Does the NIST Framework for Improving Critical Infrastructure Cybersecurity create a standard for executive officers and boards of directors of private companies? Good question, right?
Short answer: it is at least developing into a standard in cybersecurity, even though the Framework itself repeatedly says that it is voluntary. If the Framework is not currently a standard (although it might be), it will become one of the applicable standards, though not necessarily the only one.
For executive officers and directors, whether or not you like or agree with the Framework, if you are not already in the process, you need to get comfortable with the Framework and include it alongside your other cybersecurity risk management processes. I expect that as cyber hacking problems and catastrophic events continue to occur, and they will occur, executives and board members, including board members who are responsible for risk oversight, will start to be asked whether their organization uses the Framework, what their organization’s stage of implementation and sophistication in cyber risk management is, and other questions based on the Framework provisions.
See also, for example, the new NACD Cyber-Risk Oversight, Director’s Handbook Series, 2014 Edition, produced in conjunction with the Internet Security Alliance (ISA) and AIG, which refers to the NIST Framework, including at Principle 4, which states that directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
The NIST Framework core processes are: identify, protect, detect, respond and recover. But the details of those processes do not tell anyone what specifically to do to prevent or protect a business or entity from a cyber hack or breach, now or in the future. Thus, the possible standard is a process. What if the process is followed in good faith, but a breach still occurs, including a catastrophic breach? In that circumstance, is there a breach of duty by an officer, director or the business or entity? In that circumstance, is there liability, assuming the required post-breach procedures are followed? I would argue no, there cannot be and is no breach of duty or liability. It is impossible to stop all hacks and breaches. If you have doubt, do an internet search for cyber hacks in 2014 to see the huge numbers of attacks, origins and targets.
The following is a link to the NIST Framework in PDF form: nist cybersecurity-framework-021214-final
Dave Tate, Esq.