Individuals and organizations have been scrambling to deal with the aftermath of the Heartbleed bug. When assessing their systems for exposure resulting from Heartbleed, businesses should also assess their risk management practices and identify best practices to prevent and mitigate future potential security breaches. Best practices identified within new U.S. cybersecurity guidelines can be used as a starting point for businesses trying to minimize their risks.
Earlier this year, the White House released the “Framework for Improving Critical Infrastructure Cybersecurity” (the “Framework”), which was developed by the National Institute of Standards and Technology (“NIST”) as a set of standards for private companies that operate “critical infrastructure” to address cybersecurity risk.
Although the Framework is a voluntary set of standards, in the absence of cybersecurity legislation, it could be used in the future as a standard for evaluating the reasonableness of an organization’s cybersecurity program in the event of a lawsuit or regulatory action relating to a breach of security. Moreover, once critical infrastructure organizations begin using the Framework, they will likely expect their service providers to also use the Framework. Organizations that delay reviewing their risk management practices may later find themselves pressured to make necessary changes when issues are brought to their attention by third parties.
In addition to potential legal liability, organizations should shore up their cybersecurity risk program to address potential operational, financial, reputational, and other risks. The consequences of a security breach, including business interruption, compromise of information, financial losses, and loss of trust, can be devastating to any business.
Although the Framework provides concrete guidelines, it is designed to be flexible based on each organization’s unique risks. Organizations with an existing risk management process and cybersecurity program can use the Framework as a tool to identify gaps in their practices and develop a plan for improvement. Organizations without an existing program can use the Framework as a foundation to design and implement a cybersecurity program. Organizations should identify whether and how the Framework can complement and support applicable data security or privacy regulations, including industry-specific regulations and state law.
The evaluation of whether to adopt the Framework involves decisions that can affect an entire organization, and so a team familiar with the organization’s current approach to risk management, data privacy, security, legal issues, and vendor oversight should collaborate to consider the Framework. Although cybersecurity is often a task relegated to a business’ IT personnel, the team should involve senior leadership and management levels.
If you have questions regarding whether the Framework would be helpful to your business, or whether your organization’s cybersecurity policies and practices are compliant with applicable law, contact Jennifer Puplava at (616) 632-8050, or the Mika Meyers attorney with whom you normally work.