(Washington, DC) The voluntary comprehensive cybersecurity framework issued by the National Institute of Standards and Technology (NIST) last February is already proving helpful to companies and could become a tool used by regulators. But it could also become a de facto requirement for organizations once it starts being cited by plaintiffs’ attorneys, a group of top cybersecurity law specialists said yesterday.
Speaking at a cybersecurity event hosted here by Bloomberg Government, Stewart Baker of Steptoe & Johnson said that the NIST framework could come into play with the impending wave of lawsuits surrounding cyber breaches. "It’s a no-brainer for plaintiffs’ lawyers to say, ‘What do you mean you didn’t even follow the government’s cybersecurity framework?’"
As expected (and feared by some industries), regulators could rely more heavily on the framework as a benchmark for good cybersecurity practices. "The other place we’re going to see the NIST framework used is as regulators [u]se the framework as a way of asking questions about what kind of security you have," Baker said, adding that it could become a kind of test as regulators implement various policies and rules.
"The thought of the SEC [Securities and Exchange Commission] becoming a regulator [in cybersecurity] is quite chilling," Donald Fagan of Covington & Burling said. It’s probably more accurate to label the framework a "precursor to a test," he said. "The framework can be used to determine whether we are acting reasonably," Ben Powell of WilmerHale said.
Right now, few signals are coming out of government agencies that the NIST framework might morph from voluntary to mandatory. "The White House announced that they’re happy with where the voluntary process is going … which surprised us a little bit," Jeff Greene, Senior Policy Counsel for Symantec, said. "The framework, at least for the foreseeable future, will stay pretty much as voluntary as it can."
Symantec has already adopted the framework, albeit in a tailored fashion, Greene said. "We're actually using the NIST framework. We have found it useful internally."
Small businesses, though, have a difficult time adapting to the framework, according to Greene. "At the small business end [t]hey don’t have the in-house IT staff. We have found that we have to talk to them in a one-pager document. We’re trying to distill it down in a way that we can talk to them about it."