Why Obama's 'Voluntary' Cybersecurity Plan May Prove Mandatory

WASHINGTON - The Obama administration's new cybersecurity guidelines are billed as "voluntary," but they are unlikely to stay that way.

The plan - issued last week by an agency of the Commerce Department - establishes a set of best practices for banks and other companies that support critical infrastructure to raise their cybersecurity game.

But several experts say the framework is ultimately likely to be cited in data breach litigation, other consumer claims and even by regulators as a baseline that all institutions must follow.

"It is by law voluntary. But it is going to mutate over time into a de facto or quasi mandatory standard," said Paul Rosenzweig, founder of Red Branch Consulting and formerly deputy assistant secretary for policy in the Department of Homeland Security. "For one thing, regulators may adopt it and tort lawyers that sue banks may view it as a floor."

The White House commissioned the guidelines last year through an executive order after Congress failed to pass stronger cybersecurity legislation.

But that order also called upon the Treasury Department to develop incentives for industry adoption of the new framework and on regulatory agencies to identify gaps between the framework and their statutory authority within 90 days of its release.

A high-level strategic document, the National Institute of Standards and Technology's plan establishes a common language for assessing and improving cybersecurity systems. It outlines "core" cybersecurity goals and activities common to sectors that support key infrastructure. (An example of such infrastructure relevant to the banking industry is the payment system.)

The framework lists four different buckets - or "tiers" - for judging a cybersecurity plan, from "partial" to the most sophisticated "adaptive." The plan allows a stakeholder to assess its plan's effectiveness and set goals for which tier it wants to reach, while also encouraging progression toward higher buckets. NIST referred to the report as "version 1.0," indicating that it plans to issue future iterations, and the agency presented a "roadmap" of key areas where the framework could be revised.

Bankers largely hailed the document, particularly because it is consistent with current cybersecurity regulations, and included desired changes from the earlier proposal. Specifically, whereas the proposal contained a relatively prescriptive appendix on guarding consumers' privacy, the final draft removed that provision, incorporating less prescriptive privacy measures into the main document.

The industry "has been fairly comfortable with the approach to privacy in the final framework and has lauded it as a big improvement over the privacy approach in the preliminary framework circulated by NIST late last year," said Harriet Pearson, a partner at Hogan Lovells.

Industry representatives also stress that banks, compared with other industries, already face a strict cybersecurity regime under the Gramm-Leach-Bliley Act of 1999.

Doug Johnson, vice president for risk management policy at the American Bankers Association, said banking regulators will likely participate in the process following release of the framework to look for any gaps between the NIST guidelines and existing regulations. (Obama's order technically called for findings only of non-independent agencies, but the bank regulators are still expected to weigh in.)

"We anticipate the regulatory agencies will opine even though they are independent," Johnson said, adding that regulatory efforts would likely be coordinated through Treasury and a working group of the Federal Financial Institutions Examination Council.

Financial institutions' regulations on cybersecurity "are probably the most stringent among all the critical infrastructures already," he noted. "So we would not anticipate that there would be a determination that there were material gaps between what we currently have to abide by by regulation and what the cybersecurity framework requires. … If anything, it helps validate some of the existing processes that financial services companies are already going through."

He added that the bank regulators have independently pursued enhancement in security requirements for institutions, further reinforcing the idea that the industry already faces a tough regime. He specifically referred to heightened risk management measures in the Federal Reserve Board and Office of the Comptroller of the Currency's recent guidance on third-party relationships and outsourcing.

"That demonstrates … that the agencies aren't waiting for anything," he said. "When they see existing gaps, they fill those gaps notwithstanding any cybersecurity framework that NIST may have put together."

But others suggested that even though banks' current regulatory regime puts them in good position for being consistent with the NIST approach, the framework's wide applicability to multiple industries could shine an unfavorable spotlight on institutions not on par with the framework.

"There is a concern that it could become a mandatory standard. The caveat to that is the framework is consistent with our current regulatory requirements," said John Carlson, executive vice president at BITS, the technology policy division of the Financial Services Roundtable. "In some respect, it would do no harm to our sector."

Others were more explicit in focusing on the potential for the NIST framework to be used as a benchmark in courts where the effectiveness of a bank's cybersecurity program could be called into question.

Some suggested the framework could be used to determine if an institution's cybersecurity procedures met the legal standard for being "commercially reasonable", meaning that it is consistent with what other firms are able to achieve.

"In the event of a breach that harms its customers, those customers are likely to claim that the institution was negligent. The NIST framework will likely be used by the courts to determine what is reasonable commercial practice," said Stewart Baker, a partner at Steptoe & Johnson who was the first assistant secretary for policy at the Department of Homeland Security. "If the institution has not followed the standard, it will have the burden of showing why its security was reasonable.

"This is likely also to be the position of the courts in dealing with the question of customer liability for electronic money transfers, where institutions may be held liable … if their security is not commercially reasonable. I expect the courts to look to the NIST standard to determine what is commercially reasonable."

He added that bank examiners may also view the NIST document as a new supervisory tool.

"I expect the financial regulatory agencies to follow the President's executive order and incorporate the standard into what they require of the institutions they regulate, probably by cross-referencing it to the privacy and security obligations in Gramm-Leach-Bliley," he said. "Similarly, I would expect bank examiners to ask pointed questions about how the institutions they're inspecting are implementing the framework, and I doubt that 'we're not' is an answer that will go unchallenged."

Gerald Ferguson, a partner at BakerHostetler, agreed that the NIST framework will be used in the courts, but said banks have enough experience complying with cybersecurity rules to win such arguments.

"The reality is that because of the way [the framework] was created, and it represents a very careful effort to distill best practices from the industry, it will in fact be recognized as an industry standard in litigation," Ferguson said. "I don't think that is such a bad thing for the financial services industry because financial institutions for over a decade now have been operating under the Gramm-Leach-Bliley security rule. In the process of complying with that rule, financial institutions have adopted practices and procedures that very closely mirror what is being adopted in this framework."