privacy, Cyber Risk & Data Security

    On October 21, the National Institute for Standards and Technology (NIST) released the second revision of its Big Data Interoperability Framework (NBDIF), which aims to “develop consensus on important, fundamental concepts related to Big Data” with the understanding that Big Data systems have the potential to “overwhelm traditional technical approaches,” to include traditional approaches regarding privacy and data security. Modest updates were made to Volume 4 of the NBDIF, which focuses on privacy and data security, including recommending a layered approach to Big Data system transparency. With respect to transparency, Volume 4 introduces three levels, starting from level 1, which involves a System Communicator that “provides online explanations to users or stakeholders” discussing how information is processed and retained in a Big Data system, as well as records of “what has been disclosed, accepted, or rejected.” And at the most mature levels, transparency includes developing digital ontologies (multi-level architecture for digital data management) across domain-specific Big Data systems to enable adaptable privacy and security configurations based on user characteristics and populations. Largely intact, however, are the Big Data Safety Levels, in Appendix A which are voluntary (standalone) standards regarding best practices for privacy and data security in Big Data systems, and include application security, business continuity, and transparency aspects.

    Privacy/Cyber Risk & Data Security Big Data NIST

  • NIST requests comments on draft privacy framework

    Privacy, Cyber Risk & Data Security

    On September 6, the National Institute of Standards and Technology (NIST) released a preliminary draft of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management to help organizations assess and reduce risks. The draft framework is designed to align with NIST’s Cybersecurity Framework (previously covered by InfoBytes here), which provides guidance that critical infrastructures, including the financial services industry, should voluntarily follow to mitigate cybersecurity risk. The draft framework establishes three components to reinforce privacy risk management: (i) the “Core” describes a set of privacy activities and outcomes used to manage risks that arise from data processing or are associated with privacy breaches; (ii) “Profiles” cover an organization’s current privacy activities or desired outcomes that have been prioritized to manage privacy risk; and (iii) “Implementation Tiers” address how organizations see privacy risk, and whether they have sufficient processes and resources in place to manage that risk. According to NIST, “Finding ways to continue to derive benefits from data while simultaneously protecting individuals’ privacy is challenging, and not well-suited to one-size-fits-all solutions.” Public comments will be accepted through October 24.

    Privacy/Cyber Risk & Data Security NIST

  • National Institute of Standards and Technology issues updated cybersecurity framework

    Privacy, Cyber Risk & Data Security

    On April 16, the National Institute of Standards and Technology (NIST) announced the release of enhancements to its cybersecurity framework guidance that critical infrastructures, including the financial services industry, should voluntarily follow to mitigate cybersecurity risk. Updates to Cybersecurity Framework Version 1.1 (Framework) incorporate comments received from public feedback, team members, and workshops held over the past two years, as well as stakeholder input on draft versions. Changes include the addition of (i) explanations to clarify that the Framework can be used to promote compliance with an organization’s own cybersecurity requirements; (ii) a cybersecurity risk self-assessment section; (iii) an expanded section addressing ways in which the Framework can be used to manage cybersecurity within the supply chain; (iv) refinements to authentication and identity processes; (v) new language explaining the “relationship between Implementation Tiers and Profiles” in regard to risk management programs; and (vi) a new subcategory on the lifecycle of vulnerability disclosure. The process for which changes are made to the Framework may be viewed on NIST’s website. NIST further notes that both first-time and current Framework users should experience minimal to no disruptions when implementing the updated Framework, and are encouraged to customize the Framework “to maximize individual organizational value.”

    As previously covered in InfoBytes, last year President Trump issued an Executive Order directing federal agencies to follow NIST’s Framework to manage cybersecurity risk.

    Privacy/Cyber Risk & Data Security NIST Risk Management

  • FFIEC Releases FAQs on Cybersecurity Assessment Tool

    Federal Issues

    On October 17, the FFIEC published a Frequently Asked Questions guide related to the Cybersecurity Assessment Tool (Assessment) that was released in Summer 2015. Developed to assist financial institutions identify risks and to assess cybersecurity preparedness, use of the Assessment is voluntary. The FAQs guide explains that management may use the Assessment to determine an institution’s cybersecurity maturity level within five different domains: (i) Cybersecurity Risk Management and Oversight; (ii) Threat Intelligence and Collaboration; (iii) Cybersecurity Controls; (iv) External Dependency Management; and (v) Cyber Incident Management and Resilience. The FAQs guide clarifies that “the Assessment is not designed to identify an overall cybersecurity maturity level.” Regarding third-party oversight, FAQ number 10 explains that the Assessment may be used as a resource for management’s “oversight of third parties as part of the institution’s comprehensive third-party management program.” Additional topics addressed in the FAQs include, but are not limited to, the following: (i) how the Assessment aligns with the National Institute of Standards and Technology Cybersecurity Framework; (ii) whether an automated version of the Assessment will be released; (iii) the Assessment’s ability to determine an institution’s Inherent Risk Profile; and (iv) the expectations for Inherent Risk Profile levels to align with an institution’s Cybersecurity Maturity.

    Federal Issues FFIEC Bank Supervision NIST Risk Management Privacy/Cyber Risk & Data Security

  • National Institute of Standards and Technology Publishes New Guidance on Privacy Controls

    Privacy, Cyber Risk & Data Security

    On December 16, the NIST announced the release of its new guidance on assessing the security and privacy safeguards for federal information systems and organizations. The updated guidance will be used by government IT security professionals to “assess a wide range of software configurations, physical security measures and operating procedures meant to safeguard information systems from both chance failures and hostile attacks.” The new guidance complements the NIST’s Security and Privacy Controls for Federal Information Systems and Organizations catalogue.

    NIST Privacy/Cyber Risk & Data Security

  • NIST Releases Final Cybersecurity Framework

    Privacy, Cyber Risk & Data Security

    On February 12, the Obama Administration released the Cybersecurity Framework prepared by NIST, as called for by Executive Order 13636 issued by President Obama one year ago. The Framework organizes best practices regarding cyber risks into three components—the Framework Core, Profiles and Tiers—each of which “reinforces the connection between business drivers and cybersecurity activities.” The Framework Core component is described as a set of cybersecurity activities and informative references that are common across critical infrastructure sectors. The cybersecurity activities are grouped into five functions—Identify, Protect, Detect, Respond, and Recover—which provide a high-level view of an organization’s management of cyber risks. The second component, Profiles, is designed to assist organizations in aligning their cybersecurity activities with business requirements, risk tolerances, and resources. Finally, the Tiers component provides a mechanism for organizations to view their approach and processes for managing cyber risk. The Department of Homeland Security has established a voluntary program intended to increase awareness and use of the Framework to help organizations of all sizes manage cybersecurity risks and improve security and resilience of critical infrastructure. NIST hopes the Framework will serve as a model for international cooperation on strengthening critical infrastructure cybersecurity. NIST will continue to update and improve the Framework as the industry provides feedback on implementation. NIST also issued a Roadmap that discusses its next steps with the Framework and identifies key areas of cybersecurity development, alignment, and collaboration.

    Privacy/Cyber Risk & Data Security NIST

  • NIST Cybersecurity Framework Will Not Include Privacy Standards Appendix

    Privacy, Cyber Risk & Data Security

    On January 15, NIST updated the status of its efforts to finalize the voluntary Cybersecurity Framework directed by President Obama’s Executive Order 13636. According to the update, NIST expects to publish the final framework on February 13, 2014, but the initial final version will not include an appendix with specific privacy standards. Citing insufficient support from stakeholders, NIST instead will include an alternative methodology that it believes will better allow organizations to incorporate general privacy principles when implementing a cybersecurity program.

    Privacy/Cyber Risk & Data Security NIST


Upcoming Events