As practitioners are aware, in February 2013, President Obama issued an executive order directing federal agencies to create a set of voluntary cybersecurity standards and procedures for critical parts of the private sector. If followed, these “best practices” are intended to reduce the risk of a cyber attack and its attendant disruption of business.
In furtherance of this goal, the order requires various departments to make recommendations to the President as to possible incentives designed to promote private sector participation in the voluntary best practices. Recently, Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator, listed the results of the applicable agencies’ discussions to date. As Mr. Daniel explains, the draft “Best Practices” will be complete in October, and the final practices will be released in February 2014. In the meantime, the appropriate federal agencies have identified eight possible incentive options, summarized below:
1. Cybersecurity insurance. The insurance industry can be engaged to build underwriting practices that promote the adoption of cyber-risk-reducing measures and risk-based pricing, to foster a competitive cyber-insurance market.
2. Grants. Make participation in the voluntary program a necessary condition, or one of the weighted criteria, to receive federal critical infrastructure grants. The weighted criteria will be developed by agencies over the next six months.
3. Process preference. Give program participants the ability to expedite existing government service delivery in non-emergency situations. “For example, the government sometimes provides technical assistance to critical infrastructure,” Daniel said. “The primary criteria for technical assistance would always remain the criticality of the infrastructure, but for non-emergency situations, technical assistance could be seen as an additional benefit that could help to drive adoption.”
4. Liability limitation. Potentially implement legislation to reduce liability on program participants, to encourage a broader range of critical infrastructure companies to implement the Framework. These areas include reduced tort liability, limited indemnity, higher burdens of proof, or the creation of a federal legal privilege that preempts state disclosure requirements.
5. Streamlined regulation. As the voluntary cybersecurity standards and procedures and the incentive program are developed, agencies will recommend other areas that could help make compliance easier, for example: eliminating overlaps among existing laws and regulations, enabling equivalent adoption across regulatory structures, and reducing audit burdens.
6. Public recognition. Further exploration of whether optional public recognition for participants in the program and their vendors would be an effective incentive.
7. Rate recovery for price-regulated industries. Recommended further dialogue with federal, state, and local regulators and sector-specific agencies on whether the regulatory agencies that set utility rates should consider allowing utilities to recover Best Practice-related cybersecurity investments.
8. Cybersecurity research. After the Best Practices are complete, identify areas where commercial solutions are available to implement them and the gaps where those solutions do not yet exist. The government can then emphasize research and development to meet the most pressing cybersecurity challenges where commercial solutions are not currently available.
Stay tuned to this blog for important developments in cybersecurity best practices as they are released.