NEW YORK—On Feb. 12, 2014, the National Institute of Standards and Technology (NIST), an agency within the Department of Commerce, published a 41-page “Framework for Improving Critical Infrastructure Cybersecurity” in response to President Obama’s 2013 Executive Order calling for such a framework.

The Framework was created to identify best practices and assessment tools to help critical infrastructure companies develop and implement guards against cybersecurity risks. However, it will likely become a de facto “standard of care” that companies will be judged against in defending claims relating to data breaches, including class actions. Companies that suffer data breaches should expect to be questioned by regulatory authorities and plaintiff lawyers about whether they considered and adopted the best practices contained in the Framework.

Why should the optical industry pay attention to this alert? No doubt you have read and heard on the news about the well-publicized data breaches committed by cyber criminals, who continue to target companies of all sizes and in all industries. Even companies with the most sophisticated security systems admit that the hackers are usually one step ahead of them.

It is understandable that cybersecurity is now a business and corporate governance issue that is at the top of the list of concerns for most boards of directors, executives, business owners and law firms. Most companies have had little in the way of government regulations or industry standards to guide them on what they should be doing to protect their own data and the data they handle belonging to customers, vendors and clients, and the optical industry is no different.

The Framework encourages companies to take a risk-based approach to creating and managing cybersecurity, and it provides a method for companies to determine both where they currently stand in managing cybersecurity risks and where they want to be. Companies are encouraged to address the following five core functions as they work to either create or strengthen their cybersecurity program:

1. Identify
Conduct a cyber-readiness assessment based on type of data held and level of risk the company is willing to assume.

2. Protect
Analyze access control, use of protective technology and training.

3. Detect
Review security monitoring and detection processes.

4. Respond
Implement or update a data breach response plan.

5. Recover
Inventory, classify and risk rank critical systems and assets.

Each of these five main functions has additional corresponding action items, including best practices, policies and processes that should be considered when creating or updating a cybersecurity program.

NIST recognizes that there is no one-size-fits-all approach to managing cybersecurity, since companies will have unique risks and different risk tolerances. However, the Framework provides a way for companies, regardless of industry, size or sophistication, to create a cybersecurity program or improve an existing plan.

Finally, expect to see future modifications to the Framework based on business and industry feedback and ongoing changes to the threat environment.

Hedley Lawson, Contributing Editor
Managing Partner
Aligned Growth Partners, LLC
(707) 217-0979
hlawson@alignedgrowth.com
www.alignedgrowth.com