In February, the Obama Administration issued an Executive Order designed to strengthen the cybersecurity of the United States’ critical infrastructure. As part of that Order, the Department of Commerce’s National Institute of Standards and Technology (“NIST”) was tasked with developing a cybersecurity framework (“Framework”). The Framework will seek to align critical infrastructure stakeholders’ practices and capabilities in an effort to reduce the overall risk that infrastructure faces from potential cyber-attacks. In a blog post published on Tuesday, August 6 by Special Assistant to the President and Cybersecurity Coordinator Michael Daniel, the Administration announced that once the Framework is finalized in February, 2014, the Executive will create a “Voluntary Program” to encourage adoption of the Framework. To encourage critical infrastructure companies to join the Program, certain incentives will be available only to those companies who adopt the Framework.
The Administration announced eight areas of potential incentives for adopting the Framework, including reduced tort liability, access to a cybersecurity insurance market and advantages in winning federal critical infrastructure grants. Each agency involved in creating the Framework was tasked with reviewing these incentives, gathering substantive input from the critical infrastructure stakeholders it works with, and providing the President with an agency report outlining both the incentives it recommends and how those incentives can be implemented. The Washington Post reported on these incentives and quoted Alston & Bird’s Kim Peretti, co-chair of the firm’s Security Incident Management and Response Team, who stated “The variety of approaches and creativity gives something to the private sector to start feedback.” [Complete Washington Post article available at: http://www.washingtonpost.com/business/on-it/how-the-white-house-could-incentivize-cybersecurity-compliance/2013/08/08/83b7c914-ff71-11e2-9711-3708310f6f4d_story.html].
The eight areas of potential incentives, and a brief description of each, are as follows:
- Cybersecurity Insurance – Create a Cybersecurity Insurance market designed, in part, on adoption of the Framework. NIST is currently engaging with the insurance industry to develop underwriting practices meant to “promote the adoption of cyber risk-reducing measures and risk-based pricing” in order to “foster a competitive cyber insurance market.”
- Grants – Make adoption of the Framework either a pre-requisite, or a “weighted criteria” for receiving federal critical infrastructure grants.
- Process Preference – Besides assistance the government provides to individual companies in responding to specific cybersecurity incidents, it also provides general technical assistance to critical infrastructure companies. Adoption of the Framework would put an organization on a priority list to receive such assistance.
- Liability Limitation – With legislation, adoption of the Framework could lead to “reduced tort liability, limited indemnity, higher burdens of proof, or the creation of a Federal legal privilege that preempts State disclosure requirements.”
- Streamline Regulations – Agencies will make efforts to eliminate overlaps between current laws and regulations and seek to enable “equivalent adoption across regulatory structure, and reducing audit burdens.”
- Public Recognition – Provide optional recognition that an organization and its vendors have adopted the Framework.
- Rate Recovery for Price Regulated Industries – Allow utility rate recovery to offset the cost of cybersecurity investments made in furtherance of adopting the Framework.
- Cybersecurity Research – For gaps where commercial solutions do not exist to implement the Framework, create programs that encourage research and development to create those commercial solutions.
These preliminary incentives were developed by the Departments of Commerce, Homeland Security and Treasury. While those three departments provided the White House with separate reports on potential incentives, the Administration noted they were “complementary” to one another, and so chose to provide a single list of eight recommended areas. Recognizing that the recommended incentives were “developed in a relatively short time frame,” while the Framework is still under development, the White House stressed that the incentives were based on “significant feedback” from those critical infrastructure stakeholders that provided responses to NIST’s Notice of Inquiry on the subject. While the White House noted that some of the recommended incentives could be implemented “quickly under existing authorities,” others will require “legislative action and additional maturation of the Cybersecurity Framework and Voluntary Program.” None of the incentives will be put in place until after the Framework is finalized.
The complete White House blog post on the incentives is available at: http://www.whitehouse.gov/blog/2013/08/06/incentives-support-adoption-cybersecurity-framework