On February 12, 2013, President Obama signed an executive order (Executive Order 13636, the “Order”) aimed at enhancing the cybersecurity of the nation’s “critical infrastructure” (generally defined as those “systems and assets” whose incapacity “would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters”). An accompanying policy directive (Presidential Policy Directive 21) designates the financial services sector as one of sixteen “critical infrastructure sectors” and, among other things, directs the Commerce Department’s National Institute of Standards and Technology (“NIST”) to collaborate with industry representatives in order to create a voluntary “cybersecurity framework.” The framework must be “technology neutral” and focused on “cross-sector security standards and guidelines applicable to critical infrastructure.”
Although these standards nominally will be voluntary, the Department of Homeland Security (“DHS”) must develop “a set of incentives” and monitor participation by critical infrastructure entities. Further, the DHS Secretary must deliver to the President an annual list of critical infrastructure items that are “at greatest risk,” meaning that a cybersecurity incident involving these items “could reasonably result in catastrophic regional or national effects on public health and safety, economic security, or national security.” Entities owning or operating these items will be notified confidentially of the “at-greatest-risk” determination (and may request reconsideration of that classification).
The as-yet undefined set of incentives, together with the provisions for DHS oversight, could by themselves spur companies to “voluntarily” adopt the framework. But the Order goes one step further: by requiring regulatory agencies to opine on whether they have the authority to incorporate the provisions of the framework into mandatory regulations, the Order appears to tacitly invite regulators to do just that. According to one official in the Obama administration, the Order allows “regulators to use their existing authority, if needed, as a backstop.” Further, widespread adoption of the framework could cause it to become a de facto standard of care for the industry, at least with respect to critical infrastructure components but possibly more broadly. Given the relatively small number of large financial institutions, only a few would need to adopt the framework before the others, as a practical matter, would potentially have to follow.
While all of this may put pressure on industry to participate in the framework, it is too early to tell how effective it will be or how many companies will choose to participate. The answer ultimately will depend both on the complexity and cost of the framework (which will be layered on the information security requirements and standards that already apply to highly regulated institutions) and on its utility. Financial institutions and other companies that wish to participate in the development of the framework should consider joining NIST working groups or commenting on any working drafts that NIST may release.