The National Institute of Standards and Technology (NIST) recently and formally released version 2.0 of its Cybersecurity Framework (CSF).
Rightfully seen as one of the gold standards of cybersecurity frameworks, if not the gold standard, the updated version has an expanded scope that makes it relevant to all organisations, in any industry or sector. This is an expansion of the previous focus on critical infrastructure sectors.
The NIST Cybersecurity Framework (CSF) 2.0 can help organisations manage and reduce their cybersecurity risks as they start or improve their cybersecurity program. The CSF outlines specific outcomes that organisations can achieve to address risk. The CSF 2.0, along with NIST's supplementary resources, can be used by organisations to understand, assess, prioritise, and communicate cybersecurity risks; it is particularly useful for fostering internal and external communication across teams, as well as for integrating with broader risk management strategies.
The framework’s core is now organised around six key functions: Identify, Protect, Detect, Respond and Recover, along with CSF 2.0’s newly added “Govern” function.
The new governance function encompasses how organisations make and carry out informed decisions on cybersecurity strategy and emphasises that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others such as finance and reputation.
Specifically, “Govern” requires attention to contracts, cyber readiness, privacy strategies and management processes. Some specific examples include:
Within the new governance function is an added focus on supply chains, with a key pillar being establishing and monitoring cybersecurity supply chain (vendor) risk management. NIST CSF 2.0 requires the establishment of strategy, policy, and roles and responsibilities, including for overseeing suppliers, customers, and partners; the incorporation of these requirements into contracts; and the involvement of partners and suppliers in planning, response, and recovery.
The Office of the Australian Information Commissioner (OAIC) Data Breach Report for July to December 2023 noted an increase of 317% over the previous reporting period in third-party data breach reports. Most of these involved breaches of cloud or software providers.
With third-party (vendor) risk management a key pillar of focus and a specialty of the Lockton C&T Team locally, we are immensely pleased to see this area form a key part of NIST moving forward.
Existing contracts often fail to adequately consider substantial cyber and privacy issues arising from
The time is now to update your contracts. If you use a standard contract frequently and negotiate rarely, these risks will likely impact you. Almost any business using a template or standard contract needs to revisit its terms to ensure they adequately address cyber.
This should further be used as a trigger for organisations to holistically assess their cyber and privacy related resilience posture. Speaking specifically to NIST, organisations should seek to assess their organisation-wide cyber, privacy, and data protection governance and risk management practices. This includes covering foundational areas including:
For organisations that have already adopted the framework, we recommend beginning with a review of the Governance function to determine the presence of any gaps that need to be remediated based on your current posture. Our Board checklist is a great place to start.
Finally, as we will reinforce throughout the year, the NIST update is a good trigger to remind all directors and officers of their duties and obligations as they relate to cyber, data, security and technology risks. By way of reminder: