NIST 2.0 - An overdue Governance focus
Overview
The National Institute of Standards and Technology (NIST) recently, formally released version 2.0 of its Cybersecurity Framework (CSF).
Rightfully seen as one of, if not the gold standard of cybersecurity frameworks, the updated version has an expanded scope that broadens its scope to have relevance to all organisations, in any industry/sector. This is an expansion of the previous critical infrastructure sector focus.
What is NIST2.0?
The NIST Cybersecurity Framework (CSF) 2.0 can help organisations manage and reduce their cybersecurity risks as they start or improve their cybersecurity program. The CS outlines specific outcomes that organisations can achieve to address risk. The CSF 2.0, along with NIST's supplementary resources, can be used by organisations to understand, assess, prioritise, and communicate cybersecurity risks; it is particularly useful for fostering internal and external communication across teams - as well as integrating with broader risk management strategies.
The framework’s core is now organised around six key functions: Identify, Protect, Detect, Respond and Recover, along with CSF 2.0’s newly added “Govern” function.
New - Govern
The new governance function encompasses how organisations make and carry out informed decisions on cybersecurity strategy and emphasises that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others such as finance and reputation.
Specifically, “Govern” requires attention on contracts, cyber readiness, privacy strategies and management processes. Some specific examples include:
GV.OC-03
- Legal, regulatory, and contractual requirements including cybersecurity, privacy and civil liberties.
GV.SC-05
- Requirements to address cybersecurity risks in supply chains are established and integrated into contracts.
GV.RR-01
- Organisational leadership responsibility for cybersecurity risk and fostering a risk-aware culture
Supply chain/vendor focus
Within the new governance function is the added focus on supply chains with a key pillar being establishing and monitoring cybersecurity supply chain (vendor) risk management. NIST 2.0 requires the establishment of strategy, policy, and roles and responsibilities - including for overseeing suppliers, customers, and partners, the incorporation of these requirements into contracts and the involvement of partners and suppliers in planning, response, and recovery.
The Office of the Australian Information Commissioner (OAIC) Data Breach Report for July to December 2023 noted an increase of 317% over the previous reporting period in third-party data breach reports. Most of these involved breaches of Cloud or software providers
With third party (vendor) risk management a key pillar of focus and specialty for the Lockton C&T Team locally, we are immensely pleased to see this area form a key part of NIST moving forward.
Further focus - Contract
Existing contracts often fail to adequately consider substantial cyber and privacy issues arising from
- - Cyber security standards
- - Privacy and Data Protection
- - Consumer Law Breaches
The time is now to update your contracts. If you use a standard contract frequently, and negotiate rarely, these risks will likely impact you. Almost any business using a template or standard contract needs to revisit their terms to ensure they adequately address cyber.
This should further be used as a trigger for organisations to holistically assess their cyber and privacy related resilience posture. Speaking specific to NIST, organisations should seek to assess their organisation-wide cyber, privacy, and data protection governance and risk management practices. This includes covering foundational areas including:
- - Handling of personal, sensitive, and commercially confidential information
- - All of which carry differing, but potentially equally significant consequence (due to associated regulatory or contractual obligations).
- - Data ingress, categorisation, retention, archiving and destruction policies, practices, and procedures.
- - Data breach/organisational compromise response and notification obligations (regulatory and contractually related).
- - Contract terms associated with liability arising from data loss incidents.
- - Data Sovereignty, Transfer and Use Impacts
Conclusion
For organisations that have already adopted the framework, we recommend beginning with a review of the Governance function to determine the presence of any gaps that need to be remediated based on your current posture. Our Board checklist is a great place to start.
Finally, as we will reenforce throughout the year, the NIST update is a good trigger to remind all of their directors’ and officers’ duties and obligations, as they relate to cyber, data, security and technology risks. By way of reminder:
-
Addressing risks relating to cyber, data, security and technology risks is a legal obligation of all Directors.
- - We again draw the parallel back to the principles provided from ASIC v Risk and ASIC v Centro.
- - Directors have a foundational duty to act in their role with care and diligence. This includes when considering cyber risks and data protection exposures.
-
A low volume of PII, is not reflective of a lower risk profile, lower duty of care.
- - In fact, as per the OAIC’s most recent Notifiable data breaches report (July to December 2023), the vast majority of data breaches (91%) during this reporting period involved personal information of 5,000 or fewer individuals worldwide. Breaches affecting 100 or fewer individuals comprised 65% of all notifications. Breaches affecting between 1 and 10 individuals accounted for 44% of all notifications, similar to previous reporting periods.
- - The recent HWLE event showed the impact of breach or loss of Commercial/Confidential Corporate data, as the event exposed a range of sensitive information including legal advice provided to government entities; government information including data relating to national security and law enforcement matters; and corporate information, including client, contract, and project information.
-
Regulators around the world, including the OAIC and ASIC, are actively enforcing Director's cyber and data protection obligations.
- - With the ASIC v RI Advice Group decision (the Australian Federal Court found that an Australian Financial Services Licensee (AFSL) breached its obligations by failing to adequately manage its cybersecurity risks) and ASIC’s ongoing clear directive to pursue organisations with a poor cyber security posture clear.
Leave a Comment