Evidence continues to mount for broad acceptance of NIST CSF
Action Item: Executives, General Counsels, Compliance Officers, and Board Members across industries should consider these principles.
Last week (April 17, 2015), the National Association of Insurance Commissioners (NAIC) adopted twelve basic principles to provide guidance to insurers, producers, and other regulated entities.
The release prominently discloses that “These principles have been derived from the Securities Industry and Financial Markets Association’s (SIFMA) ‘Principles for Effective Cybersecurity Regulatory Guidance’.” In other words, the financial services industry in many ways has been, and continues to be, a leader on the guidance front.
We believe this release adds to the growing evidence that uniform cybersecurity practices are being accepted across industries and that the federal framework is gaining a foothold.
The NAIC Cybersecurity Task Force has provided basic guidance for how insurers and related entities should approach information security practices. While the release contains no earth-shattering new IT security concepts, the Cybersecurity Task Force, formed in November 2014, has clearly given an official endorsement to the NIST Framework for Improving Critical Infrastructure Cybersecurity (“NIST CSF”). We would add that core principles of the NIST CSF, such as adopting a risk-based approach and tying cybersecurity concerns to an insurer’s Enterprise Risk Management program, are clearly built into the release.
We believe the Cybersecurity Task Force has acted judiciously, taking its time in putting out these basic principles and, intelligently, choosing not to reinvent the wheel. While the principles represent obvious best practices, we still believe such guidance is a helpful form of communication across the enterprise, for Executive Management and the Board of Directors alike. In effect, what we are looking at is a simplified maturity model that should be considered across industries.
Some of the highlights of the release include:
Principle 9: Cybersecurity risks should be incorporated and addressed as part of an insurer’s or an insurance producer’s enterprise risk management (ERM) process. Cybersecurity transcends the information technology department and must include all facets of an organization.
As momentum continues for acceptance of the NIST CSF, we would suggest that increasingly the Framework will be viewed as a “standard of care.” This is good news as the NIST CSF is a manageable and cost-effective solution.
Please contact Artemis if you are interested in custom Framework implementation based on the NIST CSF.
For Further Information: