Cybersecurity Framework - an overview


This article was produced by Olswang LLP, which joined with CMS on 1 May 2017.

In February 2013, President Obama signed an Executive Order on "Improving Critical Infrastructure Cybersecurity", which put into motion a number of initiatives aimed at improving the cybersecurity of the "critical infrastructure" of the US. A year later, in February 2014, the Obama Administration launched the US Cybersecurity Framework (the "Framework"), developed by NIST under that Executive Order. The Framework is a voluntary "how-to" guide for organisations in the critical infrastructure sectors to enhance their cybersecurity.

Each of the Framework's components reinforces the connection between business drivers and cybersecurity activities. The Framework also offers guidance on the privacy and civil liberties considerations that may arise from cybersecurity activities. Meanwhile, the White House is working on ways to incentivise industry to adopt the Framework, and has announced eight incentive areas to aid adoption:

  • Cybersecurity insurance: collaborate with the insurance industry to build underwriting practices to foster a competitive cyber insurance market, which promotes adoption.
  • Grants: adoption of the Framework could become a condition or weighted criterion for receiving Federal infrastructure grants.
  • Process preference: prioritise delivering technical assistance to operators of critical infrastructure based in part on whether those operators have adopted the Framework.
  • Liability limitations: US agencies will consider whether to offer reduced tort liability, limited indemnity, higher burdens of proof, or the creation of a Federal legal privilege pre-empting state disclosure requirements. If companies were given some liability protection for implementing the information-sharing portion of the Framework, they might be more likely to adopt it. Providing such liability protection would require a significant act of Congress.
  • Streamlining regulations: agencies will work to streamline compliance obligations by eliminating overlaps between the Framework and existing regulations.
  • Public recognition: consider whether public recognition of those who adopt the Framework would itself be an incentive to adopt it. However, it is not clear how this would work in practice.
  • Rate recovery for price regulated industries: consider whether the regulatory agencies that set utility rates should allow utilities to recover cybersecurity investments related to Framework adoption.
  • Cybersecurity research: US agencies recommend identifying where new solutions are needed to implement the Framework and supporting research and development to fill those gaps.