April 20, 2018

Cybersecurity: NIST’s New Framework (Version 1.1)

Recently, NIST released an updated cybersecurity framework. This popular framework is entitled “Version 1.1” rather than the “2.0” that some (including us) were calling it when the proposal was released last year.

Here’s an excerpt from this Wachtell Lipton memo:

The updated Framework, entitled Version 1.1, is intended to clarify and refine (rather than replace) NIST’s original 2014 Cybersecurity Framework, Version 1.0, and builds on the original version’s five core cybersecurity functions—Identify, Protect, Detect, Respond, and Recover—and tiered implementation system. Instead of a “one-size-fits-all” approach, the Framework continues to be a flexible platform that can be customized to address the particular cybersecurity risks faced by any company.

Of broader import, the updated Framework encourages companies to integrate cybersecurity objectives into strategic planning and governance structures and to ensure that cybersecurity is a central part of overall risk management. In terms of other specific changes, Version 1.1 provides new guidance on how to use the Framework to conduct self-assessments of internal and third-party cybersecurity risks and mitigation strategies, includes an expanded discussion of how to manage cyber risks associated with third parties and supply chains, advances new standards for authentication and identity proofing protocols, and addresses how to apply the Framework to a wide range of contexts, such as industrial controls, the use of off-the-shelf software, and the Internet of Things.

Cyber Threats Keeping Investors Up At Night?

Recently, PwC completed its “2018 Global Investor Survey” – reflecting insights from almost 700 investor professionals across the world. PwC’s goal was to compare these views to the results of its earlier CEO survey. One interesting point is that investors don’t seem to share CEO anxiety regarding over-regulation, availability of key skills and tax burdens – but both groups worry about cyber threats & geopolitical uncertainty. Here are some other key findings:

Investors are more confident about the global outlook than they were last year: 54% think global economic growth will improve over the next 12 months – versus 45% in 2017. But investors are cautious about the longer term – they think companies should aim to grow organically and reduce costs.

Geopolitical uncertainty, cyber threats and the speed of technological change are top concerns for investors: Populism and protectionism ranked next among investors’ concerns.

Investors think the biggest challenge facing companies is the pressure to focus on the short term: But investors are also more likely than CEOs to view “declining trust” as an issue.

Investors think cybersecurity should be a top priority for building trust with customers: 64% of investors think that companies should be investing more heavily in cybersecurity protection.

For more intel on what investors are thinking, check out all of the investor surveys that we’ve posted in our “Corporate Governance Surveys” Practice Area.

SEC’s Cyber Enforcement: Mixed Signals?

Despite the SEC’s recent cybersecurity guidance, the creation of its “Cyber Unit” and public statements that more cyber enforcement actions are likely, a new study from NYU & Cornerstone Research found that enforcement activity generally declined last year. This McGuireWoods blog explores this further:

The timing of the decline suggests that the Trump Administration may be reining in regulatory enforcement. However, despite the empirical slowdown, Stephanie Avakian and Steven Peikin, the co-directors of the SEC’s enforcement divisions, deny that there has been any directive from the Trump Administration to slow the enforcement arm of the SEC. In fact, during the annual American Bar Association’s white collar conference, the co-directors cautioned that more enforcement actions—especially related to cybersecurity—may be on the horizon. Indeed, the SEC’s new cybersecurity guidelines coupled with the creation of the SEC Cyber Unit at the end of fiscal 2017 will give the SEC new tools to combat cyber-related misconduct in 2018.

Farewell to Lynn Stout

I’m sad to note that Professor Lynn Stout has passed away. Here’s a remembrance from Cornell.

Liz Dunshee