Will NIST’s Framework be Naughty or Nice?
In early 2014, the National Institute of Standards and Technology (NIST) released its Framework for Improving Critical Infrastructure Cybersecurity (referred to by those in the know as the NIST Framework), which is intended to “enable organizations—regardless of size, degree of cybersecurity risk, or cybersecurity sophistication—to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure.” In the words of White House Cybersecurity Coordinator Michael Daniel, the Framework is “not a cookbook. If you open it up and try to read about learning how to run your firewall, you will be sadly disappointed because that’s not what the Framework is.” The Framework is, however, a useful tool for securities firms that are planning (or rethinking) their cybersecurity programs. Indeed, the Framework might be a particularly useful guide for securities firms because the SEC’s recent cybersecurity sweep exam “track[ed] information outlined in” NIST’s Framework.
For more information about how the NIST Framework might affect securities firms, check out this article.