On August 6, Michael Daniel, Special Assistant to the President and the Cybersecurity Coordinator, posted on the White House blog a set of possible incentives for companies that voluntarily adopt the Cybersecurity Framework currently being created by the National Institute of Standards and Technology (NIST).
The Cybersecurity Framework is a voluntary set of rules based on existing standards, practices and guidelines designed to reduce cybersecurity risks to critical infrastructure authorized by President Obama Executive Order 13636 (EO), Improving Critical Infrastructure Cybersecurity.
Once the Cybersecurity Framework is completed, the EO tasks the Department of Homeland Security (DHS) with creating a Voluntary Program intended to encourage private companies to follow the guidelines established in the Cybersecurity Framework. Recommended by the Departments of Homeland Security, Commerce and Treasury, these incentives are to be used to make compliance with the Cybersecurity Framework more attractive to private companies who may not want to spend the money and time to invest in their cybersecurity protection:
- Cybersecurity Insurance – The insurance industry should be engaged while developing the Cybersecurity Framework and Voluntary Program in order to help build underwriting practices that encourage the use of cyber risk-reducing measures and risk-based pricing.
- Grants – Federal grant programs should encourage the adoption of the Cybersecurity Framework by making participation in the Voluntary Program a criteria or factor in determining the award of certain federal grants.
- Process Preference – The participation in the Voluntary Program can be used as a consideration when private companies request government service delivery be expedited.
- Liability Limitation – Reduced tort liability, limited indemnity, higher burdens of proof, or the creation of a Federal legal privilege that preempts State disclosure requirements can be offered to private companies participating in the Voluntary Program.
- Streamline Regulations – Agencies will continually work to reduce overlaps between existing laws, regulations and the Cybersecurity Framework to make participation in the Voluntary Program as painless as possible.
- Public Recognition – The use of public recognition for Voluntary Program participants could be used as a method of encouragement for companies to comply with the Cybersecurity Framework.
- Rate Recovery for Price Regulated Industries – It is recommended that consideration be given to working with federal, state and local regulators and specific agencies that regulate utility rates to allow recovery to private companies for cybersecurity investments related to participation in the Voluntary Program.
- Cybersecurity Research – The government can direct research and development to help create solutions to gaps in cybersecurity where commercial solutions do not yet exist.
These incentives are only suggestions and are not final policy; however, they are a good start to helping the Cybersecurity Framework and Voluntary Program make a real difference by encouraging private companies to comply without forcing them to via federal regulation.
"Cybersecurity Framework Incentive Ideas Released" was written by Sam Imandoust, Esq. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to the original piece.