On August 6, the White House released proposed incentives to drive participation in the cybersecurity program framework under development by the National Institute of Standards and Technology. Both the framework and the incentives were directed by an Executive Order (EO) issued earlier this year by President Obama. The administration notes that while some of the proposed incentives can be adopted soon after the voluntary framework is established, others will require legislative action. The policy options under consideration include, among others, (i) encouraging cybersecurity insurance, (ii) offering critical infrastructure grants, (iii) limiting liability of participating companies, (iv) streamlining regulations, and (v) providing public recognition.
On July 23, the National Institute of Standards and Technology released a revised digital signature standard used to ensure the integrity of electronic documents and the identity of the signer. The revised standard includes no major changes, but does update the standard to align it with other publications so that all NIST documents offer consistent guidance regarding the use of random number generators. Another revision concerns the use of prime number generators, which require random initial values when searching for prime numbers.
On July 2, the National Institute of Standards and Technology (NIST) released a draft outline of a framework to improve the cybersecurity of certain critical infrastructure. It proposes a core structure for the framework and includes a user's guide and an executive overview that describes the purpose, need, and application of the framework in business. Under an Executive Order issued earlier this year, NIST is tasked with developing standards, methodologies, procedures, and processes that will form a voluntary best practices framework to address cyber risks. It solicited and recently analyzed public comments about the voluntary framework. Based on certain comments that emphasized the importance of executive involvement in managing cyber risks, the framework is designed to help business leaders evaluate how prepared their organizations are to deal with cyber threats and their impacts. NIST also released a draft compendium of existing standards, practices, and guidelines to reduce cyber risks to critical infrastructure industries. It plans to publish the official draft Cybersecurity Framework for public comment in October 2013.
On June 25, the National Institute of Standards and Technology (NIST) released a mobile device management guide to help federal agencies centrally manage the security of mobile devices. While the NIST document was developed for use by federal agencies, the device management principles may be applicable to other organizations facing similar security concerns. The guide focuses on smart phones and tablets and provides recommendations for selecting, implementing, and using centralized management technologies. It also explains the security concerns inherent in mobile device use and provides recommendations for securing mobile devices throughout their life cycles. The recommendations aim to address security issues related to both organization-provided and personally-owned (“bring your own device”) mobile devices.
On June 11, the National Institute of Standards and Technology (NIST) published a draft security document that provides a comprehensive security model to supplement other NIST efforts to develop a standard vocabulary and implementation framework for the integration of cloud-based applications across the government. NIST will accept comments on the draft document through July 12, 2013. Although NIST’s resources are developed for use by federal agencies, they can influence other policy decisions and may serve as a resource for private firms seeking to understand the benefits and risks of cloud technology.
On May 16, the National Institute of Standards and Technology (NIST) released an initial analysis of the hundreds of comments it received in response to its request for information to begin developing the "Cybersecurity Framework" required by President Obama's executive order. The analysis draws out of the comments the characteristics and considerations the Framework must encompass and the practices identified as having wide utility and adoption, and identifies initial gaps in the responses that must be addressed in order to meet the goals of the executive order. The paper also includes a series of questions that will serve as the basis for additional discussion and study at an upcoming workshop to be hosted at Carnegie Mellon University in Pittsburgh, Pennsylvania on May 29-31, 2013.
On April 30, the National Institute of Standards and Technology (NIST) published a substantially revised version of its Special Publication 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” the government’s core computer security guide. Although developed for use by federal agencies, the NIST Special Publication is widely used in the private sector. The revisions are the most extensive since the document was first published in 2005 and are meant to address evolving and emerging cyber security threats. For example, the new guide incorporates issues specific to (i) mobile and cloud computing, (ii) insider threats, (iii) applications security, (iv) supply chain risks, (v) advanced persistent threats, and (vi) trustworthiness, assurance, and resilience of information systems. It is sector-specific to allow organizations greater flexibility in building information security systems, and also provides for the first time a privacy controls catalog.
On February 26, the National Institute of Standards and Technology (NIST) issued a request for information to begin developing the “Cybersecurity Framework” required by a recent executive order directing NIST to develop a framework to reduce cyber risks to critical infrastructure. The request explains that the framework will incorporate voluntary consensus standards and industry best practices to the fullest extent possible, and should include flexible standards, guidelines, and best practices that provide (i) a consultative process to assess the cybersecurity-related risks to organizational missions and business functions, (ii) a menu of management, operational, and technical security controls, including policies and processes, available to address a range of threats, (iii) a consultative process to identify adequate security controls, (iv) metrics to assess and monitor the effectiveness of security controls, (v) a comprehensive risk management approach that provides the ability to assess, respond to, and monitor information security-related risks and provide industry leadership with necessary information to help make ongoing risk-based decisions, and (vi) a menu of privacy controls. The goal of the framework development process is to (i) identify existing cybersecurity standards, guidelines, frameworks, and best practices that are applicable to increase the security of critical infrastructure sectors and other interested entities, (ii) specify high-priority gaps for which new or revised standards are needed, and (iii) collaboratively develop action plans by which those gaps can be addressed. NIST asks that comments be provided by April 8, 2013.
On February 12, President Obama issued an Executive Order (EO) titled Improving Critical Infrastructure Cybersecurity, and a related Presidential Policy Directive (PPD). The EO establishes a process to facilitate sharing of cybersecurity information among private firms in critical infrastructure sectors and the federal government, and tasks the National Institute of Standards and Technology (NIST) with developing standards, methodologies, procedures, and processes that will form a voluntary best practices framework to address cyber risks. The EO also includes provisions designed to protect privacy and civil liberties. The financial services sector is one of the many sectors identified as a critical sector, and the EO and PPD name the Treasury Department as the federal entity responsible for providing institutional knowledge and specialized expertise as well as leading, facilitating or supporting the security and resilience programs and associated activities for critical financial services firms. On February 13, NIST initiated the process to develop the best practices framework by announcing a request for information from critical infrastructure owners and operators, federal agencies, state, local, territorial and tribal governments, standards-setting organizations, other members of industry, consumers, solution providers and other stakeholders. NIST is required by the EO to prepare a preliminary framework by October 10, 2013, and a final framework by February 12, 2014.
On September 18, the National Institute of Standards and Technology released a final version of its risk assessment guidelines, which are designed to advise all types of government and private organizations—including financial institutions—about information security risks and information technology infrastructures. The Guide for Conducting Risk Assessments provides guidance regarding (i) threats, (ii) vulnerabilities, (iii) impact to missions and business operations, and (iv) the likely threat of exploitation of vulnerabilities in information systems and their physical environment to cause harm or adverse consequence.