
2nd ANNUAL CYBER SECURITY LAW CONFERENCE:

SAFEGUARDING AGAINST WEAPONS OF MASS DISRUPTION

Moderator/Speaker Luis J. Diaz, Esq. Gibbons PC (Newark)

Speakers

Assemblywoman Annette Quijano 20th Legislative District (Elizabeth)

Chairwoman of the Assembly Homeland Security and State Preparedness Committee

Robert D. Chesler, Esq. Anderson Kill, P.C. (Newark)

Lt. John Gorman New Jersey State Police High Tech Crime Unit

Brett R. Harris, Esq. Wilentz, Goldman & Spitzer, P.A. (Woodbridge, Eatontown; New York City; Philadelphia, PA)

Kelly Harris Prudential Financial

Christine A. Hoffman, Esq. Assistant Attorney General

William J. Hughes, Jr., Esq. Porzio Bromberg & Newman, P.C. (Morristown)

Bert Kaminski, Esq. Industrial IoT and Information Technology (New York City)

Michael R. McDonald, Esq. Gibbons PC (Newark)

Korin Neff, Esq. Wyndham Worldwide Corporation

S0057.17

Professor David W. Opderbeck Seton Hall University School of Law (Newark)

Kenneth N. Rashbaum, Esq. Barton LLP (New York City)

Linda Rush, FIP, CIPP/US/C, CIPM Avis Budget Group, Inc.

Michelle A. Schaap, Esq. Chiesa, Shahinian & Giantomasi, P.C. (West Orange)

Marc Schein, CIC, CLCS Marsh & McLennan Agency

John P. Scordo, Esq. K&L Gates LLP (Newark)

Robert Spangler, Ph.D. New Jersey State Bar Association (New Brunswick)

Julia C. Talarick, Esq. Kinney Lisovicz Reilly & Wolf, P.C. (Parsippany; New York City)

Deirdre R. Wheatley-Liss, Esq. Certified as an Elder Law Attorney by the National Elder Law Foundation Porzio Bromberg & Newman, P.C. (Morristown)

John T. Wolak, Esq. Gibbons PC (Newark)


Newark ♦ New York ♦ Trenton ♦ Philadelphia ♦ Wilmington ♦ gibbonslaw.com

2nd Annual Cybersecurity Law Conference

Safeguarding Against Cyberweapons of Mass Disruption

Panel II. Complex Litigation/Admin Actions In Cybersecurity Cases

Part 1: Data Security Class Actions

Panel Moderator and Panelist:

Michael R. McDonald, Gibbons P.C.


gibbonslaw.com ♦ Gibbons is headquartered at One Gateway Center, Newark, NJ 07102.

PANEL OVERVIEW: RECENT HEADLINES

• March 21, 2017: NY Attorney General Announces Record Number of Data Breach Notices in 2016 (1,300 reported) — representing a 60 percent increase from 2015, exposing personal records of 1.6 million NY residents.

• March 8, 2017: Credit unions and financial institutions sued Eddie Bauer, claiming failure to employ adequate security measures opened the door to a security breach that compromised shoppers’ credit and debit card information.

• May 8, 2017: Discount brokerage firm Scottrade sued for failure to protect customers’ sensitive data, opening the door to a data breach that compromised more than 4.6 million people’s personal information.

• May 24, 2017: State AGs Announce $18.5 Million Settlement with Target, reportedly the largest multistate data breach deal ever reached.


PANEL OVERVIEW: RECENT HEADLINES

• May 26, 2017: “Chipotle Hit With 2nd Suit From Financial Institution Over Hack,” Law360

• April 24, 2017: U.S. Department of Health and Human Services ("HHS") entered a $2.5 million settlement with wireless health services provider CardioNet, relating to disclosure of unsecured patient health information stored on two stolen laptops.

• May 10, 2017: HHS Settled with Hospital Provider for $2.4 million for alleged HIPAA Privacy Violations, i.e., inadvertently disclosing protected health information ("PHI") in a hospital press release.

• March 17, 2017: Clothing Retailer Settled Credit Card Data Breach Class Action for $1.6 Million. The 7th Circuit Court of Appeals found that preventative measures like credit monitoring were sufficient to show standing.


Common Cybersecurity Breaches and Plaintiffs

Common “Breaches”

• Lost or stolen device

• Network hack

• Phishing

• Exposed network

• Insider attacks

• Hacktivists

• Nation-state attack

• Cyber-espionage

Typical “Plaintiffs”

• Customers/Consumers

• Employees

• Students

• Banks/cards

• Business partners

• State AGs

• FTC

• Federal regulator

• International Regulator

Causes of Action and Standards

• Specific federal rules and guidance documents for some regulated industries.

– Healthcare: HIPAA

– Financial Services: GLBA, SEC & FINRA Guidance

– Energy Sector: DOE Guidance

• Defense of Trade Secrets Act (2016)

• Cybersecurity Act (2015)

• State Data Breach Notification Laws

• Common law – NIST Cybersecurity Framework?


Cybersecurity and Class Actions

• Data breaches usually affect a large group of people

• Potential liability stemming from a single event

• Recent high value settlements:

– Nov. 2015: Target settles with consumer class for $10 million plus $6.75 million in attorneys’ fees

– Aug. 2016: Home Depot settled its consumer claims at $19.5 million for damages and prevention and $8.5 million in attorneys’ fees


Issue of Standing in Data Breach Class Actions

• Clapper v. Amnesty Intern. USA, 568 U.S. 398 (2013): plaintiffs “cannot manufacture standing by incurring costs in anticipation of non-imminent harm.”

• Thus, standing cannot be manufactured by credit monitoring post data breach.

• Spokeo, Inc. v. Robins, 136 S.Ct. 1540 (2016): Allegations of a “bare procedural violation, divorced from any concrete harm” cannot satisfy the Article III injury-in-fact requirement.

• When to raise the issue of standing?

– 12(b)(1)

– 12(b)(6)

– Class Certification

– Summary Judgment

– Trial

– Note that the issue of standing is never waived, and can always be revisited. It can also be raised sua sponte by the court.


Standing Arguments

• Damages and Injury-In-Fact

– In re Anthem, Inc. Data Breach Litigation, 162 F.Supp.3d 953 (2016): Loss of Personally Identifiable Information (“PII”) is a concrete, compensable injury

• Risk of Identity Theft is Cognizable

– Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (2015): “‘Substantial risk’ (to putative class members) exists and is actionable. Why else would hackers break into a store’s database? . . . Customers shouldn’t have to wait until hackers commit identity theft or credit card fraud in order to give the class standing[.]”

– Spokeo, Inc. v. Robins, 136 S.Ct. 1540 (2016): FCRA violation, by itself, does not satisfy the “concrete injury” requirement

• Heightened risk of future harm?

– Cahen v. Toyota Motor Corporation, 147 F.Supp.3d 955 (2015): must show actual breach or misuse of data security


Article III Standing: 3rd Cir.

• In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262, 274 (3d Cir. 2016): "unlawful disclosure of legally protected information" is "a clear de facto injury."

• In re Horizon Healthcare Serv., Inc. Data Breach Litig., 846 F.3d 625 (3d Cir. 2017): “the unauthorized dissemination of [the plaintiffs'] private information” satisfies the concreteness requirement.


Standing: Other Circuits

• Whalen v. Michaels Stores, Inc., --- Fed.Appx. --- (2017): held credit card holder lacked standing because she hadn’t incurred any actual charges on her card or any other concrete injuries, even though plaintiff’s stolen credit information was twice used in attempted fraudulent purchases.

• Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (2015): customers whose credit card information was stolen in a data breach have standing to sue not only after they’re hit with fraudulent charges but also for fraud-prevention expenses such as credit monitoring.

• Gubala v. Time Warner Cable, Inc., 846 F.3d 909 (2017) (“a failure to comply with a statutory requirement to destroy information is substantive, yet need not ... cause a concrete injury”)

• Braitberg v. Charter Communications, Inc., 836 F.3d 925 (2016): plaintiff alleged his former television cable provider retained his personally identifiable information in violation of the Cable Communications Policy Act, but failed to allege that the information was disclosed to a third party, that any outside party accessed the data, or that the information was used during the disputed period, and thus the Court found that the plaintiff "identifie[d] no material risk of harm from the retention; [and determined that] a speculative or hypothetical risk is insufficient."

• Van Patten v. Vertical Fitness Group, LLC, 847 F.3d 1037 (2017): held that an automated text sent in violation of the Telephone Consumer Protection Act (“TCPA”) was an invasion of privacy and a nuisance sufficient to find standing. The Court found that “[u]nsolicited telemarketing phone calls or text messages, by their nature, invade the privacy and disturb the solitude of their recipients.”


What is the Correct Standard of Care?

• Common law negligence

• Strict liability

• Statutory standard

• NIST Cybersecurity Framework?


Professional Liability

• ABA Model Rules

• Civil liability

• Potential ethical breaches:

– (1) by failing to live up to their duty of confidentiality, or

– (2) by failing to live up to their duty of competence to clients


Other Common Litigation Issues

• Discovery and privilege issues

– Invoking privilege as to post-breach investigation

– Concerns regarding production of security information

• Settlement issues

– Need for subclasses

– Common terms in class settlements: claims fund, credit monitoring, injunctive relief, cy pres, attorneys’ fees

– Judicial concerns

– Significant settlements

• Related actions

– Enforcement actions

– Investor and Shareholder derivative suits


QUESTIONS ??

Michael R. McDonald, Gibbons P.C.

Chair, Gibbons Consumer Class Action Defense Group

[email protected]

973-596-4827


Kenneth N. Rashbaum, Barton, LLP

www.bartonesq.com


Data breach class actions

Computer Fraud and Abuse Act

Shareholder Derivative Actions: Palkon v. Holmes

State and federal statutory violations

In re Anthem, Inc. Data Breach Litigation: CA, KY and NY Unfair Competition, and CA Confidentiality of Medical Information Act (statutory damages)

Negligence (lack of due care, including “cyber-hygiene”)

Hacking is foreseeable, though specifics of individual attack are not

What is the secondary defense?

In the Wings: False Claims Act/Whistleblower Claims

© 2017 Barton, LLP


Defense of Trade Secrets Act: 18 USC §1836 et seq.

Effective May 11, 2016

Federal cause of action for misappropriation of “trade secrets” (broadly defined, but requires that the owner has taken reasonable measures to keep such information secret)

Misappropriation includes breach but not “reverse engineering, derivation or other means.”

Cybersecurity Act of 2015

Email and Internet monitoring permitted to protect “confidential information”


Example: Waymo v. Uber Technologies (driverless car technology)

Injunctive relief available and defendant's computer can be imaged and, in some cases, seized

Plaintiff must plead and demonstrate that appropriate measures were taken to preserve the secrecy of the information

Poor cyber hygiene may be a defense


Other Elements:

Jurisdiction: Trade Secret used in interstate or foreign commerce

Information is a “Trade Secret:” Broad definition, but secrecy of the information must be pleaded with specificity

Misappropriation and/or Improper Means to obtain the information

Damages


HIPAA: Office for Civil Rights of U.S. Department of Health and Human Services

Federal Trade Commission

Internet of Things Guidance

FDA (medical devices)

SEC (OCIE Cybersecurity Questionnaire)

FINRA


$3.9 million settlement, plus Corrective Action Plan, for failure to encrypt information at rest, or have protocols for encryption (Feinstein Institute for Medical Research 3/16)

$5.5 million settlement, failure to monitor access to Protected Health Information and prepare and preserve audit logs (2/17)

$3.2 million finding after contested proceeding for failure to encrypt hospital-issued Blackberrys; deadlines for submission of evidence and request for a hearing were missed, increasing the penalty


SEC Regulation S-P Sec. 30: "[e]very broker, dealer... must adopt policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information."

SEC Cyber Security Alert May 17, 2017 after WannaCry

Cybersecurity Basis is FINRA Rule 2010: “[a] member, in the conduct of its business, shall observe high standards of commercial honor and just and equitable principles of trade.”


FINRA January 17 Priorities Report listed Cybersecurity as a significant enforcement priority

$650,000 Nov. 2016 settlement with Lincoln Financial Securities following breach by Lincoln’s cloud services provider

Basis was lack of security metrics in service agreement with provider, and failure to exercise audit rights that were in the agreement


Press Releases 2017: Cybersecurity Notice April 2017: “Recommended” safeguards following record number of breaches in 2016

Settlement with Utah wireless door lock developer SafeTech Products LLC, May 2017: passwords sent between phone and lock unencrypted. Settlement requires encryption and other safeguards.


6/8/2017 1

© Copyright 2017 by K&L Gates LLP. All rights reserved.

John P. Scordo, Esq.

Thomas A. Zelante Jr.

Liability Under Payment Card Industry Associations

The PCI Security Standards Council

Founding Members: American Express

Discover Financial Services

JCB International (Japan)

MasterCard

Visa, Inc.

PCI Data Security Standard (PCI DSS)

klgates.com 2


12 PCI DSS Requirements

1. Maintaining Firewalls

2. Securing Configurations

3. Protecting Stored Data

4. Protecting Data in Transit

5. Maintaining Anti-Virus

6. Maintaining Secure Systems

7. Restricting Access

8. Authenticating Access

9. Controlling Physical Access

10. Logging and Monitoring

11. Testing Security Systems

12. Maintaining Security Policies


Enforcement

From the Council’s website: “Note that enforcement of compliance with the PCI DSS and determination of any non-compliance penalties are carried out by the individual payment brands and not by the Council. Any questions in those areas should be directed to the payment brands.”


PCI Cash Flowchart (image; source: complianceforge.com)


The Parties

Cardholder: the consumer

Issuing Bank: issues the card to the consumer

Merchant: organization selling goods and services

Service Provider: organization providing some or all of the payment processing services for the merchant

Acquiring or Merchant Bank: connects to card brand network for payment processing and processes payments for merchants

Card Brand: “association network”


The Process Following a Breach

Notice – usually from brand’s fraud detection to the merchant, or from law enforcement

Hire approved forensic investigators

Communicate with brand representatives

Preliminary forensic report and immediate remediation

Alerts to banks, merchants, etc.

Final forensic report

Additional remediation and re-compliance

Fines and assessment of costs

Appeal


PCI Forensic Investigators (PFIs)

Must work for a “Qualified Security Assessor” company that provides a dedicated forensic investigation practice

Report on the extent and scope of the compromise, and determine if the organization was PCI DSS compliant at the time of the breach

Not protected as it is shared with adverse parties and not done in anticipation of litigation per se


PFI - Contents

Network Overview

Findings

“Incident Dashboard” - “Possible Exposure”

Containment Plan and Recommendations

Appendix PCI DSS summary – Each requirement - “assessed, in place, cause of breach, contribute to breach”

PFI - Type of Data Exposed

Name, Encrypted or Clear-Text PINs, Address, Expiry Date, PIN Blocks

PAN (primary account number)

Track 1

Track 2

CID, CAV2, CVC2, CVV2 (three or four digit code)


Track 1 Form (image; format reference: https://support.authorize.net/authkb/index?page=content&id=A755)
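The PFI slides above list the classes of data a forensic report looks for (PAN, Track 1, Track 2, and the CID/CAV2/CVC2/CVV2 codes). As an added example, not from the K&L Gates slides or any presenter, the Python scanner below looks for those same classes in log text so a merchant can check before a breach whether cardholder data is being written to logs in the clear. The sample log lines are constructed; the card numbers are the public brand test numbers; the track layouts (sentinels, field separators, YYMM expiry) follow the Track 1 format reference linked on the slide and are stated as assumptions in the comments, and masking keeps at most the first six and last four digits, the most PCI DSS permits to be displayed.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not part of a longer digit run (which would be an order id, a timestamp
# or track discretionary data rather than a card number).
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# Track 1 (assumed layout, as in the Track 1 format reference linked on the
# slide): start sentinel %, format code B, PAN, ^cardholder name^, YYMM expiry.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}")
# Track 2 (assumed layout): start sentinel ;, PAN, =, YYMM expiry.
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}")
# CID / CAV2 / CVC2 / CVV2 are 3-4 digits and only identifiable by the field
# name they travel with, so they are matched by a key=value shape.
SAD_RE = re.compile(r"\b(cvv2?|cvc2?|cid|cav2)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    kind: str    # "PAN", "TRACK1", "TRACK2" or "SAD" (sensitive authentication data)
    value: str   # masked PAN or the offending field name; never the raw secret


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; every card brand's PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> list:
    """Return one Finding per cardholder-data hit, line by line, with PANs masked."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                findings.append(Finding(line_no, "PAN", mask_pan(digits)))
        # A PAN inside track data is also reported above; the track hits below
        # are kept separately because storing full track data is the graver finding.
        for m in TRACK1_RE.finditer(line):
            findings.append(Finding(line_no, "TRACK1", mask_pan(m.group(1))))
        for m in TRACK2_RE.finditer(line):
            findings.append(Finding(line_no, "TRACK2", mask_pan(m.group(1))))
        for m in SAD_RE.finditer(line):
            findings.append(Finding(line_no, "SAD", m.group(1).lower()))
    return findings


# Constructed sample log lines (not from any real system). The card numbers are
# the public brand test numbers; the first line's order id is not Luhn-valid.
SAMPLE_LOG = """\
2017-06-08 10:01:02 order=1234567890123456 status=ok
2017-06-08 10:01:03 pan=4111111111111111 cvv2=123 exp=1225
2017-06-08 10:01:04 swipe=%B5555555555554444^DOE/JANE^25121011000000000000?
2017-06-08 10:01:05 swipe2=;378282246310005=25121011000000000000?
2017-06-08 10:01:06 masked=411111******1111 cardholder lookup
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.value}")
```

Run against the constructed log, the scanner reports a PAN on lines 2, 3 and 4, a CVV2 on line 2, and full Track 1 and Track 2 data on lines 3 and 4, while ignoring the non-Luhn order id on line 1 and the already-masked number on line 5. Only masked values are returned, so the scanner's own output does not become another place where cardholder data is stored in the clear.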

Contractual Relationship

Merchant Service Agreement between Merchant and Acquiring Bank

Agreement with Service Provider and Merchant and Acquiring Bank

Merchant Indemnifies Acquiring Bank and incorporates Association rules

Agreement between Card Association and Acquiring Bank subject to “Rules and Regulations” of the Association

https://usa.visa.com/dam/VCOM/download/merchants/visa-international-operating-regulations-main.pdf

Acquiring Bank indemnifies Card Association


Contractual Relationship (cont’d)

Cardholder Agreement with Issuing Bank

Issuing Bank Agreement with Card Brand


Flow of Losses Following Breach

Cardholders incur fraudulent charges - sometimes

Issuing Bank reimburses fraudulent charges, reissues cards, monitors accounts

Card Association reimburses Issuing Banks - most of the time

Card Association assesses losses to the Acquiring Bank

Acquiring Bank obtains indemnification from the Merchant for breach resulting from violations of PCI DSS, usually by withholding remittances


Losses

$3 to $5 per affected card is the average, though higher amounts are common and this reported number varies widely

Fines vary from $5,000-$25,000 per month (Visa), or $10,000-$200,000 per violation (MasterCard)


PCI DSS Litigation

Litigation of this private risk allocation is not common

Merchant v. Card Association, or Issuing Banks v. Merchant

Breach of Contract/Breach of Covenant of Good Faith and Fair Dealing

Interpretation issues/ambiguous language

Factual issues

Third Party Beneficiary

Unfair Business Practices


Genesco v. VISA, 2013 WL 3790647 (M.D. Tenn. 2013)

Merchant v. Card Association

In depth discussion of VISA’s post-breach procedures – $11 million at issue

Discussion of

Non-Compliance Fines

Fraud Recovery Assessments

Expense Reimbursement Assessments

Visa’s rules may violate California Unfair Competition Law


Schnuck Markets v. First Data, 852 F.3d 732 (8th Cir. 2017)

Merchant v. Service Provider and Acquiring Bank

“Data Compromise Losses” were indemnified by the merchant

For purposes of a liability limitation, court held that these did not

constitute “fees”

Also did not constitute “fines or penalties”


Issuing Bank v. Merchant

Cumis Ins. Soc'y v. BJ's Wholesale Club, 455 Mass. 458, 918 N.E.2d 36 (2009) (banks are not third party beneficiaries)

In re Heartland Payment Sys., Inc. Customer Data Sec. Breach Litig., 834 F. Supp. 2d 566 (S.D. Tex. 2011)(some NJ law)(banks not third party beneficiaries) and Lone Star Nat. Bank, N.A. v. Heartland Payment Sys., Inc., 729 F.3d 421 (5th Cir. 2013)(Fifth Circuit reversed the District Court’s dismissal of plaintiff’s negligence claim; remanded for choice of law)


Cyber Insurance

P.F. Chang's China Bistro, Inc. v. Fed. Ins. Co., 2016 WL 3055111 (D. Ariz. May 31, 2016) (No. CV-15-01322-PHX-SMM) (PCI DSS liability not covered as it was a contractual obligation), on appeal

Compl., New Hotel Monteleone, LLC v. Certain Underwriters at Lloyd’s of London, (E.D. La. 2016) (2:16-cv-00061) (claim denied as fraud recovery and operational costs were considered a fine or penalty)


New York's Cybersecurity Regulations: Cybersecurity Requirements for Financial Companies

Deirdre R. Wheatley-Liss, Esq.

David L. Disler, Esq. Porzio, Bromberg & Newman, PC

www.pbnlaw.com

A. Background

The New York State Department of Financial Services ("DFS") proposed cybersecurity regulations on September 13, 2016, which apply to all financial services companies in New York State (i.e., banks, insurance companies and other financial service institutions regulated by the DFS). The proposal provides for companies to create and enforce their own cybersecurity program, but sets minimum standards and requirements. The regulations are the first of their kind in the country.

The effective date for the regulations is March 1, 2017.

Full text of the regulations is at: http://www.dfs.ny.gov/legal/regulations/adoptions/rf23-nycrr-500_cybersecurity.pdf

B. Cybersecurity Program

"Each Covered Entity shall establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity and availability of the Covered Entity’s Information Systems."

The cybersecurity program must perform these core functions:

Identify

"Identify internal and external cyber risks by, at a minimum, identifying the Nonpublic Information stored on the Covered Entity’s Information Systems, the sensitivity of such Nonpublic Information, and how and by whom such Nonpublic Information may be accessed."

Protect

"Use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts."


Detect

"Detect Cybersecurity Events." A cybersecurity event is any act or attempt, successful or not, to gain unauthorized access to, disrupt or misuse the company's system or the information stored on the system.

Respond

"Respond to identified or detected Cybersecurity Events to mitigate any negative effects."

Recover

"Recover from Cybersecurity Events and restore normal operations and services."

Report

"Fulfill all regulatory reporting obligations."

C. Cybersecurity Policy

Nonpublic Information

Nonpublic Information includes all electronic information that is:

(1) Related to the business of the company, where the unauthorized disclosure, access or use of the information would cause a material adverse impact to the business, operations or security of the company;

(2) Any information an individual provides or the company receives about the individual in connection with a financial product or service;

(3) Any information, except age or gender, that is created by, derived or obtained from a health care provider or an individual relating to the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family or household, or from the provision of health care to any individual, or from payment for the provision of health care to any individual;

(4) Any information that can distinguish or trace an individual’s identity, including but not limited to an individual’s name, social security number, date and place of birth, mother’s maiden name, biometric records, any information linked or linkable to an individual, including but not limited to medical, educational, financial, occupational or employment information, information about an individual used for marketing purposes or any password or other authentication factor.


Background

A written cybersecurity policy must be implemented and maintained that sets forth the policies and procedures to protect electronic information and Nonpublic Information.

The policy, at a minimum, must address these areas:

(1) information security;

(2) data governance and classification;

(3) access controls and identity management;

(4) business continuity and disaster recovery planning and resources;

(5) capacity and performance planning;

(6) systems operations and availability concerns;

(7) systems and network security;

(8) systems and network monitoring;

(9) systems and application development and quality assurance;

(10) physical security and environmental controls;

(11) customer data privacy;

(12) vendor and third-party service provider management;

(13) risk assessment; and

(14) incident response.

A review of the policy must take place annually and be approved by the board of directors and a senior officer.

Chief Information Security Officer

A Chief Information Security Officer ("CISO") must be designated. The CISO oversees and implements the company's cybersecurity program and policy. This responsibility may be met by a third-party service provider; however, a senior member of the company must oversee the third party, and the third party must maintain a program that meets the regulations.

Report: The CISO must create a report (twice a year) and provide it to the board of directors. The report must: (1) assess the integrity of the system; (2) detail exceptions to the cybersecurity policies and procedures; (3) identify cyber risks; (4) assess the effectiveness of the cybersecurity program; (5) propose steps to remediate any inadequacies; and (6) summarize all material cybersecurity events.

Penetration Testing and Vulnerability Assessment

Penetration testing of the system must take place annually and a vulnerability assessment must occur quarterly.

Audit Trail

An audit trail must be used by the company. The company must:

(1) track and maintain data of all financial transactions to allow the company to detect and respond to a cybersecurity breach;

(2) maintain a data log of all individuals that access critical systems;

(3) protect data from alteration or tampering;

(4) protect hardware from alteration or tampering;

(5) log system events, including access and alterations made to the audit trail system and all system administrator functions performed on the system; and

(6) maintain audit trail records for at least 6 years.

Access Privileges

Electronic information must be limited to only individuals that require it to perform the responsibilities of their job. Employee access must be reviewed periodically.

Risk Assessment

A risk assessment must be conducted annually. The assessment must include criteria for evaluating identified risks; criteria for the adequacy of existing controls as they relate to identified risks; and a description of how identified risks will be mitigated or accepted.

Cybersecurity Personnel and Intelligence

Sufficient cybersecurity personnel must be employed to manage cybersecurity risks and perform the core cybersecurity functions. These personnel must attend regular cybersecurity updates and training sessions. In addition, they should have the authority to take steps to stay abreast of changing cybersecurity threats and countermeasures.


A third party service provider may meet this requirement.

Third Party Information Service Policy

A company must ensure that all third parties with access to electronic and Nonpublic Information properly secure the information.

The company must establish a policy that:

1. Identifies and assesses the risk of third parties with access to electronic or Nonpublic Information.

2. Establishes minimum cybersecurity practices that third parties must meet to do business with the company.

3. Creates a process to evaluate the adequacy of third parties' cybersecurity practices.

4. Reviews each year the continued adequacy of third parties' cybersecurity practices.

All contracts with third parties should include and require that the third parties (to the extent applicable):

(1) use Multi-Factor Authentication (as defined below);

(2) use encryption;

(3) provide prompt notice in the event of a cybersecurity breach;

(4) offer identity protection services to customers affected by a breach due to third party's negligence or misconduct;

(5) make representations and warranties that the third party's services are free from viruses or other mechanisms that impair the security of the company's electronic or Nonpublic Information; and

(6) grant the company the right to perform cybersecurity audits.

Multi-Factor Authentication

Multi-Factor Authentication is the verification of an individual through at least two of the following types of authentication factors:

1. Knowledge factors (e.g. a password).

2. Possession factors (e.g. a token or a text message on a mobile phone).

3. Inherence factors (e.g. a biometric characteristic, such as a fingerprint scan).


Risk-Based Authentication detects anomalies or changes in an individual's normal pattern. When such a deviation is detected, additional verification (such as through challenge questions) is required.

Multi-Factor Authentication must be required in these situations:

1) access to the internal system or data from an external network;

2) privileged access to database servers; and

3) access to web applications that capture, display or interface with Nonpublic Information.

Risk-based authentication is also required to access web applications that capture, display or interface with Nonpublic Information.
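To make concrete what the Multi-Factor Authentication definition above rules in and out, and how the risk-based step-up interacts with it, here is an added example that models the handout's three factor types, the three situations in which it says MFA is required, and the web-application case that also needs Risk-Based Authentication. It is not code from the handout or the regulation; the factor names, device identifiers, countries and the anomaly rules are constructed for illustration.

```python
"""Added example (not from the conference handout or 23 NYCRR 500): an access
decision that applies the handout's MFA definition and step-up rules.
All sample factors, devices, countries and anomaly rules are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class FactorType(Enum):
    KNOWLEDGE = "knowledge"    # something you know, e.g. a password
    POSSESSION = "possession"  # something you have, e.g. a token or SMS code
    INHERENCE = "inherence"    # something you are, e.g. a fingerprint


@dataclass(frozen=True)
class Factor:
    kind: FactorType
    name: str
    verified: bool  # whether the factor was successfully checked


@dataclass
class AccessContext:
    external_network: bool      # reaching the internal system from outside
    privileged_db_access: bool  # privileged access to a database server
    touches_npi_webapp: bool    # web app that captures/displays/interfaces NPI
    device_id: str
    country: str


@dataclass
class UserProfile:
    """The individual's 'normal pattern' that Risk-Based Authentication
    compares against (constructed attributes)."""
    known_devices: set[str] = field(default_factory=set)
    usual_countries: set[str] = field(default_factory=set)


def is_multi_factor(factors: list[Factor]) -> bool:
    """MFA per the handout: at least two DISTINCT factor types verified.
    A password plus a PIN are both knowledge factors and do not qualify."""
    kinds = {f.kind for f in factors if f.verified}
    return len(kinds) >= 2


def mfa_required(ctx: AccessContext) -> bool:
    """The three situations the handout lists as requiring MFA."""
    return ctx.external_network or ctx.privileged_db_access or ctx.touches_npi_webapp


def risk_based_auth_required(ctx: AccessContext) -> bool:
    """Risk-Based Authentication is additionally required for NPI web apps."""
    return ctx.touches_npi_webapp


def deviates_from_pattern(ctx: AccessContext, profile: UserProfile) -> list[str]:
    """Anomalies versus the user's normal pattern (constructed rules)."""
    reasons = []
    if ctx.device_id not in profile.known_devices:
        reasons.append("unknown device")
    if ctx.country not in profile.usual_countries:
        reasons.append("unusual country")
    return reasons


def authorize(ctx: AccessContext, profile: UserProfile, factors: list[Factor],
              challenge_passed: bool | None = None) -> tuple[bool, str]:
    """Return (allowed, reason).

    challenge_passed is the outcome of the additional verification (e.g.
    challenge questions) once a step-up has been triggered; None means the
    user has not yet been challenged."""
    if not any(f.verified for f in factors):
        return False, "no verified factor"
    if mfa_required(ctx) and not is_multi_factor(factors):
        return False, "multi-factor authentication required"
    if risk_based_auth_required(ctx):
        anomalies = deviates_from_pattern(ctx, profile)
        if anomalies:
            if challenge_passed is None:
                return False, "step-up verification required: " + ", ".join(anomalies)
            if not challenge_passed:
                return False, "step-up verification failed"
    return True, "ok"


if __name__ == "__main__":
    pw = Factor(FactorType.KNOWLEDGE, "password", True)
    pin = Factor(FactorType.KNOWLEDGE, "pin", True)
    totp = Factor(FactorType.POSSESSION, "totp", True)
    profile = UserProfile({"laptop-1"}, {"US"})
    remote = AccessContext(True, False, False, "laptop-1", "US")
    print(authorize(remote, profile, [pw, pin]))   # two knowledge factors: denied
    print(authorize(remote, profile, [pw, totp]))  # password + token: allowed
    npi_app = AccessContext(False, False, True, "phone-9", "US")
    print(authorize(npi_app, profile, [pw, totp]))  # unknown device: step-up
```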

Limitations on Data Retention

Companies must establish a procedure for the timely destruction of any Nonpublic Information that is no longer necessary for business purposes.

Training and Monitoring

Policies/procedures must be implemented to monitor the activity of users and detect the unauthorized access, use, or tampering with Nonpublic Information.

In addition, companies must provide for (and require) all employees to attend regular cybersecurity awareness training.

Encryption of Nonpublic Information

All Nonpublic Information must be encrypted. If this is not feasible, appropriate alternatives may be used until January 1, 2020.

Incident Response Plan

An incident response plan designed to promptly respond to and recover from a cybersecurity breach must be implemented.

The plan must address:

1) the internal process for responding to a cybersecurity breach;

2) goals;

3) clear roles, responsibilities and levels of decision-making authority;

4) communication and information sharing;


5) remediation;

6) documentation and reporting; and

7) evaluation and revision of the incident response plan following the breach.


NEW YORK STATE DEPARTMENT OF FINANCIAL SERVICES

23 NYCRR 500

CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES

I, Maria T. Vullo, Superintendent of Financial Services, pursuant to the authority granted by sections 102, 201, 202, 301, 302 and 408 of the Financial Services Law, do hereby promulgate Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the State of New York, to take effect March 1, 2017, to read as follows:

(ALL MATTER IS NEW)

Section 500.00 Introduction. The New York State Department of Financial Services (“DFS”) has been closely monitoring the ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors. Recently, cybercriminals have sought to exploit technological vulnerabilities to gain access to sensitive electronic data. Cybercriminals can cause significant financial losses for DFS regulated entities as well as for New York consumers whose private information may be revealed and/or stolen for illicit purposes. The financial services industry is a significant target of cybersecurity threats. DFS appreciates that many firms have proactively increased their cybersecurity programs with great success. Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances. Accordingly, this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers. It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs. 
The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark. Adoption of the program outlined in these regulations is a priority for New York State.

Section 500.01 Definitions. For purposes of this Part only, the following definitions shall apply:

(a) Affiliate means any Person that controls, is controlled by or is under common control with another Person. For purposes of this subsection, control means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a Person, whether through the ownership of stock of such Person or otherwise.


(b) Authorized User means any employee, contractor, agent or other Person that participates in the business operations of a Covered Entity and is authorized to access and use any Information Systems and data of the Covered Entity.

(c) Covered Entity means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.

(d) Cybersecurity Event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.

(e) Information System means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.

(f) Multi-Factor Authentication means authentication through verification of at least two of the following types of authentication factors: (1) Knowledge factors, such as a password; or (2) Possession factors, such as a token or text message on a mobile phone; or (3) Inherence factors, such as a biometric characteristic.

(g) Nonpublic Information shall mean all electronic information that is not Publicly Available Information and is: (1) Business related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Covered Entity; (2) Any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements: (i) social security number, (ii) drivers’ license number or non-driver identification card number, (iii) account number, credit or debit card number, (iv) any security code, access code or password that would permit access to an individual’s financial account, or (v) biometric records; (3) Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to (i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family, (ii) the provision of health care to any individual, or (iii) payment for the provision of health care to any individual.


(h) Penetration Testing means a test methodology in which assessors attempt to circumvent or defeat the security features of an Information System by attempting penetration of databases or controls from outside or inside the Covered Entity’s Information Systems.

(i) Person means any individual or any non-governmental entity, including but not limited to any non-governmental partnership, corporation, branch, agency or association.

(j) Publicly Available Information means any information that a Covered Entity has a reasonable basis to believe is lawfully made available to the general public from: federal, state or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state or local law. (1) For the purposes of this subsection, a Covered Entity has a reasonable basis to believe that information is lawfully made available to the general public if the Covered Entity has taken steps to determine: (i) That the information is of the type that is available to the general public; and (ii) Whether an individual can direct that the information not be made available to the general public and, if so, that such individual has not done so.

(k) Risk Assessment means the risk assessment that each Covered Entity is required to conduct under section 500.09 of this Part.

(l) Risk-Based Authentication means any risk-based system of authentication that detects anomalies or changes in the normal use patterns of a Person and requires additional verification of the Person’s identity when such deviations or changes are detected, such as through the use of challenge questions.

(m) Senior Officer(s) means the senior individual or individuals (acting collectively or as a committee) responsible for the management, operations, security, information systems, compliance and/or risk of a Covered Entity, including a branch or agency of a foreign banking organization subject to this Part.

(n) Third Party Service Provider(s) means a Person that (i) is not an Affiliate of the Covered Entity, (ii) provides services to the Covered Entity, and (iii) maintains, processes or otherwise is permitted access to Nonpublic Information through its provision of services to the Covered Entity.

Section 500.02 Cybersecurity Program.

(a) Cybersecurity Program. Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems.

(b) The cybersecurity program shall be based on the Covered Entity’s Risk Assessment and designed to perform the following core cybersecurity functions: (1) identify and assess internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information stored on the Covered Entity’s Information Systems;


(2) use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts; (3) detect Cybersecurity Events; (4) respond to identified or detected Cybersecurity Events to mitigate any negative effects; (5) recover from Cybersecurity Events and restore normal operations and services; and (6) fulfill applicable regulatory reporting obligations.

(c) A Covered Entity may meet the requirement(s) of this Part by adopting the relevant and applicable provisions of a cybersecurity program maintained by an Affiliate, provided that such provisions satisfy the requirements of this Part, as applicable to the Covered Entity.

(d) All documentation and information relevant to the Covered Entity’s cybersecurity program shall be made available to the superintendent upon request.

Section 500.03 Cybersecurity Policy.

Cybersecurity Policy. Each Covered Entity shall implement and maintain a written policy or policies, approved by a Senior Officer or the Covered Entity’s board of directors (or an appropriate committee thereof) or equivalent governing body, setting forth the Covered Entity’s policies and procedures for the protection of its Information Systems and Nonpublic Information stored on those Information Systems. The cybersecurity policy shall be based on the Covered Entity’s Risk Assessment and address the following areas to the extent applicable to the Covered Entity’s operations: (a) information security; (b) data governance and classification; (c) asset inventory and device management; (d) access controls and identity management; (e) business continuity and disaster recovery planning and resources; (f) systems operations and availability concerns; (g) systems and network security; (h) systems and network monitoring; (i) systems and application development and quality assurance;


(j) physical security and environmental controls; (k) customer data privacy; (l) vendor and Third Party Service Provider management; (m) risk assessment; and (n) incident response.

Section 500.04 Chief Information Security Officer.

(a) Chief Information Security Officer. Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, “Chief Information Security Officer” or “CISO”). The CISO may be employed by the Covered Entity, one of its Affiliates or a Third Party Service Provider. To the extent this requirement is met using a Third Party Service Provider or an Affiliate, the Covered Entity shall: (1) retain responsibility for compliance with this Part; (2) designate a senior member of the Covered Entity’s personnel responsible for direction and oversight of the Third Party Service Provider; and (3) require the Third Party Service Provider to maintain a cybersecurity program that protects the Covered Entity in accordance with the requirements of this Part.

(b) Report. The CISO of each Covered Entity shall report in writing at least annually to the Covered Entity’s board of directors or equivalent governing body. If no such board of directors or equivalent governing body exists, such report shall be timely presented to a Senior Officer of the Covered Entity responsible for the Covered Entity’s cybersecurity program. The CISO shall report on the Covered Entity’s cybersecurity program and material cybersecurity risks. The CISO shall consider to the extent applicable: (1) the confidentiality of Nonpublic Information and the integrity and security of the Covered Entity’s Information Systems; (2) the Covered Entity’s cybersecurity policies and procedures; (3) material cybersecurity risks to the Covered Entity; (4) overall effectiveness of the Covered Entity’s cybersecurity program; and (5) material Cybersecurity Events involving the Covered Entity during the time period addressed by the report.

Section 500.05 Penetration Testing and Vulnerability Assessments.

The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity’s Risk Assessment, designed to assess the effectiveness of the Covered Entity’s cybersecurity program. The monitoring and testing shall include continuous monitoring or periodic Penetration Testing and vulnerability assessments. Absent effective continuous monitoring, or other systems to detect, on an ongoing basis, changes in Information Systems that may create or indicate vulnerabilities, Covered Entities shall conduct: (a) annual Penetration Testing of the Covered Entity’s Information Systems determined each given year based on relevant identified risks in accordance with the Risk Assessment; and (b) bi-annual vulnerability assessments, including any systematic scans or reviews of Information Systems reasonably designed to identify publicly known cybersecurity vulnerabilities in the Covered Entity’s Information Systems based on the Risk Assessment.

Section 500.06 Audit Trail.

(a) Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its Risk Assessment: (1) are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Covered Entity; and (2) include audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.

(b) Each Covered Entity shall maintain records required by section 500.06(a)(1) of this Part for not fewer than five years and shall maintain records required by section 500.06(a)(2) of this Part for not fewer than three years.

Section 500.07 Access Privileges.

As part of its cybersecurity program, based on the Covered Entity’s Risk Assessment each Covered Entity shall limit user access privileges to Information Systems that provide access to Nonpublic Information and shall periodically review such access privileges.

Section 500.08 Application Security.

(a) Each Covered Entity’s cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity, and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of the Covered Entity’s technology environment.

(b) All such procedures, guidelines and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee) of the Covered Entity.

Section 500.09 Risk Assessment.

(a) Each Covered Entity shall conduct a periodic Risk Assessment of the Covered Entity’s Information Systems sufficient to inform the design of the cybersecurity program as required by this Part. Such Risk Assessment shall be updated as reasonably necessary to address changes to the Covered Entity’s Information Systems, Nonpublic Information or business operations. The Covered Entity’s Risk Assessment shall allow for revision of controls to respond to technological developments and evolving threats and shall consider the particular risks of the Covered Entity’s business operations related to cybersecurity, Nonpublic Information collected or stored, Information Systems utilized and the availability and effectiveness of controls to protect Nonpublic Information and Information Systems.

(b) The Risk Assessment shall be carried out in accordance with written policies and procedures and shall be documented. Such policies and procedures shall include: (1) criteria for the evaluation and categorization of identified cybersecurity risks or threats facing the Covered Entity; (2) criteria for the assessment of the confidentiality, integrity, security and availability of the Covered Entity’s Information Systems and Nonpublic Information, including the adequacy of existing controls in the context of identified risks; and (3) requirements describing how identified risks will be mitigated or accepted based on the Risk Assessment and how the cybersecurity program will address the risks.

Section 500.10 Cybersecurity Personnel and Intelligence.

(a) Cybersecurity Personnel and Intelligence. In addition to the requirements set forth in section 500.04(a) of this Part, each Covered Entity shall: (1) utilize qualified cybersecurity personnel of the Covered Entity, an Affiliate or a Third Party Service Provider sufficient to manage the Covered Entity’s cybersecurity risks and to perform or oversee the performance of the core cybersecurity functions specified in section 500.02(b)(1)-(6) of this Part; (2) provide cybersecurity personnel with cybersecurity updates and training sufficient to address relevant cybersecurity risks; and (3) verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures.

(b) A Covered Entity may choose to utilize an Affiliate or qualified Third Party Service Provider to assist in complying with the requirements set forth in this Part, subject to the requirements set forth in section 500.11 of this Part.

Section 500.11 Third Party Service Provider Security Policy.

(a) Third Party Service Provider Policy. Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers. Such policies and procedures shall be based on the Risk Assessment of the Covered Entity and shall address to the extent applicable: (1) the identification and risk assessment of Third Party Service Providers; (2) minimum cybersecurity practices required to be met by such Third Party Service Providers in order for them to do business with the Covered Entity; (3) due diligence processes used to evaluate the adequacy of cybersecurity practices of such Third Party Service Providers; and (4) periodic assessment of such Third Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices.

(b) Such policies and procedures shall include relevant guidelines for due diligence and/or contractual protections relating to Third Party Service Providers including to the extent applicable guidelines addressing: (1) the Third Party Service Provider’s policies and procedures for access controls, including its use of Multi-Factor Authentication as required by section 500.12 of this Part, to limit access to relevant Information Systems and Nonpublic Information; (2) the Third Party Service Provider’s policies and procedures for use of encryption as required by section 500.15 of this Part to protect Nonpublic Information in transit and at rest; (3) notice to be provided to the Covered Entity in the event of a Cybersecurity Event directly impacting the Covered Entity’s Information Systems or the Covered Entity’s Nonpublic Information being held by the Third Party Service Provider; and (4) representations and warranties addressing the Third Party Service Provider’s cybersecurity policies and procedures that relate to the security of the Covered Entity’s Information Systems or Nonpublic Information.

(c) Limited Exception. An agent, employee, representative or designee of a Covered Entity who is itself a Covered Entity need not develop its own Third Party Information Security Policy pursuant to this section if the agent, employee, representative or designee follows the policy of the Covered Entity that is required to comply with this Part.

Section 500.12 Multi-Factor Authentication.

(a) Multi-Factor Authentication. Based on its Risk Assessment, each Covered Entity shall use effective controls, which may include Multi-Factor Authentication or Risk-Based Authentication, to protect against unauthorized access to Nonpublic Information or Information Systems.

(b) Multi-Factor Authentication shall be utilized for any individual accessing the Covered Entity’s internal networks from an external network, unless the Covered Entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.


Section 500.13 Limitations on Data Retention.

As part of its cybersecurity program, each Covered Entity shall include policies and procedures for the secure disposal on a periodic basis of any Nonpublic Information identified in section 500.01(g)(2)-(3) of this Part that is no longer necessary for business operations or for other legitimate business purposes of the Covered Entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.

Section 500.14 Training and Monitoring.

As part of its cybersecurity program, each Covered Entity shall: (a) implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users; and (b) provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its Risk Assessment.

Section 500.15 Encryption of Nonpublic Information.

(a) As part of its cybersecurity program, based on its Risk Assessment, each Covered Entity shall implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest. (1) To the extent a Covered Entity determines that encryption of Nonpublic Information in transit over external networks is infeasible, the Covered Entity may instead secure such Nonpublic Information using effective alternative compensating controls reviewed and approved by the Covered Entity’s CISO. (2) To the extent a Covered Entity determines that encryption of Nonpublic Information at rest is infeasible, the Covered Entity may instead secure such Nonpublic Information using effective alternative compensating controls reviewed and approved by the Covered Entity’s CISO.

(b) To the extent that a Covered Entity is utilizing compensating controls under (a) above, the feasibility of encryption and effectiveness of the compensating controls shall be reviewed by the CISO at least annually.

Section 500.16 Incident Response Plan.

(a) As part of its cybersecurity program, each Covered Entity shall establish a written incident response plan designed to promptly respond to, and recover from, any Cybersecurity Event materially affecting the confidentiality, integrity or availability of the Covered Entity’s Information Systems or the continuing functionality of any aspect of the Covered Entity’s business or operations.

(b) Such incident response plan shall address the following areas: (1) the internal processes for responding to a Cybersecurity Event; (2) the goals of the incident response plan; (3) the definition of clear roles, responsibilities and levels of decision-making authority; (4) external and internal communications and information sharing; (5) identification of requirements for the remediation of any identified weaknesses in Information Systems and associated controls; (6) documentation and reporting regarding Cybersecurity Events and related incident response activities; and (7) the evaluation and revision as necessary of the incident response plan following a Cybersecurity Event.

Section 500.17 Notices to Superintendent.

(a) Notice of Cybersecurity Event. Each Covered Entity shall notify the superintendent as promptly as possible but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred that is either of the following: (1) Cybersecurity Events impacting the Covered Entity of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; or (2) Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.

(b) Annually each Covered Entity shall submit to the superintendent a written statement covering the prior calendar year. This statement shall be submitted by February 15 in such form set forth as Appendix A, certifying that the Covered Entity is in compliance with the requirements set forth in this Part. Each Covered Entity shall maintain for examination by the Department all records, schedules and data supporting this certificate for a period of five years. To the extent a Covered Entity has identified areas, systems or processes that require material improvement, updating or redesign, the Covered Entity shall document the identification and the remedial efforts planned and underway to address such areas, systems or processes. Such documentation must be available for inspection by the superintendent.

Section 500.18 Confidentiality.

Information provided by a Covered Entity pursuant to this Part is subject to exemptions from disclosure under the Banking Law, Insurance Law, Financial Services Law, Public Officers Law or any other applicable state or federal law.

Section 500.19 Exemptions.

(a) Limited Exemption. Each Covered Entity with: (1) fewer than 10 employees, including any independent contractors, of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity, or (2) less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates, or (3) less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates, shall be exempt from the requirements of sections 500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16 of this Part.

(b) An employee, agent, representative or designee of a Covered Entity, who is itself a Covered Entity, is exempt from this Part and need not develop its own cybersecurity program to the extent that the employee, agent, representative or designee is covered by the cybersecurity program of the Covered Entity.

(c) A Covered Entity that does not directly or indirectly operate, maintain, utilize or control any Information Systems, and that does not, and is not required to, directly or indirectly control, own, access, generate, receive or possess Nonpublic Information shall be exempt from the requirements of sections 500.02, 500.03, 500.04, 500.05, 500.06, 500.07, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16 of this Part.

(d) A Covered Entity under Article 70 of the Insurance Law that does not and is not required to directly or indirectly control, own, access, generate, receive or possess Nonpublic Information other than information relating to its corporate parent company (or Affiliates) shall be exempt from the requirements of sections 500.02, 500.03, 500.04, 500.05, 500.06, 500.07, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16 of this Part.

(e) A Covered Entity that qualifies for any of the above exemptions pursuant to this section shall file a Notice of Exemption in the form set forth as Appendix B within 30 days of the determination that the Covered Entity is exempt.

(f) The following Persons are exempt from the requirements of this Part, provided such Persons do not otherwise qualify as a Covered Entity for purposes of this Part: Persons subject to Insurance Law section 1110; Persons subject to Insurance Law section 5904; and any accredited reinsurer or certified reinsurer that has been accredited or certified pursuant to 11 NYCRR 125.

(g) In the event that a Covered Entity, as of its most recent fiscal year end, ceases to qualify for an exemption, such Covered Entity shall have 180 days from such fiscal year end to comply with all applicable requirements of this Part.

Section 500.20 Enforcement.

This regulation will be enforced by the superintendent pursuant to, and is not intended to limit, the superintendent’s authority under any applicable laws.

Section 500.21 Effective Date.


This Part will be effective March 1, 2017. Covered Entities will be required to annually prepare and submit to the superintendent a Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations under section 500.17(b) of this Part commencing February 15, 2018.

Section 500.22 Transitional Periods.

(a) Transitional Period. Covered Entities shall have 180 days from the effective date of this Part to comply with the requirements set forth in this Part, except as otherwise specified.

(b) The following provisions shall include additional transitional periods. Covered Entities shall have:

(1) One year from the effective date of this Part to comply with the requirements of sections 500.04(b), 500.05, 500.09, 500.12, and 500.14(b) of this Part.

(2) Eighteen months from the effective date of this Part to comply with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of this Part.

(3) Two years from the effective date of this Part to comply with the requirements of section 500.11 of this Part.

Section 500.23 Severability.

If any provision of this Part or the application thereof to any Person or circumstance is adjudged invalid by a court of competent jurisdiction, such judgment shall not affect or impair the validity of the other provisions of this Part or the application thereof to other Persons or circumstances.


APPENDIX A (Part 500) (Covered Entity Name)

February 15, 20

Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations

The Board of Directors or a Senior Officer(s) of the Covered Entity certifies:

(1) The Board of Directors (or name of Senior Officer(s)) has reviewed documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors and other individuals or entities as necessary;

(2) To the best of the (Board of Directors) or (name of Senior Officer(s)) knowledge, the Cybersecurity Program of (name of Covered Entity) as of (date of the Board Resolution or Senior Officer(s) Compliance Finding) for the year ended (year for which Board Resolution or Compliance Finding is provided) complies with Part ___.

Signed by the Chairperson of the Board of Directors or Senior Officer(s)

(Name) Date: ___________________

[DFS Portal Filing Instructions]


APPENDIX B (Part 500) (Covered Entity Name)

(Date)

Notice of Exemption

In accordance with 23 NYCRR § 500.19(e), (Covered Entity Name) hereby provides notice that (Covered Entity Name) qualifies for the following Exemption(s) under 23 NYCRR § 500.19 (check all that apply):

Section 500.19(a)(1)

Section 500.19(a)(2)

Section 500.19(a)(3)

Section 500.19(b)

Section 500.19(c) 

Section 500.19(d)

If you have any question or concerns regarding this notice, please contact:

(Insert name, title, and full contact information)

(Name) Date: ___________________

(Title)

(Covered Entity Name)

[DFS Portal Filing Instructions]


Framework for Improving Critical Infrastructure Cybersecurity

Draft Version 1.1

National Institute of Standards and Technology

January 10, 2017


January 10, 2017 Cybersecurity Framework Draft Version 1.1


Note to Reviewers on the Update and Next Steps

The draft Version 1.1 of Cybersecurity Framework refines, clarifies, and enhances the predecessor version 1.0. Version 1.1 can be implemented by first time and current Framework users. Current users can implement Version 1.1 with minimal or no disruption, as refinements were made with the objective of being compatible with Version 1.0.

As with Version 1.0, use of the Version 1.1 is voluntary. Users of Version 1.1 are invited to customize the Framework to maximize organizational value.

The impetus to change and the proposed changes were collected from:

• Feedback and frequently asked questions to NIST since release of Framework Version 1.0 in February 2014,

• 105 responses to the December 2015 request for information (RFI), Views on the Framework for Improving Critical Infrastructure Cybersecurity, and

• Comments provided by approximately 800 attendees at a workshop held in Gaithersburg, Maryland on April 6-7, 2016.

In addition, NIST previously released Version 1.0 of the Cybersecurity Framework with a companion document, NIST Roadmap for Improving Critical Infrastructure Cybersecurity. This Roadmap highlighted key “areas of improvement” for further “development, alignment, and collaboration.” Through both private and public sector efforts, some areas of improvement have advanced enough to be included in the Framework Version 1.1.

Key refinements, clarifications, and enhancements in Framework Version 1.1 include:

Update: A new section on cybersecurity measurement
Description of Update: Added Section 4.0 Measuring and Demonstrating Cybersecurity to discuss correlation of business results to cybersecurity risk management metrics and measures.

Update: Greatly expanded explanation of using Framework for Cyber Supply Chain Risk Management purposes
Description of Update: Considerations of Cyber Supply Chain Risk Management (SCRM) have been added throughout the document. An expanded Section 3.3 Communicating Cybersecurity Requirements with Stakeholders helps users better understand Cyber SCRM. Cyber SCRM has also been added as a property of Implementation Tiers. Finally, a Supply Chain Risk Management Category has been added to the Framework Core.

Update: Refinements to better account for authentication, authorization, and identity proofing
Description of Update: The language of the Access Control Category has been refined to account for authentication, authorization, and identity proofing. A Subcategory has been added to that Category. Finally, the Category has been renamed to Identity Management and Access Control (PR.AC) to better represent the scope of the Category and corresponding Subcategories.

Update: Better explanation of the relationship between Implementation Tiers and Profiles
Description of Update: Added language to Section 3.2 Establishing or Improving a Cybersecurity Program on using Framework Tiers in Framework implementation. Added language to Framework Tiers to reflect integration of Framework considerations within organizational risk management programs. Updated Figure 2.0 to include actions from the Framework Tiers.


A more detailed review of Version 1.1 refinements, clarifications, and enhancements can be found in Appendix D.

NIST is seeking public comment on this draft Framework Version 1.1, specifically regarding the following questions:

• Are there any topics not addressed in the draft Framework Version 1.1 that could be addressed in the final?

• How do the changes made in the draft Version 1.1 impact the cybersecurity ecosystem?

• For those using Version 1.0, would the proposed changes impact your current use of the Framework? If so, how?

• For those not currently using Version 1.0, does the draft Version 1.1 affect your decision to use the Framework? If so, how?

• Does this proposed update adequately reflect advances made in the Roadmap areas?

• Is there a better label than “version 1.1” for this update?

• Based on this update, activities in Roadmap areas, and activities in the cybersecurity ecosystem, are there additional areas that should be added to the Roadmap? Are there any areas that should be removed from the Roadmap?

Feedback and comments should be directed to [email protected]. After reviewing public comments regarding the draft Version 1.1 and convening a workshop on the Framework, NIST intends to publish a final Framework Version 1.1 around the fall of 2017.


Table of Contents

Executive Summary
1.0 Framework Introduction
2.0 Framework Basics
3.0 How to Use the Framework
4.0 Measuring and Demonstrating Cybersecurity
Appendix A: Framework Core
Appendix B: Glossary
Appendix C: Acronyms
Appendix D: Errata

List of Figures

Figure 1: Framework Core Structure
Figure 2: Notional Information and Decision Flows within an Organization
Figure 3: Cyber Supply Chain Relationship

List of Tables

Table 1: Types of Framework Measurement
Table 2: Function and Category Unique Identifiers
Table 3: Framework Core
Table 4: Changes in Framework Version 1.1


Executive Summary

The national and economic security of the United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk. Similar to financial and reputational risk, cybersecurity risk affects a company’s bottom line. It can drive up costs and impact revenue. It can harm an organization’s ability to innovate and to gain and maintain customers.

To better address these risks, the President issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” on February 12, 2013, which established that “[i]t is the Policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” In enacting this policy, the Executive Order calls for the development of a voluntary risk-based Cybersecurity Framework – a set of industry standards and best practices to help organizations manage cybersecurity risks. The resulting Framework, created through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses.

The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. The Framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles. Through use of the Profiles, the Framework will help the organization align its cybersecurity activities with its business requirements, risk tolerances, and resources. The Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk.

The Executive Order also requires that the Framework include a methodology to protect individual privacy and civil liberties when critical infrastructure organizations conduct cybersecurity activities. While processes and existing needs will differ, the Framework can assist organizations in incorporating privacy and civil liberties as part of a comprehensive cybersecurity program.

The Framework enables organizations – regardless of size, degree of cybersecurity risk, or cybersecurity sophistication – to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure. The Framework provides organization and structure to today’s multiple approaches to cybersecurity by assembling standards, guidelines, and practices that are working effectively in industry today. Moreover, because it references globally recognized standards for cybersecurity, the Framework can also be used by organizations located outside the United States and can serve as a model for international cooperation on strengthening critical infrastructure cybersecurity.


The Framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure. Organizations will continue to have unique risks – different threats, different vulnerabilities, different risk tolerances – and how they implement the practices in the Framework will vary. Organizations can determine activities that are important to critical service delivery and can prioritize investments to maximize the impact of each dollar spent. Ultimately, the Framework is aimed at reducing and better managing cybersecurity risks.

The Framework is a living document and will continue to be updated and improved as industry provides feedback on implementation. NIST will continue coordinating industry as directed in the Cybersecurity Enhancement Act of 2014¹. As the Framework is put into practice, lessons learned will be integrated into future versions. This will ensure it is meeting the needs of critical infrastructure owners and operators in a dynamic and challenging environment of new threats, risks, and solutions.

Use, evolution, and sharing of best practices of this voluntary Framework are the next steps to improve the cybersecurity of our Nation’s critical infrastructure – providing guidance for individual organizations, while increasing the cybersecurity posture of the Nation’s critical infrastructure as a whole.

¹ See 15 U.S.C. § 272(e)(1)(A)(i). The Cybersecurity Enhancement Act of 2014 (S.1353) became public law 113-274 on December 18, 2014 and may be found at: https://www.congress.gov/bill/113th-congress/senate-bill/1353/text.


1.0 Framework Introduction

The national and economic security of the United States depends on the reliable functioning of critical infrastructure. To strengthen the resilience of this infrastructure, President Obama issued Executive Order 13636 (EO), “Improving Critical Infrastructure Cybersecurity,” on February 12, 2013.² This Executive Order calls for the development of a voluntary Cybersecurity Framework (“Framework”) that provides a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to manage cybersecurity risk for those processes, information, and systems directly involved in the delivery of critical infrastructure services. The Framework, developed in collaboration with industry, provides guidance to an organization on managing cybersecurity risk.

Critical infrastructure is defined in the EO as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” Due to the increasing pressures from external and internal threats, organizations responsible for critical infrastructure need to have a consistent and iterative approach to identifying, assessing, and managing cybersecurity risk. This approach is necessary regardless of an organization’s size, threat exposure, or cybersecurity sophistication today.

The critical infrastructure community includes public and private owners and operators, and other entities with a role in securing the Nation’s infrastructure. Members of each critical infrastructure sector perform functions that are supported by information technology (IT) and industrial control systems (ICS).³ This reliance on technology, communication, and the interconnectivity of IT and ICS has changed and expanded the potential vulnerabilities and increased potential risk to operations. For example, as ICS and the data produced in ICS operations are increasingly used to deliver critical services and support business decisions, the potential impacts of a cybersecurity incident on an organization’s business, assets, health and safety of individuals, and the environment should be considered. To manage cybersecurity risks, a clear understanding of the organization’s business drivers and security considerations specific to its use of IT and ICS is required. Because each organization’s risk is unique, along with its use of IT and ICS, the tools and methods used to achieve the outcomes described by the Framework will vary.

Recognizing the role that the protection of privacy and civil liberties plays in creating greater public trust, the Executive Order requires that the Framework include a methodology to protect individual privacy and civil liberties when critical infrastructure organizations conduct cybersecurity activities. Many organizations already have processes for addressing privacy and civil liberties. The methodology is designed to complement such processes and provide guidance to facilitate privacy risk management consistent with an organization’s approach to cybersecurity risk management. Integrating privacy and cybersecurity can benefit organizations by increasing customer confidence, enabling more standardized sharing of information, and simplifying operations across legal regimes.

² Executive Order no. 13636, Improving Critical Infrastructure Cybersecurity, DCPD-201300091, February 12, 2013. https://www.gpo.gov/fdsys/pkg/CFR-2014-title3-vol1/pdf/CFR-2014-title3-vol1-eo13636.pdf

³ The DHS Critical Infrastructure program provides a listing of the sectors and their associated critical functions and value chains. http://www.dhs.gov/critical-infrastructure-sectors


To ensure extensibility and enable technical innovation, the Framework is technology neutral. 157 The Framework relies on a variety of existing standards, guidelines, and practices to enable 158 critical infrastructure providers to achieve resilience. By relying on those global standards, 159 guidelines, and practices developed, managed, and updated by industry, the tools and methods 160 available to achieve the Framework outcomes will scale across borders, acknowledge the global 161 nature of cybersecurity risks, and evolve with technological advances and business requirements. 162 The use of existing and emerging standards will enable economies of scale and drive the 163 development of effective products, services, and practices that meet identified market needs. 164 Market competition also promotes faster diffusion of these technologies and practices and 165 realization of many benefits by the stakeholders in these sectors. 166

Building from those standards, guidelines, and practices, the Framework provides a common 167 taxonomy and mechanism for organizations to: 168

1) Describe their current cybersecurity posture; 169 2) Describe their target state for cybersecurity; 170

3) Identify and prioritize opportunities for improvement within the context of a 171 continuous and repeatable process; 172

4) Assess progress toward the target state; 173 5) Communicate among internal and external stakeholders about cybersecurity risk. 174

The Framework complements, and does not replace, an organization’s risk management process 175 and cybersecurity program. The organization can use its current processes and leverage the 176 Framework to identify opportunities to strengthen and communicate its management of 177 cybersecurity risk while aligning with industry practices. Alternatively, an organization without 178 an existing cybersecurity program can use the Framework as a reference to establish one. 179 Just as the Framework is not industry-specific, the common taxonomy of standards, guidelines, 180 and practices that it provides also is not country-specific. Organizations outside the United States 181 may also use the Framework to strengthen their own cybersecurity efforts, and the Framework 182 can contribute to developing a common language for international cooperation on critical 183 infrastructure cybersecurity. 184

1.1 Overview of the Framework

The Framework is a risk-based approach to managing cybersecurity risk, and is composed of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles. Each Framework component reinforces the connection between business drivers and cybersecurity activities. These components are explained below.

January 10, 2017 Cybersecurity Framework Draft Version 1.1

• The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level. The Framework Core consists of five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover. When considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk. The Framework Core then identifies underlying key Categories and Subcategories for each Function, and matches them with example Informative References such as existing standards, guidelines, and practices for each Subcategory.

• Framework Implementation Tiers (“Tiers”) provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and adaptive). The Tiers characterize an organization’s practices over a range, from Partial (Tier 1) to Adaptive (Tier 4). These Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed. During the Tier selection process, an organization should consider its current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.

• A Framework Profile (“Profile”) represents the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories. The Profile can be characterized as the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a “Current” Profile (the “as is” state) with a “Target” Profile (the “to be” state). To develop a Profile, an organization can review all of the Categories and Subcategories and, based on business drivers and a risk assessment, determine which are most important; they can add Categories and Subcategories as needed to address the organization’s risks. The Current Profile can then be used to support prioritization and measurement of progress toward the Target Profile, while factoring in other business needs including cost-effectiveness and innovation. Profiles can be used to conduct self-assessments and communicate within an organization or between organizations.

1.2 Risk Management and the Cybersecurity Framework

Risk management is the ongoing process of identifying, assessing, and responding to risk. To manage risk, organizations should understand the likelihood that an event will occur and the resulting impact. With this information, organizations can determine the acceptable level of risk for delivery of services and can express this as their risk tolerance.

With an understanding of risk tolerance, organizations can prioritize cybersecurity activities, enabling organizations to make informed decisions about cybersecurity expenditures. Implementation of risk management programs offers organizations the ability to quantify and communicate adjustments to their cybersecurity programs. Organizations may choose to handle risk in different ways, including mitigating the risk, transferring the risk, avoiding the risk, or accepting the risk, depending on the potential impact to the delivery of critical services.

The Framework uses risk management processes to enable organizations to inform and prioritize decisions regarding cybersecurity. It supports recurring risk assessments and validation of business drivers to help organizations select target states for cybersecurity activities that reflect desired outcomes. Thus, the Framework gives organizations the ability to dynamically select and direct improvement in cybersecurity risk management for the IT and ICS environments.


The Framework is adaptive to provide a flexible and risk-based implementation that can be used with a broad array of cybersecurity risk management processes. Examples of cybersecurity risk management processes include International Organization for Standardization (ISO) 31000:2009 [4], ISO/IEC 27005:2011 [5], National Institute of Standards and Technology (NIST) Special Publication (SP) 800-39 [6], and the Electricity Subsector Cybersecurity Risk Management Process (RMP) guideline [7].

1.3 Document Overview

The remainder of this document contains the following sections and appendices:

• Section 2 describes the Framework components: the Framework Core, the Tiers, and the Profiles.
• Section 3 presents examples of how the Framework can be used.
• Section 4 describes how to use the Framework for cybersecurity measurement.
• Appendix A presents the Framework Core in a tabular format: the Functions, Categories, Subcategories, and Informative References.
• Appendix B contains a glossary of selected terms.
• Appendix C lists acronyms used in this document.
• Appendix D is a detailed listing of updates between the Framework Version 1.0 and 1.1.

[4] International Organization for Standardization, Risk management – Principles and guidelines, ISO 31000:2009, 2009. http://www.iso.org/iso/home/standards/iso31000.htm
[5] International Organization for Standardization/International Electrotechnical Commission, Information technology – Security techniques – Information security risk management, ISO/IEC 27005:2011, 2011. http://www.iso.org/iso/catalogue_detail?csnumber=56742
[6] Joint Task Force Transformation Initiative, Managing Information Security Risk: Organization, Mission, and Information System View, NIST Special Publication 800-39, March 2011. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf
[7] U.S. Department of Energy, Electricity Subsector Cybersecurity Risk Management Process, DOE/OE-0003, May 2012. https://energy.gov/sites/prod/files/Cybersecurity Risk Management Process Guideline - Final - May 2012.pdf


2.0 Framework Basics

The Framework provides a common language for understanding, managing, and expressing cybersecurity risk both internally and externally. It can be used to help identify and prioritize actions for reducing cybersecurity risk, and it is a tool for aligning policy, business, and technological approaches to managing that risk. It can be used to manage cybersecurity risk across entire organizations or it can be focused on the delivery of critical services within an organization. Different types of entities – including sector coordinating structures, associations, and organizations – can use the Framework for different purposes, including the creation of common Profiles.

2.1 Framework Core

The Framework Core provides a set of activities to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes. The Core is not a checklist of actions to perform. It presents key cybersecurity outcomes identified by industry as helpful in managing cybersecurity risk. The Core comprises four elements: Functions, Categories, Subcategories, and Informative References, depicted in Figure 1:

Figure 1: Framework Core Structure

The Framework Core elements work together as follows:

• Functions organize basic cybersecurity activities at their highest level. These Functions are Identify, Protect, Detect, Respond, and Recover. They aid an organization in expressing its management of cybersecurity risk by organizing information, enabling risk management decisions, addressing threats, and improving by learning from previous activities. The Functions also align with existing methodologies for incident management and help show the impact of investments in cybersecurity. For example, investments in planning and exercises support timely response and recovery actions, resulting in reduced impact to the delivery of services.


• Categories are the subdivisions of a Function into groups of cybersecurity outcomes closely tied to programmatic needs and particular activities. Examples of Categories include “Asset Management,” “Access Control,” and “Detection Processes.”

• Subcategories further divide a Category into specific outcomes of technical and/or management activities. They provide a set of results that, while not exhaustive, help support achievement of the outcomes in each Category. Examples of Subcategories include “External information systems are catalogued,” “Data-at-rest is protected,” and “Notifications from detection systems are investigated.”

• Informative References are specific sections of standards, guidelines, and practices common among critical infrastructure sectors that illustrate a method to achieve the outcomes associated with each Subcategory. The Informative References presented in the Framework Core are illustrative and not exhaustive. They are based upon cross-sector guidance most frequently referenced during the Framework development process [8].

The five Framework Core Functions are defined below. These Functions are not intended to form a serial path, or lead to a static desired end state. Rather, the Functions can be performed concurrently and continuously to form an operational culture that addresses the dynamic cybersecurity risk. See Appendix A for the complete Framework Core listing.

• Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.

• Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.

• Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.

[8] NIST developed a Compendium of informative references gathered from the Request for Information (RFI) input, Cybersecurity Framework workshops, and stakeholder engagement during the Framework development process. The Compendium includes standards, guidelines, and practices to assist with implementation. The Compendium is not intended to be an exhaustive list, but rather a starting point based on initial stakeholder input. The Compendium and other supporting material can be found at http://www.nist.gov/cyberframework/.


• Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.

• Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications.

2.2 Framework Implementation Tiers

The Framework Implementation Tiers (“Tiers”) provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor and sophistication in cybersecurity risk management practices and the extent to which cybersecurity risk management is informed by business needs and is integrated into an organization’s overall risk management practices. Risk management considerations include many aspects of cybersecurity, including the degree to which privacy and civil liberties considerations are integrated into an organization’s management of cybersecurity risk and potential risk responses.

The Tier selection process considers an organization’s current risk management practices, threat environment, legal and regulatory requirements, information sharing practices, business/mission objectives, cyber supply chain risk management needs, and organizational constraints. Organizations should determine the desired Tier, ensuring that the selected level meets the organizational goals, is feasible to implement, and reduces cybersecurity risk to critical assets and resources to levels acceptable to the organization. Organizations should consider leveraging external guidance obtained from Federal government departments and agencies, Information Sharing and Analysis Centers (ISACs), existing maturity models, or other sources to assist in determining their desired tier.

While organizations identified as Tier 1 (Partial) are encouraged to consider moving toward Tier 2 or greater, Tiers do not represent maturity levels. Progression to higher Tiers is encouraged when such a change would reduce cybersecurity risk and be cost effective. Successful implementation of the Framework is based upon achievement of the outcomes described in the organization’s Target Profile(s) and not upon Tier determination. However, Tier selection and designation naturally affect Framework Profiles. The risk disposition expressed in a desired Tier should influence prioritization within a Target Profile. Similarly, the organizational state represented in an assessed Tier will indicate the likely findings of an assessed Profile, as well as inform realistic progress in addressing Profile gaps.


The Tier definitions are as follows:

Tier 1: Partial

• Risk Management Process – Organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner. Prioritization of cybersecurity activities may not be directly informed by organizational risk objectives, the threat environment, or business/mission requirements.

• Integrated Risk Management Program – There is limited awareness of cybersecurity risk at the organizational level. The organization implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The organization may not have processes that enable cybersecurity information to be shared within the organization.

• External Participation – An organization may not have the processes in place to participate in coordination or collaboration with other entities.

• Cyber Supply Chain Risk Management – An organization may not understand the full implications of cyber supply chain risks or have the processes in place to identify, assess and mitigate its cyber supply chain risks.

Tier 2: Risk Informed

• Risk Management Process – Risk management practices are approved by management but may not be established as organization-wide policy. Prioritization of cybersecurity activities is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.

• Integrated Risk Management Program – There is an awareness of cybersecurity risk at the organizational level, but an organization-wide approach to managing cybersecurity risk has not been established. Cybersecurity information is shared within the organization on an informal basis. Consideration of cybersecurity in mission/business objectives may occur at some levels of the organization, but not at all levels. Cyber risk assessment of organizational assets is not typically repeatable or reoccurring.

• External Participation – The organization knows its role in the larger ecosystem, but has not formalized its capabilities to interact and share information externally.

• Cyber Supply Chain Risk Management – The organization understands the cyber supply chain risks associated with the products and services that either support the business mission function of the organization or are utilized in the organization’s products or services. The organization has not formalized its capabilities to manage cyber supply chain risks internally or with its suppliers and partners and performs these activities inconsistently.


Tier 3: Repeatable

• Risk Management Process – The organization’s risk management practices are formally approved and expressed as policy. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.

• Integrated Risk Management Program – There is an organization-wide approach to manage cybersecurity risk. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Consistent methods are in place to respond effectively to changes in risk. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities. The organization consistently and accurately monitors cybersecurity risk of organizational assets. Senior cybersecurity and non-cybersecurity executives communicate regularly regarding cybersecurity risk. Senior executives ensure consideration of cybersecurity through all lines of operation in the organization.

• External Participation – The organization understands its dependencies and partners and receives information from these partners that enables collaboration and risk-based management decisions within the organization in response to events.

• Cyber Supply Chain Risk Management – An organization-wide approach to managing cyber supply chain risks is enacted via enterprise risk management policies, processes and procedures. This likely includes a governance structure (e.g. Risk Council) that manages cyber supply chain risks in balance with other enterprise risks. Policies, processes, and procedures are implemented consistently, as intended, and continuously monitored and reviewed. Personnel possess the knowledge and skills to perform their appointed cyber supply chain risk management responsibilities. The organization has formal agreements in place to communicate baseline requirements to its suppliers and partners.

Tier 4: Adaptive

• Risk Management Process – The organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner.

• Integrated Risk Management Program – There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. The relationship between cybersecurity risk and mission/business objectives is clearly understood and considered when making decisions. Senior executives monitor cybersecurity risk in the same context as financial risk and other organizational risks. The organizational budget is based on understanding of current and predicted risk environment and future risk appetites. Business units implement executive vision and analyze system level risks in the context of the organizational risk appetite and tolerances. Cybersecurity risk management is part of the organizational culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on their systems and networks. Cybersecurity risk is clearly articulated and understood across all strata of the enterprise. The organization can quickly and efficiently account for changes to business/mission objectives and threat and technology landscapes in how risk is communicated and approached.

• External Participation – The organization manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before a cybersecurity event occurs.

• Cyber Supply Chain Risk Management – The organization can quickly and efficiently account for emerging cyber supply chain risks using real-time or near real-time information and leveraging an institutionalized knowledge of cyber supply chain risk management with its external suppliers and partners as well as internally, in related functional areas and at all levels of the organization. The organization communicates proactively and uses formal (e.g. agreements) and informal mechanisms to develop and maintain strong relationships with its suppliers, partners, and individual and organizational buyers.

2.3 Framework Profile

The Framework Profile (“Profile”) is the alignment of the Functions, Categories, and Subcategories with the business requirements, risk tolerance, and resources of the organization. A Profile enables organizations to establish a roadmap for reducing cybersecurity risk that is well aligned with organizational and sector goals, considers legal/regulatory requirements and industry best practices, and reflects risk management priorities. Given the complexity of many organizations, they may choose to have multiple profiles, aligned with particular components and recognizing their individual needs.

Framework Profiles can be used to describe the current state or the desired target state of specific cybersecurity activities. The Current Profile indicates the cybersecurity outcomes that are currently being achieved. The Target Profile indicates the outcomes needed to achieve the desired cybersecurity risk management goals. Profiles support business/mission requirements and aid in the communication of risk within and between organizations. This Framework document does not prescribe Profile templates, allowing for flexibility in implementation.

Comparison of Profiles (e.g., the Current Profile and Target Profile) may reveal gaps to be addressed to meet cybersecurity risk management objectives. An action plan to address these gaps can contribute to the roadmap described above. Prioritization of gap mitigation is driven by the organization’s business needs and risk management processes. This risk-based approach enables an organization to gauge resource estimates (e.g., staffing, funding) to achieve cybersecurity goals in a cost-effective, prioritized manner.
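A worked example of the Current-versus-Target Profile comparison described here (and in the Profile overview in Section 1.1), added for this page and not part of the Framework document: it models a constructed subset of the Core as Function, Category and Subcategory, records each Profile as an implementation state per Subcategory, returns the gaps ordered by business priority and gap size, and computes a simple measure of progress toward the Target Profile. The three quoted Subcategory outcomes are the document's; the two Respond/Recover outcome texts, the three-level State scale, the priority values and all function names are assumptions.

```python
"""Current-vs-Target Profile gap analysis over a constructed subset of the Framework Core.

Added example, not from the Framework document. The three quoted Subcategory
outcomes come from the document; the Respond/Recover outcome texts, the State
scale, the priority values and all function names are constructed assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum


class State(IntEnum):
    """How far a Subcategory outcome is achieved in a Profile (assumed 3-level scale)."""
    NOT_ACHIEVED = 0
    PARTIAL = 1
    ACHIEVED = 2


@dataclass(frozen=True)
class Subcategory:
    function: str   # one of Identify, Protect, Detect, Respond, Recover
    category: str   # Category within that Function
    outcome: str    # the Subcategory outcome statement


# Constructed subset of the Core; the full listing is the Framework's Appendix A.
CORE = (
    Subcategory("Identify", "Asset Management", "External information systems are catalogued"),
    Subcategory("Protect", "Data Security", "Data-at-rest is protected"),
    Subcategory("Detect", "Detection Processes", "Notifications from detection systems are investigated"),
    # Constructed outcome texts (not quoted from the document):
    Subcategory("Respond", "Response Planning", "Response plan is executed during or after an event"),
    Subcategory("Recover", "Recovery Planning", "Recovery plan is executed during or after an event"),
)


@dataclass
class Profile:
    """A Current or Target Profile: the state selected for each Subcategory."""
    name: str
    states: dict  # Subcategory -> State; an unlisted Subcategory counts as NOT_ACHIEVED

    def state(self, sub):
        return self.states.get(sub, State.NOT_ACHIEVED)


@dataclass(frozen=True)
class Gap:
    subcategory: Subcategory
    current: State
    target: State
    priority: int  # business priority for closing the gap: 1 (low) to 3 (high), assumed scale


def gap_analysis(current, target, priority):
    """Return every Subcategory whose Target state exceeds its Current state,
    ordered by business priority, then by size of the gap, then by Core order."""
    gaps = [
        Gap(sub, current.state(sub), target.state(sub), priority.get(sub, 1))
        for sub in CORE
        if target.state(sub) > current.state(sub)
    ]
    gaps.sort(key=lambda g: (-g.priority, -(g.target - g.current), CORE.index(g.subcategory)))
    return gaps


def progress(current, target):
    """Fraction of Target outcomes already reached: one measure of progress toward
    the Target Profile. A Target that selects no outcomes counts as complete."""
    wanted = [sub for sub in CORE if target.state(sub) > State.NOT_ACHIEVED]
    if not wanted:
        return 1.0
    reached = sum(1 for sub in wanted if current.state(sub) >= target.state(sub))
    return reached / len(wanted)


def function_summary(gaps):
    """Open gaps per Function, the level of detail an executive-level report would use."""
    counts = {}
    for gap in gaps:
        counts[gap.subcategory.function] = counts.get(gap.subcategory.function, 0) + 1
    return counts


# Constructed sample Profiles for a fictional organization.
IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER = CORE

CURRENT_PROFILE = Profile("Current", {
    IDENTIFY: State.ACHIEVED,
    PROTECT: State.PARTIAL,
    RESPOND: State.PARTIAL,
    # DETECT and RECOVER are unlisted: nothing in place yet
})

TARGET_PROFILE = Profile("Target", {
    IDENTIFY: State.ACHIEVED,
    PROTECT: State.ACHIEVED,
    DETECT: State.ACHIEVED,
    RESPOND: State.ACHIEVED,
    RECOVER: State.PARTIAL,  # risk-based decision to accept partial recovery capability for now
})

# Business priority per Subcategory (constructed), as a risk assessment might set it.
PRIORITY = {PROTECT: 3, DETECT: 3, RESPOND: 2, RECOVER: 1, IDENTIFY: 2}


if __name__ == "__main__":
    for gap in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, PRIORITY):
        sub = gap.subcategory
        print(f"P{gap.priority} {sub.function}/{sub.category}: "
              f"{gap.current.name} -> {gap.target.name}: {sub.outcome}")
    print("progress toward Target:", progress(CURRENT_PROFILE, TARGET_PROFILE))
```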


2.4 Coordination of Framework Implementation

Figure 2 describes a common flow of information and decisions at the following levels within an organization:

• Executive
• Business/Process
• Implementation/Operations

The executive level communicates the mission priorities, available resources, and overall risk tolerance to the business/process level. The business/process level uses the information as inputs into the risk management process, and then collaborates with the implementation/operations level to communicate business needs and create a Profile. The implementation/operations level communicates the Profile implementation progress to the business/process level. The business/process level uses this information to perform an impact assessment. Business/process level management reports the outcomes of that impact assessment to the executive level to inform the organization’s overall risk management process and to the implementation/operations level for awareness of business impact.

Figure 2: Notional Information and Decision Flows within an Organization


3.0 How to Use the Framework

An organization can use the Framework as a key part of its systematic process for identifying, assessing, and managing cybersecurity risk. The Framework is not designed to replace existing processes; an organization can use its current process and overlay it onto the Framework to determine gaps in its current cybersecurity risk approach and develop a roadmap to improvement. Utilizing the Framework as a cybersecurity risk management tool, an organization can determine activities that are most important to critical service delivery and prioritize expenditures to maximize the impact of the investment.

The Framework is designed to complement existing business and cybersecurity operations. It can serve as the foundation for a new cybersecurity program or a mechanism for improving an existing program. The Framework provides a means of expressing cybersecurity requirements to business partners and customers and can help identify gaps in an organization’s cybersecurity practices. It also provides a general set of considerations and processes for considering privacy and civil liberties implications in the context of a cybersecurity program.

The Framework can be applied in design, build/buy, deploy, operate, and decommission system lifecycle phases. The design phase should account for cybersecurity requirements as a part of a larger multi-disciplinary systems engineering process [9]. A key milestone of the design phase is validation that the system cybersecurity specifications match the needs and risk disposition of the organization as summarized in a Framework Profile. The cybersecurity outcomes prioritized in a Profile should be enacted during either a) development of the system during the build phase or b) purchase or outsourcing of the system during the buy phase. In the system deploy phase, the cybersecurity features of the system should be assessed to verify the design was enacted. The cybersecurity outcomes of the Framework then serve as a basis for on-going operation of the system, including occasional reassessment to verify that cybersecurity requirements are still fulfilled. Typically, a complex web of dependencies amongst systems means Framework outcomes should be carefully considered as one or more systems are decommissioned.

The following sections present different ways in which organizations can use the Framework.

3.1 Basic Review of Cybersecurity Practices

The Framework can be used to compare an organization’s current cybersecurity activities with those outlined in the Framework Core. Through the creation of a Current Profile, organizations can examine the extent to which they are achieving the outcomes described in the Core Categories and Subcategories, aligned with the five high-level Functions: Identify, Protect, Detect, Respond, and Recover. An organization may find that it is already achieving the desired outcomes, thus managing cybersecurity commensurate with the known risk. Conversely, an organization may determine that it has opportunities to (or needs to) improve. The organization can use that information to develop an action plan to strengthen existing cybersecurity practices and reduce cybersecurity risk. An organization may also find that it is overinvesting to achieve certain outcomes. The organization can use this information to reprioritize resources to strengthen other cybersecurity practices.

[9] NIST Special Publication 800-160: System Security Engineering, Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems, Ross et al., November 2016, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf

While they do not replace a risk management process, these five high-level Functions will provide a concise way for senior executives and others to distill the fundamental concepts of cybersecurity risk so that they can assess how identified risks are managed, and how their organization stacks up at a high level against existing cybersecurity standards, guidelines, and practices. The Framework can also help an organization answer fundamental questions, including “How are we doing?” Then they can move in a more informed way to strengthen their cybersecurity practices where and when deemed necessary.

3.2 Establishing or Improving a Cybersecurity Program

The following steps illustrate how an organization could use the Framework to create a new cybersecurity program or improve an existing program. These steps should be repeated as necessary to continuously improve cybersecurity.

Step 1: Prioritize and Scope. The organization identifies its business/mission objectives and high-level organizational priorities. With this information, the organization makes strategic decisions regarding cybersecurity implementations and determines the scope of systems and assets that support the selected business line or process. The Framework can be adapted to support the different business lines or processes within an organization, which may have different business needs and associated risk tolerance. Implementation Tiers may be used to express varying risk tolerances.

Step 2: Orient. Once the scope of the cybersecurity program has been determined for the business line or process, the organization identifies related systems and assets, regulatory requirements, and overall risk approach. The organization then consults sources to identify threats and vulnerabilities applicable to those systems and assets.

Step 3: Create a Current Profile. The organization develops a Current Profile by indicating which Category and Subcategory outcomes from the Framework Core are currently being achieved. If an outcome is partially achieved, noting this fact will help support subsequent steps.

Step 4: Conduct a Risk Assessment. This assessment could be guided by the organization’s overall risk management process or previous risk assessment activities. The organization analyzes the operational environment in order to discern the likelihood of a cybersecurity event and the impact that the event could have on the organization. It is important that organizations identify emerging risks and use cyber threat information from internal and external sources to gain a better understanding of the likelihood and impact of cybersecurity events.

Step 5: Create a Target Profile. The organization creates a Target Profile that focuses on the assessment of the Framework Categories and Subcategories describing the organization’s desired cybersecurity outcomes. Organizations also may develop their own additional Categories and Subcategories to account for unique organizational risks. The organization may also consider influences and requirements of external stakeholders such as sector entities, customers, and business partners when creating a Target Profile. When used in conjunction with an Implementation Tier, characteristics of the Tier level should be reflected in the desired cybersecurity outcomes.

Step 6: Determine, Analyze, and Prioritize Gaps. The organization compares the Current Profile and the Target Profile to determine gaps. Next, it creates a prioritized action plan to address those gaps - drawing upon mission drivers, a cost/benefit analysis, and risk understanding - to achieve the outcomes in the Target Profile. The organization then determines resources necessary to address the gaps. Using Profiles in this manner enables the organization to make informed decisions about cybersecurity activities, supports risk management, and enables the organization to perform cost-effective, targeted improvements.

Step 7: Implement Action Plan. The organization determines which actions to take in regards to the gaps, if any, identified in the previous step. It then monitors its current cybersecurity practices against the Target Profile. For further guidance, the Framework identifies example Informative References regarding the Categories and Subcategories, but organizations should determine which standards, guidelines, and practices, including those that are sector specific, work best for their needs.

An organization may repeat the steps as needed to continuously assess and improve its cybersecurity. For instance, organizations may find that more frequent repetition of the orient step improves the quality of risk assessments. Furthermore, organizations may monitor progress through iterative updates to the Current Profile, subsequently comparing the Current Profile to the Target Profile. Organizations may also utilize this process to align their cybersecurity program with their desired Framework Implementation Tier.
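Added example, written for this page and not part of the NIST draft: Steps 3, 5 and 6 carried out on two Profiles. The Subcategory identifiers are ones the draft cites; every achievement state, risk score, cost and budget figure is a constructed sample value. It records partial achievement as Step 3 asks, ranks gaps by a cost/benefit priority, funds them within a budget, and summarizes coverage per Function for the Section 3.1 question “How are we doing?”.

```python
"""Added example, not from the NIST draft: Steps 3, 5 and 6 of the Section 3.2
process carried out on Profiles. The Subcategory identifiers are ones the draft
cites; every status, risk score and cost below is a constructed sample value."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    """Achievement of a Subcategory outcome. Step 3 asks that partial
    achievement be recorded rather than rounded to yes/no."""
    NOT_ACHIEVED = 0
    PARTIAL = 1
    ACHIEVED = 2


@dataclass(frozen=True)
class Gap:
    subcategory: str
    current: Status
    target: Status
    risk: int   # Step 4 output: likelihood x impact on a 1..25 scale (constructed)
    cost: int   # estimated effort to close the gap, relative units (constructed)

    @property
    def shortfall(self) -> int:
        return self.target.value - self.current.value

    @property
    def priority(self) -> float:
        """Step 6 cost/benefit: risk addressed per unit of effort, scaled by how
        far the Current Profile falls short of the Target."""
        return self.risk * self.shortfall / self.cost


# Step 3: Current Profile (constructed sample).
CURRENT_PROFILE = {
    "ID.BE-4": Status.ACHIEVED, "ID.SC-3": Status.PARTIAL, "ID.RA-2": Status.PARTIAL,
    "PR.DS-1": Status.PARTIAL, "PR.DS-4": Status.ACHIEVED, "PR.IP-1": Status.NOT_ACHIEVED,
    "DE.AE-5": Status.ACHIEVED,
}
# Step 5: Target Profile; ID.SC-4 is a new outcome with no Current entry.
TARGET_PROFILE = {sub: Status.ACHIEVED for sub in (
    "ID.BE-4", "ID.SC-3", "ID.SC-4", "ID.RA-2",
    "PR.DS-1", "PR.DS-4", "PR.IP-1", "DE.AE-5")}
# Step 4 risk assessment results and effort estimates (constructed).
RISK = {"ID.BE-4": 10, "ID.SC-3": 12, "ID.SC-4": 9, "ID.RA-2": 6,
        "PR.DS-1": 20, "PR.DS-4": 16, "PR.IP-1": 15, "DE.AE-5": 8}
COST = {"ID.BE-4": 2, "ID.SC-3": 3, "ID.SC-4": 4, "ID.RA-2": 2,
        "PR.DS-1": 4, "PR.DS-4": 3, "PR.IP-1": 3, "DE.AE-5": 2}


def function_of(subcategory: str) -> str:
    """'PR.DS-1' -> 'PR': the Function prefix of a Subcategory identifier."""
    return subcategory.split(".", 1)[0]


def determine_gaps(current, target, risk, cost) -> list[Gap]:
    """Step 6: every Target outcome the Current Profile falls short of, highest
    priority first. A Subcategory absent from the Current Profile counts as
    NOT_ACHIEVED; one achieved beyond the Target is not a gap."""
    gaps = []
    for sub, want in target.items():
        have = current.get(sub, Status.NOT_ACHIEVED)
        if have.value < want.value:
            gaps.append(Gap(sub, have, want, risk[sub], cost[sub]))
    return sorted(gaps, key=lambda g: g.priority, reverse=True)


def action_plan(gaps: list[Gap], budget: int) -> tuple[list[str], int]:
    """Steps 6 and 7: fund gaps in priority order until the budget runs out.
    A gap too expensive for the remaining budget is skipped, not partially
    funded, so a cheaper lower-priority gap may still be taken after it."""
    chosen, remaining = [], budget
    for gap in gaps:
        if gap.cost <= remaining:
            chosen.append(gap.subcategory)
            remaining -= gap.cost
    return chosen, remaining


def coverage_by_function(current, target) -> dict[str, float]:
    """Section 3.1 'How are we doing?': share of the Target achievement reached
    in each Function, with partial achievement counted at half weight."""
    have: dict[str, int] = {}
    want: dict[str, int] = {}
    for sub, goal in target.items():
        fn = function_of(sub)
        cur = current.get(sub, Status.NOT_ACHIEVED)
        have[fn] = have.get(fn, 0) + min(cur.value, goal.value)
        want[fn] = want.get(fn, 0) + goal.value
    return {fn: have[fn] / want[fn] for fn in want}


if __name__ == "__main__":
    gaps = determine_gaps(CURRENT_PROFILE, TARGET_PROFILE, RISK, COST)
    for gap in gaps:
        print(f"{gap.subcategory}: {gap.current.name} -> {gap.target.name}, "
              f"priority {gap.priority:.1f}")
    print(action_plan(gaps, budget=10))
    print(coverage_by_function(CURRENT_PROFILE, TARGET_PROFILE))
```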

3.3 Communicating Cybersecurity Requirements with Stakeholders

The Framework provides a common language to communicate requirements among interdependent stakeholders responsible for the delivery of essential critical infrastructure services. Examples include:

• An organization may utilize a Target Profile to express cybersecurity risk management requirements to an external service provider (e.g., a cloud provider to which it is exporting data).

• An organization may express its cybersecurity state through a Current Profile to report results or to compare with acquisition requirements.

• A critical infrastructure owner/operator, having identified an external partner on whom that infrastructure depends, may use a Target Profile to convey required Categories and Subcategories.

• A critical infrastructure sector may establish a Target Profile that can be used among its constituents as an initial baseline Profile to build their tailored Target Profiles.

In addition, Implementation Tiers allow organizations to understand how they fit into the larger cybersecurity ecosystem. Organizations can better manage cybersecurity risk amongst stakeholders by assessing their position in both critical infrastructure and the broader digital economy.


The practice of communicating and verifying cybersecurity requirements among stakeholders is one aspect of cyber supply chain risk management (SCRM). A primary objective of cyber SCRM is to identify, assess and mitigate “products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the cyber supply chain” [10]. Cyber SCRM activities may include:

• Determining cybersecurity requirements for suppliers and information technology (IT) and operational technology (OT) partners,

• Enacting cybersecurity requirements through formal agreement (e.g. contracts),

• Communicating to suppliers and partners how those cybersecurity requirements will be verified and validated,

• Verifying cybersecurity requirements are met through a variety of assessment methodologies, and

• Governing and managing the above activities.

As depicted in Figure 3, cyber SCRM encompasses IT and OT suppliers and buyers as well as non-IT and OT partners. These relationships highlight the critical role of cyber SCRM in addressing cybersecurity risk in the critical infrastructure and the broader digital economy. They should be identified and factored into the protective and detective capabilities of organizations, as well as the response and recovery protocols of organizations.

Figure 3: Cyber Supply Chain Relationship

Buyer refers to the people or organizations that consume a given product or service from an organization. Suppliers encompass product and service providers that are used for an organization’s internal purposes (e.g., IT infrastructure) or integrated into the products or services provided to the Buyer. Finally, non-IT and OT partners have access to, or may otherwise be a risk to, the security posture of the organization.

[10] NIST Special Publication 800-161: Supply Chain Risk Management Practices for Federal Information Systems and Organizations, Boyens et al, April 2015, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pdf


Whether considering individual Subcategories of the Core, or the comprehensive considerations of a Profile, the Framework offers organizations and their partners a method of ensuring the new product or service meets security outcomes that are prioritized. By first selecting outcomes that are relevant to the context (PII transmission, mission critical service delivery, data verification services, product or service integrity, etc.) the organization can then evaluate partners against those criteria. For example, if a particular system is being purchased that will monitor OT, availability may be a particularly important cybersecurity objective to achieve and thus will drive Subcategory selection (ID.BE-4, ID.SC-3, ID.SC-4, ID.SC-5, PR.DS-4, PR.DS-6, PR.DS-7, PR.DS-8, PR.IP-1, DE.AE-5, etc.).

3.4 Buying Decisions

Since a Framework Target Profile is a prioritized list of organizational cybersecurity requirements, Target Profiles can be used to inform decisions about buying products and services. This transaction varies from cyber SCRM (Section 3.3) in that it may not be possible to impose a set of cybersecurity requirements on the supplier. Instead, the objective is to make the best buying decision, optimally between multiple suppliers, given a pre-decided list of cybersecurity requirements. Often, this means some degree of trade-off analysis. Therefore, a product or service is typically purchased with known gaps to the Target Profile.

Once a product or service is purchased, the Profile also can be used to track residual cybersecurity risk. For example, if the service or product purchased did not meet all the objectives described in the Target Profile, the organization can incorporate that residual cybersecurity risk into the overall risk management of the larger environment, addressing the residual risk through other management actions. The Profile also allows the organization a method for assuring that the product meets cybersecurity outcomes through periodic review and testing mechanisms.
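Added example, not the draft’s own material: a Target Profile used to choose between suppliers and to carry the known gaps of the purchased product forward as residual risk, followed by the periodic verification pass the section calls for. The Subcategories are the availability-driven ones listed above for an OT monitoring purchase; the priority weights, the supplier names and their attested coverage are constructed.

```python
"""Added example, not from the NIST draft: using a Target Profile to compare
suppliers (Section 3.4) and to carry the residual gaps of the chosen product
forward for periodic verification. The Subcategories are those the draft lists
for an availability-driven OT monitoring purchase (Section 3.3); the weights,
supplier names and attested coverage below are constructed sample data."""
from __future__ import annotations

# Target Profile for the purchase: Subcategory -> priority weight (constructed;
# the availability-related outcomes carry the highest weight).
TARGET_PROFILE = {
    "ID.BE-4": 3, "ID.SC-3": 2, "ID.SC-4": 2, "ID.SC-5": 1,
    "PR.DS-4": 3, "PR.DS-6": 2, "PR.DS-7": 1, "PR.DS-8": 1,
    "PR.IP-1": 2, "DE.AE-5": 2,
}

# Each candidate's self-attested coverage of those outcomes (constructed).
SUPPLIERS = {
    "Supplier A": {"ID.BE-4", "ID.SC-3", "PR.DS-4", "PR.DS-6", "PR.IP-1", "DE.AE-5"},
    "Supplier B": {"ID.BE-4", "ID.SC-3", "ID.SC-4", "ID.SC-5",
                   "PR.DS-6", "PR.DS-7", "PR.DS-8"},
    "Supplier C": {"ID.SC-3", "PR.DS-6", "PR.DS-7", "PR.IP-1"},
}


def weighted_score(target: dict[str, int], covered: set[str]) -> float:
    """Fraction of the Target Profile's total weight a supplier covers.
    Counting Subcategories would favour Supplier B (7 of 10); weighting by
    priority favours Supplier A, which covers the availability outcomes."""
    total = sum(target.values())
    return sum(w for sub, w in target.items() if sub in covered) / total


def residual_gaps(target: dict[str, int], covered: set[str]) -> dict[str, int]:
    """Target outcomes the product does not meet, with their weights: the
    residual risk to be carried into enterprise risk management."""
    return {sub: w for sub, w in target.items() if sub not in covered}


def best_buy(target, suppliers):
    """Trade-off analysis: the highest weighted score wins (ties go to the
    first listed) and is purchased together with its known gaps."""
    best = max(suppliers, key=lambda name: weighted_score(target, suppliers[name]))
    return best, weighted_score(target, suppliers[best]), residual_gaps(target, suppliers[best])


def verify_after_purchase(target, attested: set[str], observed: set[str]) -> dict[str, int]:
    """Periodic review and testing: an outcome the supplier attested but the
    assessment did not confirm is treated as a gap until it is verified."""
    unverified = {sub: target[sub] for sub in attested - observed if sub in target}
    return {**residual_gaps(target, attested), **unverified}


if __name__ == "__main__":
    name, score, gaps = best_buy(TARGET_PROFILE, SUPPLIERS)
    print(f"buy {name}: covers {score:.0%} of target weight, residual gaps {gaps}")
    # Constructed assessment result: PR.DS-6 was attested but not confirmed.
    observed = {"ID.BE-4", "ID.SC-3", "PR.DS-4", "PR.IP-1", "DE.AE-5"}
    print("after review:", verify_after_purchase(TARGET_PROFILE, SUPPLIERS[name], observed))
```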

3.5 Identifying Opportunities for New or Revised Informative References

The Framework can be used to identify opportunities for new or revised standards, guidelines, or practices where additional Informative References would help organizations address emerging needs. An organization implementing a given Subcategory, or developing a new Subcategory, might discover that there are few Informative References, if any, for a related activity. To address that need, the organization might collaborate with technology leaders and/or standards bodies to draft, develop, and coordinate standards, guidelines, or practices.

3.6 Methodology to Protect Privacy and Civil Liberties

This section describes a methodology as required by the Executive Order to address individual privacy and civil liberties implications that may result from cybersecurity operations. This methodology is intended to be a general set of considerations and processes since privacy and civil liberties implications may differ by sector or over time and organizations may address these considerations and processes with a range of technical implementations. Nonetheless, not all activities in a cybersecurity program may give rise to these considerations. Consistent with Section 3.4, technical privacy standards, guidelines, and additional best practices may need to be developed to support improved technical implementations.


Privacy and cybersecurity have a strong nexus. It is well-recognized that cybersecurity plays an important role in protecting individuals’ privacy; for example, with respect to the confidentiality of assets containing personal information. Nonetheless, an organization’s cybersecurity activities also can create risks to privacy and civil liberties when personal information is used, collected, processed, maintained, or disclosed in connection with an organization’s cybersecurity activities. Some examples of activities that bear privacy or civil liberties considerations may include: cybersecurity activities that result in the over-collection or over-retention of personal information; disclosure or use of personal information unrelated to cybersecurity activities; cybersecurity mitigation activities that result in denial of service or other similar potentially adverse impacts, including activities such as some types of incident detection or monitoring that may impact freedom of expression or association.

The government and agents of the government have a direct responsibility to protect civil liberties arising from cybersecurity activities. As referenced in the methodology below, government or agents of the government that own or operate critical infrastructure should have a process in place to support compliance of cybersecurity activities with applicable privacy laws, regulations, and Constitutional requirements.

To address privacy implications, organizations may consider how, in circumstances where such measures are appropriate, their cybersecurity program might incorporate privacy principles such as: data minimization in the collection, disclosure, and retention of personal information material related to the cybersecurity incident; use limitations outside of cybersecurity activities on any information collected specifically for cybersecurity activities; transparency for certain cybersecurity activities; individual consent and redress for adverse impacts arising from use of personal information in cybersecurity activities; data quality, integrity, and security; and accountability and auditing.

As organizations assess the Framework Core in Appendix A, the following processes and activities may be considered as a means to address the above-referenced privacy and civil liberties implications:

Governance of cybersecurity risk

• An organization’s assessment of cybersecurity risk and potential risk responses considers the privacy implications of its cybersecurity program

• Individuals with cybersecurity-related privacy responsibilities report to appropriate management and are appropriately trained

• Process is in place to support compliance of cybersecurity activities with applicable privacy laws, regulations, and Constitutional requirements

• Process is in place to assess implementation of the foregoing organizational measures and controls

Approaches to identifying and authorizing individuals to access organizational assets and systems

• Steps are taken to identify and address the privacy implications of access control measures to the extent that they involve collection, disclosure, or use of personal information


Awareness and training measures

• Applicable information from organizational privacy policies is included in cybersecurity workforce training and awareness activities

• Service providers that provide cybersecurity-related services for the organization are informed about the organization’s applicable privacy policies

Anomalous activity detection and system and assets monitoring

• Process is in place to conduct a privacy review of an organization’s anomalous activity detection and cybersecurity monitoring

Response activities, including information sharing or other mitigation efforts

• Process is in place to assess and address whether, when, how, and the extent to which personal information is shared outside the organization as part of cybersecurity information sharing activities

• Process is in place to conduct a privacy review of an organization’s cybersecurity mitigation efforts

3.7 Federal Alignment

For Federal information systems, including those systems that are part of the critical infrastructure, Federal agencies are required to fulfill the security requirements defined in the Federal Information Security Modernization Act (FISMA), Office of Management and Budget (OMB) policies, and NIST standards and guidelines as expressed in Federal Information Processing Standards and Special Publications. The Cybersecurity Framework complements existing federal risk management approaches. Federal agencies may find the Framework a valuable addition by using:

• Implementation Tiers to express risk disposition,

• The Core to organize and communicate cybersecurity concepts, activities, and outcomes,

• Profiles to inform prioritization decisions, and

• The Seven-Step Process to organize assessment and remediation activities.

Additionally, OMB has organized recent FISMA reporting [11] and improvement initiatives (e.g., Cybersecurity Strategy and Implementation Plan [12]) according to Framework Functions. Federal organizations may find value in gaining a working understanding of the Framework Core to ensure precise and efficient high-level cybersecurity dialog with Federal and non-Federal partners.

[11] OMB Memorandum M-16-03, FY 2015-16 Guidance on Federal Information Security and Privacy Management Requirements, https://www.whitehouse.gov/sites/default/files/omb/memoranda/2016/m-16-03.pdf

[12] OMB Memorandum M-16-04, Cybersecurity Strategy and Implementation Plan, https://www.whitehouse.gov/sites/default/files/omb/memoranda/2016/m-16-04.pdf


4.0 Measuring and Demonstrating Cybersecurity

Framework measurement provides a basis for strong trusted relationships, both inside and outside of an organization. Measuring state and trends over time, internally, through external audit, and through conformity assessment, enables an organization to understand and convey meaningful risk information to dependents, partners, and customers.

In combination with Informative References, the Framework can be used as the basis for comprehensive measurement. The key terms for measuring with Framework are “metrics” and “measures” [13]. Metrics are used to “facilitate decision making and improve performance and accountability.” The Implementation Tiers, Subcategories, and Categories are examples of metrics. Metrics create meaning and awareness of organizational security postures by aggregating and correlating measures. Measures are “quantifiable, observable, objective data supporting metrics.” Measures are most closely aligned with technical controls, such as the Informative References.

The information harvested from security metrics is indicative of different aspects of organizational cyber risk posture. As such, tracking both security metrics and business outcomes may provide meaningful insight as to how changes in granular security controls impact the completion of business objectives. While it is important to measure whether or not a business objective was achieved through lagging measurement, it is typically more important to understand the likelihood of achieving a future objective through a leading measurement.

The ability of an organization to determine cause-and-effect relationships between cybersecurity and business outcomes is dependent on the accuracy and precision of the measurement systems (i.e., composed of the “resources” highlighted in ID.AM-5). Therefore, the measurement system should be designed with business requirements and operating expense in mind. The expense of a measurement system may increase as the accuracy of measurement increases. To mitigate undue cost to the organization, the accuracy and expense of a system need only match the required measurement accuracy of the corresponding business objective.

4.1 Correlation to Business Results

The objective of measuring cybersecurity is to correlate cybersecurity with business objectives (ID.BE-3), to understand and quantify cause-and-effect. Common business objectives include driving business/mission results, increasing cost effectiveness, and reducing enterprise risk. The aggregate of these business objectives may be measured in earnings per share and price/earnings multiple at the board level; revenue and net profits by senior executives; and in more specific measures such as number of products or hours delivered by those that report to senior executives.

Correlating cybersecurity metrics to business objectives is often more complex than simply measuring one cybersecurity result. There are a large number and variety of contributing factors to a given business objective. For instance, a retail bank wanting to increase the number of on-line banking customers may seek to do so by implementing stronger authentication. However, achieving an increase in on-line banking customers is also contingent upon developing the messages regarding trusted on-line transactions, targeting specific demographics of consumers, selecting communication channels that are most meaningful to those demographics, and marketing those communication channels over a duration necessary to achieve the objective. In short, achieving customer growth is contingent on messaging, marketing, advertising, cybersecurity, and other factors.

[13] Cybersecurity Metrics and Measures, Black et al, March 2009, http://ws680.nist.gov/publication/get_pdf.cfm?pub_id=51292

The relative cost effectiveness of various cybersecurity activities is an important consideration. Cost effectiveness means achieving a given business objective using minimum cybersecurity effort and expense. To examine cost effectiveness, an organization must first have a clear understanding of the business objectives, an understanding of the relationship between business objectives and the cybersecurity metrics, and an understanding of the relationship between business objectives and non-cybersecurity factors.

The effect of cybersecurity outcomes on a business objective may often be unclear. Cybersecurity’s primary role is the preservation of the business’s value through the protection of the confidentiality, integrity, and availability (CIA) of the organization’s information, operations, and processes. As such, even when cost effectiveness or the effect of cybersecurity outcomes on a business objective is unclear, organizations should exercise prudence when modifying their cybersecurity program. Often, cybersecurity outcomes are preventing a bad business circumstance, like a data breach.

Enterprise risk management is the consideration of all risks to achieving a given business objective. Ensuring cybersecurity is factored into enterprise risk consideration is integral to achieving business objectives. This includes the positive effects of cybersecurity as well as the negative effects should cybersecurity be subverted. The Management metrics highlighted below are a way of aggregating cybersecurity risk using the Framework Core, enabling cybersecurity to be factored into enterprise risk management.

The ability of an organization to determine cause-and-effect relationships between cybersecurity outcomes and business objectives also depends on the ability to adequately isolate those cybersecurity outcomes and business objectives. This is one of the largest challenges affecting measurement of cybersecurity. Special care must be taken to ensure that a given cybersecurity outcome and business objective truly correlate. Generally, correlating cybersecurity measures to higher-level cybersecurity metrics is easier than correlating cybersecurity metrics to business metrics.


4.2 Types of Cybersecurity Measurement

A summary of metrics and measures relating to the Framework is displayed in Table 1.

Table 1: Types of Framework Measurement

Measurement Type | What is Measured | Corresponding Framework Component | Measurement
Practices | General risk management behaviors | Implementation Tiers | Metric
Process | Specific risk management activities | Prose of Framework including the Seven-Step Process (Section 3.2) and use case specific process (e.g., Section 3.3 & 3.6) | Measure
Management | Fulfillment of general cybersecurity outcomes | Core/Profile Functions, Categories, and Subcategories | Metric
Technical | Achievement of specific cybersecurity outcomes | Informative References | Measure

Framework Implementation Tiers are a qualitative metric of overall cybersecurity risk management practices. Beyond an overarching 1 – 4 qualitative metric, the individual Implementation Tier properties of Risk Management Process, Integrated Risk Management Program, External Participation, and Cyber Supply Chain Risk Management also comprise practice metrics.

Whereas practices such as those in Implementation Tiers are general trends in high-level organizational behavior, those practices are composed of discrete processes that represent specific risk management activities. For instance, the periodicity of a process for updating Framework Profiles (Step 3) is a measure that is reflected in the metric, Risk Management Process. Similarly, a measure of the extent that governance and risk management processes address cybersecurity risk (ID.GV-4) is reflected in the metric, Integrated Risk Management Program. Finally, the volume of threat and vulnerability information received from information sharing forums and sources (ID.RA-2) is reflected in the metric, External Participation.


The cybersecurity outcomes of the Framework Core are the basis for a comprehensive set of cybersecurity management metrics. The aggregate of these metrics equals a reduction (or not) of cybersecurity risk.

• For instance, the outcome of the Protect Function is to “develop and implement the appropriate safeguards to ensure delivery…” A senior executive held accountable to this outcome might be measured using a lagging metric of percentage uptime of system(s) (i.e. ensuring delivery), with a leading metric of creating and communicating strategy for development and implementation for data security.

• Correspondingly, a Business Process person might be held accountable to the Data Security Category of the Protect Function (PR.DS) and Subcategories thereof. Data Security reads “information and records (data) are managed consistent with the organization’s risk strategy to protect the CIA of information.” A Business Process person accountable for all Data Security could be measured using the leading metric of whether policies are published and communicated commensurate with both the organization’s risk strategy and the goals of CIA. Lagging metrics for this Business Process person might be a composite of lagging metrics of how CIA is managed by those responsible for the Data Security Subcategories.

• Similarly, the Implementation/Operations person accountable for protecting data-at-rest (PR.DS-1) might be measured on the leading metric of implementing protective mechanisms, with the lagging metric being whether data was protected as evidenced by the lack of unauthorized modification, deletion, or theft of organizational data. That Implementation/Operations person might fulfill the objective of PR.DS-1 using applicable Informative References and corresponding measures.

Informative References, such as controls catalogs, offer detailed technical measures that work modularly to complement Framework. For instance, an organization using the NIST Special Publication 800-53 [14] security control SC-28 to implement the PR.DS-1 Subcategory might be held accountable to measures of design, development/purchase, implementation, management, evolution, and sunset of:

• Cryptographic mechanisms across a variety of media storage (internally-hosted hard drives, cloud hard drives, portable storage devices, mobile devices),

• Full disk encryption versus specific data structures (e.g., files, records, or fields),

• File share scanning,

• Write-Once-Read-Many technologies, and

• Secure off-line storage in lieu of online storage.

[14] NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations, Joint Task Force Transformation Initiative Interagency Working Group, April 2013, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf


January 10, 2017 Cybersecurity Framework Draft Version 1.1

25

Appendix A: Framework Core

Note to Reviewers: NIST is currently working with various parties to further refine and update the Informative References illustrated in the Core. These updates are still pending.

This appendix presents the Framework Core: a listing of Functions, Categories, Subcategories, and Informative References that describe specific cybersecurity activities that are common across all critical infrastructure sectors. The chosen presentation format for the Framework Core does not suggest a specific implementation order or imply a degree of importance of the Categories, Subcategories, and Informative References. The Framework Core presented in this appendix represents a common set of activities for managing cybersecurity risk. While the Framework is not exhaustive, it is extensible, allowing organizations, sectors, and other entities to use Subcategories and Informative References that are cost-effective and efficient and that enable them to manage their cybersecurity risk. Activities can be selected from the Framework Core during the Profile creation process and additional Categories, Subcategories, and Informative References may be added to the Profile. An organization’s risk management processes, legal/regulatory requirements, business/mission objectives, and organizational constraints guide the selection of these activities during Profile creation. Personal information is considered a component of data or assets referenced in the Categories when assessing security risks and protections.

While the intended outcomes identified in the Functions, Categories, and Subcategories are the same for IT and ICS, the operational environments and considerations for IT and ICS differ. ICS have a direct effect on the physical world, including potential risks to the health and safety of individuals, and impact on the environment. Additionally, ICS have unique performance and reliability requirements compared with IT, and the goals of safety and efficiency must be considered when implementing cybersecurity measures.

For ease of use, each component of the Framework Core is given a unique identifier. Functions and Categories each have a unique alphabetic identifier, as shown in Table 1. Subcategories within each Category are referenced numerically; the unique identifier for each Subcategory is included in Table 2.

Additional supporting material relating to the Framework can be found on the NIST website at http://www.nist.gov/cyberframework/.


Table 2: Function and Category Unique Identifiers

Columns: Function Unique Identifier | Function | Category Unique Identifier | Category

ID Identify
• ID.AM Asset Management
• ID.BE Business Environment
• ID.GV Governance
• ID.RA Risk Assessment
• ID.RM Risk Management Strategy
• ID.SC Supply Chain Risk Management

PR Protect
• PR.AC Access Control
• PR.AT Awareness and Training
• PR.DS Data Security
• PR.IP Information Protection Processes and Procedures
• PR.MA Maintenance
• PR.PT Protective Technology

DE Detect
• DE.AE Anomalies and Events
• DE.CM Security Continuous Monitoring
• DE.DP Detection Processes

RS Respond
• RS.RP Response Planning
• RS.CO Communications
• RS.AN Analysis
• RS.MI Mitigation
• RS.IM Improvements

RC Recover
• RC.RP Recovery Planning
• RC.IM Improvements
• RC.CO Communications


Table 3: Framework Core 893

Function Category Subcategory Informative References

IDENTIFY (ID)

Asset Management (ID.AM): The data, personnel, devices,

systems, and facilities that enable the organization to achieve

business purposes are identified and managed consistent with their

relative importance to business objectives and the organization’s

risk strategy.

ID.AM-1: Physical devices and systems within the organization are inventoried

• CCS CSC 1 • COBIT 5 BAI09.01, BAI09.02 • ISA 62443-2-1:2009 4.2.3.4 • ISA 62443-3-3:2013 SR 7.8 • ISO/IEC 27001:2013 A.8.1.1, A.8.1.2 • NIST SP 800-53 Rev. 4 CM-8

ID.AM-2: Software platforms and applications within the organization are inventoried

• CCS CSC 2 • COBIT 5 BAI09.01, BAI09.02, BAI09.05 • ISA 62443-2-1:2009 4.2.3.4 • ISA 62443-3-3:2013 SR 7.8 • ISO/IEC 27001:2013 A.8.1.1, A.8.1.2 • NIST SP 800-53 Rev. 4 CM-8

ID.AM-3: Organizational communication and data flows are mapped

• CCS CSC 1 • COBIT 5 DSS05.02 • ISA 62443-2-1:2009 4.2.3.4 • ISO/IEC 27001:2013 A.13.2.1 • NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9,

PL-8

ID.AM-4: External information systems are catalogued

• COBIT 5 APO02.02 • ISO/IEC 27001:2013 A.11.2.6 • NIST SP 800-53 Rev. 4 AC-20, SA-9

ID.AM-5: Resources (e.g., hardware, devices, data, time, and software) are prioritized based on their classification, criticality, and business value

• COBIT 5 APO03.03, APO03.04, BAI09.02 • ISA 62443-2-1:2009 4.2.3.6 • ISO/IEC 27001:2013 A.8.2.1 • NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14

ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established

• COBIT 5 APO01.02, DSS06.03 • ISA 62443-2-1:2009 4.3.2.3.3 • ISO/IEC 27001:2013 A.6.1.1

Page 94: 2nd ANNUAL CYBER SECURITY LAW CONFERENCE: … · 2nd ANNUAL CYBER SECURITY LAW CONFERENCE: SAFEGUARDING AGAINST ... Class Action for $1.6 Million. ... fraud in order to give the class

January 10, 2017 Cybersecurity Framework Draft Version 1.1

28

Function Category Subcategory Informative References

• NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11

Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and

prioritized; this information is used to inform cybersecurity

roles, responsibilities, and risk management decisions.

ID.BE-1: The organization’s role in the supply chain is identified and communicated

• COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05

• ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2

• NIST SP 800-53 Rev. 4 CP-2, SA-12 ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated

• COBIT 5 APO02.06, APO03.01 • NIST SP 800-53 Rev. 4 PM-8

ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated

• COBIT 5 APO02.01, APO02.06, APO03.01 • ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6 • NIST SP 800-53 Rev. 4 PM-11, SA-14

ID.BE-4: Dependencies and critical functions for delivery of critical services are established

• ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3

• NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14

ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)

• COBIT 5 DSS04.02 • ISO/IEC 27001:2013 A.11.1.4, A.17.1.1,

A.17.1.2, A.17.2.1 • NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14

Governance (ID.GV): The policies, procedures, and

processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the

management of cybersecurity risk.

ID.GV-1: Organizational information security policy is established

• COBIT 5 APO01.03, EDM01.01, EDM01.02 • ISA 62443-2-1:2009 4.3.2.6 • ISO/IEC 27001:2013 A.5.1.1 • NIST SP 800-53 Rev. 4 -1 controls from all

families

ID.GV-2: Information security roles & responsibilities are coordinated and aligned with internal roles and external partners

• COBIT 5 APO13.02 • ISA 62443-2-1:2009 4.3.2.3.3 • ISO/IEC 27001:2013 A.6.1.1, A.7.2.1 • NIST SP 800-53 Rev. 4 PM-1, PS-7

ID.GV-3: Legal and regulatory requirements regarding cybersecurity, • COBIT 5 MEA03.01, MEA03.04

Page 95: 2nd ANNUAL CYBER SECURITY LAW CONFERENCE: … · 2nd ANNUAL CYBER SECURITY LAW CONFERENCE: SAFEGUARDING AGAINST ... Class Action for $1.6 Million. ... fraud in order to give the class

January 10, 2017 Cybersecurity Framework Draft Version 1.1

29

Function Category Subcategory Informative References

including privacy and civil liberties obligations, are understood and managed

• ISA 62443-2-1:2009 4.4.3.7 • ISO/IEC 27001:2013 A.18.1 • NIST SP 800-53 Rev. 4 -1 controls from all

families (except PM-1)

ID.GV-4: Governance and risk management processes address cybersecurity risks

• COBIT 5 DSS04.02 • ISA 62443-2-1:2009 4.2.3.1, 4.2.3.3, 4.2.3.8,

4.2.3.9, 4.2.3.11, 4.3.2.4.3, 4.3.2.6.3 • NIST SP 800-53 Rev. 4 PM-9, PM-11

Risk Assessment (ID.RA): The organization understands the

cybersecurity risk to organizational operations

(including mission, functions, image, or reputation),

organizational assets, and individuals.

ID.RA-1: Asset vulnerabilities are identified and documented

• CCS CSC 4 • COBIT 5 APO12.01, APO12.02, APO12.03,

APO12.04 • ISA 62443-2-1:2009 4.2.3, 4.2.3.7, 4.2.3.9,

4.2.3.12 • ISO/IEC 27001:2013 A.12.6.1, A.18.2.3 • NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8,

RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5

ID.RA-2: Cyber threat intelligence and vulnerability information is received from information sharing forums and sources

• ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12 • ISO/IEC 27001:2013 A.6.1.4 • NIST SP 800-53 Rev. 4 PM-15, PM-16, SI-5

ID.RA-3: Threats, both internal and external, are identified and documented

• COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04

• ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12 • NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12,

PM-16

ID.RA-4: Potential business impacts and likelihoods are identified

• COBIT 5 DSS04.02 • ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12 • NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-9,

PM-11, SA-14

ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk

• COBIT 5 APO12.02 • ISO/IEC 27001:2013 A.12.6.1 • NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-16

Page 96: 2nd ANNUAL CYBER SECURITY LAW CONFERENCE: … · 2nd ANNUAL CYBER SECURITY LAW CONFERENCE: SAFEGUARDING AGAINST ... Class Action for $1.6 Million. ... fraud in order to give the class

January 10, 2017 Cybersecurity Framework Draft Version 1.1

30

Function Category Subcategory Informative References

ID.RA-6: Risk responses are identified and prioritized

• COBIT 5 APO12.05, APO13.02 • NIST SP 800-53 Rev. 4 PM-4, PM-9

Risk Management Strategy (ID.RM): The organization’s

priorities, constraints, risk tolerances, and assumptions are established and used to support

operational risk decisions.

ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders

• COBIT 5 APO12.04, APO12.05, APO13.02, BAI02.03, BAI04.02

• ISA 62443-2-1:2009 4.3.4.2 • NIST SP 800-53 Rev. 4 PM-9

ID.RM-2: Organizational risk tolerance is determined and clearly expressed

• COBIT 5 APO12.06 • ISA 62443-2-1:2009 4.3.2.6.5 • NIST SP 800-53 Rev. 4 PM-9

ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis

• NIST SP 800-53 Rev. 4 PM-8, PM-9, PM-11, SA-14

Supply Chain Risk Management (ID.SC):

The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions

associated with managing supply chain risk. The organization has

in place the processes to identify, assess and manage supply chain

risks.

ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders

• CIS CSC: 4.8 • COBIT 5: APO10.01, APO10.04, APO12.04,

APO12.05, APO13.02, BAI01.03, BAI02.03, BAI04.02

• ISA 62443-2-1:2009: 4.3.4.2 • ISA 62443-3-3:2013: • ISO/IEC 27001:2013: A.15.1.1, A.15.1.2,

A.15.1.3, A.15.2.1, A.15.2.2 • NIST SP 800-53: SA-9, SA-12, PM-9

ID.SC-2: Identify, prioritize and assess suppliers and partners of critical information systems, components and services using a cyber supply chain risk assessment process

• CIS CSC: • COBIT 5: APO10.01, APO10.02, APO10.04,

APO10.05, APO12.01, APO12.02, APO12.03, APO12.04, APO12.05, APO12.06, APO13.02, BAI02.03

• ISA 62443-2-1:2009: 4.2.3.1, 4.2.3.2, 4.2.3.3,

Page 97: 2nd ANNUAL CYBER SECURITY LAW CONFERENCE: … · 2nd ANNUAL CYBER SECURITY LAW CONFERENCE: SAFEGUARDING AGAINST ... Class Action for $1.6 Million. ... fraud in order to give the class

January 10, 2017 Cybersecurity Framework Draft Version 1.1

31

Function Category Subcategory Informative References

4.2.3.4, 4.2.3.6, 4.2.3.8, 4.2.3.9, 4.2.3.10, 4.2.3.12, 4.2.3.13, 4.2.3.14

• ISA 62443-3-3:2013: • ISO/IEC 27001:2013: A.15.2.1, A.15.2.2 • NIST SP 800-53: RA-2, RA-3, SA-12, SA-14,

SA-15, PM-9

ID.SC-3: Suppliers and partners are required by contract to implement appropriate measures designed to meet the objectives of the Information Security program or Cyber Supply Chain Risk Management Plan.

• CIS CSC: • COBIT 5: APO10.01, APO10.02, APO10.03,

APO10.04, APO10.05 • ISA 62443-2-1:2009: 4.3.2.6.4, 4.3.2.6.7 • ISA 62443-3-3:2013: • ISO/IEC 27001:2013: A.15.1.1, A.15.1.2,

A.15.1.3 • NIST SP 800-53: SA-9, SA-11, SA-12, PM-9

ID.SC-4: Suppliers and partners are monitored to confirm that they have satisfied their obligations as required. Reviews of audits, summaries of test results, or other equivalent evaluations of suppliers/providers are conducted

• CIS CSC: • COBIT 5: APO10.01, APO10.03, APO10.04,

APO10.05, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05

• ISA 62443-2-1:2009: 4.3.2.6.7 • ISA 62443-3-3:2013: SR 6.1 • ISO/IEC 27001:2013: A.15.2.1, A.15.2.2 • NIST SP 800-53: AU-2, AU-6, AU-12, AU-16,

PS-7, SA-9, SA-12

ID.SC-5: Response and recovery planning and testing are conducted with critical suppliers/providers

• CIS CSC: 19.7, 20.3 • COBIT 5: DSS04.04 • ISA 62443-2-1:2009: 4.3.2.5.7, 4.3.4.5.11 • ISA 62443-3-3:2013: SR 2.8, SR 3.3, SR.6.1,

SR 7.3, SR 7.4 • ISO/IEC 27001:2013 A.17.1.3 • NIST SP 800-53: CP-2, CP-4, IR-3, IR-4, IR-6,

IR-8, IR-9

Page 98: 2nd ANNUAL CYBER SECURITY LAW CONFERENCE: … · 2nd ANNUAL CYBER SECURITY LAW CONFERENCE: SAFEGUARDING AGAINST ... Class Action for $1.6 Million. ... fraud in order to give the class

January 10, 2017 Cybersecurity Framework Draft Version 1.1

32

Function Category Subcategory Informative References

PROTECT (PR)

Identity Management, Authentication and Access Control (PR.AC): Access to

physical and logical assets and associated facilities is limited to authorized users, processes, and

devices, and is managed consistent with the assessed risk

of unauthorized access to authorized activities and

transactions.

PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes

• CCS CSC 16 • COBIT 5 DSS05.04, DSS06.03 • ISA 62443-2-1:2009 4.3.3.5.1 • ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3,

SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9 • ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4,

A.9.3.1, A.9.4.2, A.9.4.3 • NIST SP 800-53 Rev. 4 AC-2, IA Family

PR.AC-2: Physical access to assets is managed and protected

• COBIT 5 DSS01.04, DSS05.05 • ISA 62443-2-1:2009 4.3.3.3.2, 4.3.3.3.8 • ISO/IEC 27001:2013 A.11.1.1, A.11.1.2,

A.11.1.4, A.11.1.6, A.11.2.3 • NIST SP 800-53 Rev. 4 PE-2, PE-3, PE-4, PE-

5, PE-6, PE-9

PR.AC-3: Remote access is managed

• COBIT 5 APO13.01, DSS01.04, DSS05.03 • ISA 62443-2-1:2009 4.3.3.6.6 • ISA 62443-3-3:2013 SR 1.13, SR 2.6 • ISO/IEC 27001:2013 A.6.2.2, A.13.1.1,

A.13.2.1 • NIST SP 800-53 Rev. 4 AC-17, AC-19, AC-20

PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties

• CCS CSC 12, 15 • ISA 62443-2-1:2009 4.3.3.7.3 • ISA 62443-3-3:2013 SR 2.1 • ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3,

A.9.4.1, A.9.4.4 • NIST SP 800-53 Rev. 4 AC-2, AC-3, AC-5,

AC-6, AC-16

PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate

• ISA 62443-2-1:2009 4.3.3.4 • ISA 62443-3-3:2013 SR 3.1, SR 3.8 • ISO/IEC 27001:2013 A.13.1.1, A.13.1.3,

A.13.2.1

Page 99: 2nd ANNUAL CYBER SECURITY LAW CONFERENCE: … · 2nd ANNUAL CYBER SECURITY LAW CONFERENCE: SAFEGUARDING AGAINST ... Class Action for $1.6 Million. ... fraud in order to give the class

January 10, 2017 Cybersecurity Framework Draft Version 1.1

33

Function Category Subcategory Informative References

• NIST SP 800-53 Rev. 4 AC-4, SC-7

PR.AC-6: Identities are proofed and bound to credentials, and asserted in interactions when appropriate

• CIS CSC: CSC 5, 12, 14, 16 • COBIT 5: DSS05.04, DSS05.05, DSS05.07,

DSS06.03, BAI08.03 • ISA 62443-2-1:2009: 4.3.2.4.2, 4.3.3.2.2,

4.3.3.2.3, 4.3.3.5.2, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4

• ISA 62443-3-3:2013: SR 1.4, SR 1.5, SR 2.1, SR 2.2, SR 2.3

• ISO/IEC 27001:2013: A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6, A.9.4.1, A.9.4.4

• NIST SP 800-53: AC-2, AC-3, AC-5, AC-6, AC-16, AC-19, AC-24, IA-2, IA-4, IA-5, IA-8, PE-2, PS-3

Awareness and Training (PR.AT): The organization’s

personnel and partners are provided cybersecurity awareness

education and are adequately trained to perform their

information security-related duties and responsibilities

consistent with related policies, procedures, and agreements.

PR.AT-1: All users are informed and trained

• CCS CSC 9 • COBIT 5 APO07.03, BAI05.07 • ISA 62443-2-1:2009 4.3.2.4.2 • ISO/IEC 27001:2013 A.7.2.2 • NIST SP 800-53 Rev. 4 AT-2, PM-13

PR.AT-2: Privileged users understand roles & responsibilities

• CCS CSC 9 • COBIT 5 APO07.02, DSS06.03 • ISA 62443-2-1:2009 4.3.2.4.2, 4.3.2.4.3 • ISO/IEC 27001:2013 A.6.1.1, A.7.2.2 • NIST SP 800-53 Rev. 4 AT-3, PM-13

PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities

• CCS CSC 9 • COBIT 5 APO07.03, APO10.04, APO10.05 • ISA 62443-2-1:2009 4.3.2.4.2 • ISO/IEC 27001:2013 A.6.1.1, A.7.2.2 • NIST SP 800-53 Rev. 4 PS-7, SA-9

PR.AT-4: Senior executives understand roles & responsibilities

• CCS CSC 9 • COBIT 5 APO07.03

Page 100: 2nd ANNUAL CYBER SECURITY LAW CONFERENCE: … · 2nd ANNUAL CYBER SECURITY LAW CONFERENCE: SAFEGUARDING AGAINST ... Class Action for $1.6 Million. ... fraud in order to give the class

January 10, 2017 Cybersecurity Framework Draft Version 1.1

34

Function Category Subcategory Informative References

• ISA 62443-2-1:2009 4.3.2.4.2 • ISO/IEC 27001:2013 A.6.1.1, A.7.2.2, • NIST SP 800-53 Rev. 4 AT-3, PM-13

PR.AT-5: Physical and information security personnel understand roles & responsibilities

• CCS CSC 9 • COBIT 5 APO07.03 • ISA 62443-2-1:2009 4.3.2.4.2 • ISO/IEC 27001:2013 A.6.1.1, A.7.2.2, • NIST SP 800-53 Rev. 4 AT-3, PM-13

Data Security (PR.DS): Information and records (data) are

managed consistent with the organization’s risk strategy to

protect the confidentiality, integrity, and availability of

information.

PR.DS-1: Data-at-rest is protected

• CCS CSC 17 • COBIT 5 APO01.06, BAI02.01, BAI06.01,

DSS06.06 • ISA 62443-3-3:2013 SR 3.4, SR 4.1 • ISO/IEC 27001:2013 A.8.2.3 • NIST SP 800-53 Rev. 4 SC-28

PR.DS-2: Data-in-transit is protected

• CCS CSC 17 • COBIT 5 APO01.06, DSS06.06 • ISA 62443-3-3:2013 SR 3.1, SR 3.8, SR 4.1,

SR 4.2 • ISO/IEC 27001:2013 A.8.2.3, A.13.1.1,

A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3 • NIST SP 800-53 Rev. 4 SC-8

PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition

• COBIT 5 BAI09.03 • ISA 62443-2-1:2009 4. 4.3.3.3.9, 4.3.4.4.1 • ISA 62443-3-3:2013 SR 4.2 • ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2,

A.8.3.3, A.11.2.7 • NIST SP 800-53 Rev. 4 CM-8, MP-6, PE-16

PR.DS-4: Adequate capacity to ensure availability is maintained

• COBIT 5 APO13.01 • ISA 62443-3-3:2013 SR 7.1, SR 7.2 • ISO/IEC 27001:2013 A.12.3.1

Page 101: 2nd ANNUAL CYBER SECURITY LAW CONFERENCE: … · 2nd ANNUAL CYBER SECURITY LAW CONFERENCE: SAFEGUARDING AGAINST ... Class Action for $1.6 Million. ... fraud in order to give the class

January 10, 2017 Cybersecurity Framework Draft Version 1.1

35

Function Category Subcategory Informative References

• NIST SP 800-53 Rev. 4 AU-4, CP-2, SC-5

PR.DS-5: Protections against data leaks are implemented

• CCS CSC 17 • COBIT 5 APO01.06 • ISA 62443-3-3:2013 SR 5.2 • ISO/IEC 27001:2013 A.6.1.2, A.7.1.1, A.7.1.2,

A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3

• NIST SP 800-53 Rev. 4 AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-31, SI-4

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity

• ISA 62443-3-3:2013 SR 3.1, SR 3.3, SR 3.4, SR 3.8

• ISO/IEC 27001:2013 A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3

• NIST SP 800-53 Rev. 4 SI-7

PR.DS-7: The development and testing environment(s) are separate from the production environment

• COBIT 5 BAI07.04 • ISO/IEC 27001:2013 A.12.1.4 • NIST SP 800-53 Rev. 4 CM-2

PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity

• CIS CSC: CSC 3.3 • COBIT 5: BAI03.05.4 • ISA 62443-2-1:2009: 4.3.4.4.4 • ISA 62443-3-3:2013: • ISO/IEC 27001:2013: A.11.2.4 • NIST SP 800-53: SA-10, SI-7

Information Protection Processes and Procedures

(PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management

commitment, and coordination among organizational entities), processes, and procedures are

PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating appropriate security principles (e.g. concept of least functionality)

• CCS CSC 3, 10 • COBIT 5 BAI10.01, BAI10.02, BAI10.03,

BAI10.05 • ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3 • ISA 62443-3-3:2013 SR 7.6 • ISO/IEC 27001:2013 A.12.1.2, A.12.5.1,

A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4

Page 102: 2nd ANNUAL CYBER SECURITY LAW CONFERENCE: … · 2nd ANNUAL CYBER SECURITY LAW CONFERENCE: SAFEGUARDING AGAINST ... Class Action for $1.6 Million. ... fraud in order to give the class

January 10, 2017 Cybersecurity Framework Draft Version 1.1

36

Function Category Subcategory Informative References

maintained and used to manage protection of information systems

and assets.

• NIST SP 800-53 Rev. 4 CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10

PR.IP-2: A System Development Life Cycle to manage systems is implemented

• COBIT 5 APO13.01 • ISA 62443-2-1:2009 4.3.4.3.3 • ISO/IEC 27001:2013 A.6.1.5, A.14.1.1,

A.14.2.1, A.14.2.5 • NIST SP 800-53 Rev. 4 SA-3, SA-4, SA-8, SA-

10, SA-11, SA-12, SA-15, SA-17, PL-8

PR.IP-3: Configuration change control processes are in place

• COBIT 5 BAI06.01, BAI01.06 • ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3 • ISA 62443-3-3:2013 SR 7.6 • ISO/IEC 27001:2013 A.12.1.2, A.12.5.1,

A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4 • NIST SP 800-53 Rev. 4 CM-3, CM-4, SA-10

PR.IP-4: Backups of information are conducted, maintained, and tested periodically

• COBIT 5 APO13.01 • ISA 62443-2-1:2009 4.3.4.3.9 • ISA 62443-3-3:2013 SR 7.3, SR 7.4 • ISO/IEC 27001:2013 A.12.3.1,

A.17.1.2A.17.1.3, A.18.1.3 • NIST SP 800-53 Rev. 4 CP-4, CP-6, CP-9

PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met

• COBIT 5 DSS01.04, DSS05.05 • ISA 62443-2-1:2009 4.3.3.3.1 4.3.3.3.2,

4.3.3.3.3, 4.3.3.3.5, 4.3.3.3.6 • ISO/IEC 27001:2013 A.11.1.4, A.11.2.1,

A.11.2.2, A.11.2.3 • NIST SP 800-53 Rev. 4 PE-10, PE-12, PE-13,

PE-14, PE-15, PE-18

PR.IP-6: Data is destroyed according to policy

• COBIT 5 BAI09.03 • ISA 62443-2-1:2009 4.3.4.4.4 • ISA 62443-3-3:2013 SR 4.2 • ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2,

Page 103: 2nd ANNUAL CYBER SECURITY LAW CONFERENCE: … · 2nd ANNUAL CYBER SECURITY LAW CONFERENCE: SAFEGUARDING AGAINST ... Class Action for $1.6 Million. ... fraud in order to give the class

January 10, 2017 Cybersecurity Framework Draft Version 1.1

37

Function Category Subcategory Informative References

A.11.2.7 • NIST SP 800-53 Rev. 4 MP-6

PR.IP-7: Protection processes are continuously improved

• COBIT 5 APO11.06, DSS04.05 • ISA 62443-2-1:2009 4.4.3.1, 4.4.3.2, 4.4.3.3,

4.4.3.4, 4.4.3.5, 4.4.3.6, 4.4.3.7, 4.4.3.8

• NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-8, PL-2, PM-6

PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties

• ISO/IEC 27001:2013 A.16.1.6 • NIST SP 800-53 Rev. 4 AC-21, CA-7, SI-4

PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed

• COBIT 5 DSS04.03 • ISA 62443-2-1:2009 4.3.2.5.3, 4.3.4.5.1 • ISO/IEC 27001:2013 A.16.1.1, A.17.1.1,

A.17.1.2 • NIST SP 800-53 Rev. 4 CP-2, IR-8

PR.IP-10: Response and recovery plans are tested

• ISA 62443-2-1:2009 4.3.2.5.7, 4.3.4.5.11 • ISA 62443-3-3:2013 SR 3.3 • ISO/IEC 27001:2013 A.17.1.3 • NIST SP 800-53 Rev. 4 CP-4, IR-3, PM-14

PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)

• COBIT 5 APO07.01, APO07.02, APO07.03, APO07.04, APO07.05

• ISA 62443-2-1:2009 4.3.3.2.1, 4.3.3.2.2, 4.3.3.2.3

• ISO/IEC 27001:2013 A.7.1.1, A.7.3.1, A.8.1.4 • NIST SP 800-53 Rev. 4 PS Family

PR.IP-12: A vulnerability management plan is developed and implemented

• ISO/IEC 27001:2013 A.12.6.1, A.18.2.2 • NIST SP 800-53 Rev. 4 RA-3, RA-5, SI-2

Maintenance (PR.MA): Maintenance and repairs of

industrial control and information system components is performed

PR.MA-1: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools

• COBIT 5 BAI09.03 • ISA 62443-2-1:2009 4.3.3.3.7 • ISO/IEC 27001:2013 A.11.1.2, A.11.2.4,

A.11.2.5

Page 104: 2nd ANNUAL CYBER SECURITY LAW CONFERENCE: … · 2nd ANNUAL CYBER SECURITY LAW CONFERENCE: SAFEGUARDING AGAINST ... Class Action for $1.6 Million. ... fraud in order to give the class

January 10, 2017 Cybersecurity Framework Draft Version 1.1

38

Function Category Subcategory Informative References

consistent with policies and procedures.

• NIST SP 800-53 Rev. 4 MA-2, MA-3, MA-5

PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access

• COBIT 5 DSS05.04 • ISA 62443-2-1:2009 4.3.3.6.5, 4.3.3.6.6,

4.3.3.6.7, 4.4.4.6.8 • ISO/IEC 27001:2013 A.11.2.4, A.15.1.1,

A.15.2.1 • NIST SP 800-53 Rev. 4 MA-4

Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related

policies, procedures, and agreements.

PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy

• CCS CSC 14 • COBIT 5 APO11.04 • ISA 62443-2-1:2009 4.3.3.3.9, 4.3.3.5.8,

4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4 • ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10,

SR 2.11, SR 2.12 • ISO/IEC 27001:2013 A.12.4.1, A.12.4.2,

A.12.4.3, A.12.4.4, A.12.7.1 • NIST SP 800-53 Rev. 4 AU Family

PR.PT-2: Removable media is protected and its use restricted according to policy

• COBIT 5 DSS05.02, APO13.01 • ISA 62443-3-3:2013 SR 2.3 • ISO/IEC 27001:2013 A.8.2.2, A.8.2.3, A.8.3.1,

A.8.3.3, A.11.2.9 • NIST SP 800-53 Rev. 4 MP-2, MP-4, MP-5,

MP-7

PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities

• COBIT 5 DSS05.02 • ISA 62443-2-1:2009 4.3.3.5.1, 4.3.3.5.2,

4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4

• ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3,

Page 105: 2nd ANNUAL CYBER SECURITY LAW CONFERENCE: … · 2nd ANNUAL CYBER SECURITY LAW CONFERENCE: SAFEGUARDING AGAINST ... Class Action for $1.6 Million. ... fraud in order to give the class

January 10, 2017 Cybersecurity Framework Draft Version 1.1

39

Function Category Subcategory Informative References

SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7

• ISO/IEC 27001:2013 A.9.1.2 • NIST SP 800-53 Rev. 4 AC-3, CM-7

PR.PT-4: Communications and control networks are protected

• CCS CSC 7 • COBIT 5 DSS05.02, APO13.01 • ISA 62443-3-3:2013 SR 3.1, SR 3.5, SR 3.8,

SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6

• ISO/IEC 27001:2013 A.13.1.1, A.13.2.1 • NIST SP 800-53 Rev. 4 AC-4, AC-17, AC-18,

CP-8, SC-7

PR.PT-5: Systems operate in pre-defined functional states to achieve availability (e.g. under duress, under attack, during recovery, normal operations).

• CIS CSC: • COBIT 5: BAI04.01, BAI04.02, BAI04.03,

BAI04.04, BAI04.05, DSS01.05 • ISA 62443-2-1:2009: 4.3.2.5.2 • ISA 62443-3-3:2013: SR 7.1, SR 7.2 • ISO/IEC 27001:2013: A.17.1.2, A.17.2.1 • NIST SP 800-53: CP-7, CP-8, CP-11, CP-13,

PL-8, SA-14, SC-6

DETECT (DE)

Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood.

DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed

• COBIT 5 DSS03.01 • ISA 62443-2-1:2009 4.4.3.3 • NIST SP 800-53 Rev. 4 AC-4, CA-3, CM-2,

SI-4

DE.AE-2: Detected events are analyzed to understand attack targets and methods

• ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8

• ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1, SR 6.2

• ISO/IEC 27001:2013 A.16.1.1, A.16.1.4 • NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, SI-

4

DE.AE-3: Event data are aggregated and • ISA 62443-3-3:2013 SR 6.1

Page 106: 2nd ANNUAL CYBER SECURITY LAW CONFERENCE: … · 2nd ANNUAL CYBER SECURITY LAW CONFERENCE: SAFEGUARDING AGAINST ... Class Action for $1.6 Million. ... fraud in order to give the class

January 10, 2017 Cybersecurity Framework Draft Version 1.1

40

Function Category Subcategory Informative References

correlated from multiple sources and sensors

• NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, IR-8, SI-4

DE.AE-4: Impact of events is determined • COBIT 5 APO12.06 • NIST SP 800-53 Rev. 4 CP-2, IR-4, RA-3, SI -

4

DE.AE-5: Incident alert thresholds are established

• COBIT 5 APO12.06 • ISA 62443-2-1:2009 4.2.3.10 • NIST SP 800-53 Rev. 4 IR-4, IR-5, IR-8

Security Continuous Monitoring (DE.CM): The

information system and assets are monitored at discrete intervals to identify cybersecurity events and

verify the effectiveness of protective measures.

DE.CM-1: The network is monitored to detect potential cybersecurity events

• CCS CSC 14, 16 • COBIT 5 DSS05.07 • ISA 62443-3-3:2013 SR 6.2 • NIST SP 800-53 Rev. 4 AC-2, AU-12, CA-7,

CM-3, SC-5, SC-7, SI-4

DE.CM-2: The physical environment is monitored to detect potential cybersecurity events

• ISA 62443-2-1:2009 4.3.3.3.8 • NIST SP 800-53 Rev. 4 CA-7, PE-3, PE-6, PE-

20

DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events

• ISA 62443-3-3:2013 SR 6.2 • ISO/IEC 27001:2013 A.12.4.1 • NIST SP 800-53 Rev. 4 AC-2, AU-12, AU-13,

CA-7, CM-10, CM-11

DE.CM-4: Malicious code is detected

• CCS CSC 5 • COBIT 5 DSS05.01 • ISA 62443-2-1:2009 4.3.4.3.8 • ISA 62443-3-3:2013 SR 3.2 • ISO/IEC 27001:2013 A.12.2.1 • NIST SP 800-53 Rev. 4 SI-3

DE.CM-5: Unauthorized mobile code is detected

• ISA 62443-3-3:2013 SR 2.4 • ISO/IEC 27001:2013 A.12.5.1 • NIST SP 800-53 Rev. 4 SC-18, SI-4. SC-44


DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
• COBIT 5 APO07.06
• ISO/IEC 27001:2013 A.14.2.7, A.15.2.1
• NIST SP 800-53 Rev. 4 CA-7, PS-7, SA-4, SA-9, SI-4

DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
• NIST SP 800-53 Rev. 4 AU-12, CA-7, CM-3, CM-8, PE-3, PE-6, PE-20, SI-4

DE.CM-8: Vulnerability scans are performed
• COBIT 5 BAI03.10
• ISA 62443-2-1:2009 4.2.3.1, 4.2.3.7
• ISO/IEC 27001:2013 A.12.6.1
• NIST SP 800-53 Rev. 4 RA-5

Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
• CCS CSC 5
• COBIT 5 DSS05.01
• ISA 62443-2-1:2009 4.4.3.1
• ISO/IEC 27001:2013 A.6.1.1
• NIST SP 800-53 Rev. 4 CA-2, CA-7, PM-14

DE.DP-2: Detection activities comply with all applicable requirements
• ISA 62443-2-1:2009 4.4.3.2
• ISO/IEC 27001:2013 A.18.1.4
• NIST SP 800-53 Rev. 4 CA-2, CA-7, PM-14, SI-4

DE.DP-3: Detection processes are tested
• COBIT 5 APO13.02
• ISA 62443-2-1:2009 4.4.3.2
• ISA 62443-3-3:2013 SR 3.3
• ISO/IEC 27001:2013 A.14.2.8
• NIST SP 800-53 Rev. 4 CA-2, CA-7, PE-3, PM-14, SI-3, SI-4

DE.DP-4: Event detection information is communicated to appropriate parties
• COBIT 5 APO12.06
• ISA 62443-2-1:2009 4.3.4.5.9
• ISA 62443-3-3:2013 SR 6.1
• ISO/IEC 27001:2013 A.16.1.2
• NIST SP 800-53 Rev. 4 AU-6, CA-2, CA-7, RA-5, SI-4

DE.DP-5: Detection processes are continuously improved
• COBIT 5 APO11.06, DSS04.05
• ISA 62443-2-1:2009 4.4.3.4
• ISO/IEC 27001:2013 A.16.1.6
• NIST SP 800-53 Rev. 4 CA-2, CA-7, PL-2, RA-5, SI-4, PM-14


RESPOND (RS)

Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.

RS.RP-1: Response plan is executed during or after an event
• COBIT 5 BAI01.10
• CCS CSC 18
• ISA 62443-2-1:2009 4.3.4.5.1
• ISO/IEC 27001:2013 A.16.1.5
• NIST SP 800-53 Rev. 4 CP-2, CP-10, IR-4, IR-8

Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.

RS.CO-1: Personnel know their roles and order of operations when a response is needed
• ISA 62443-2-1:2009 4.3.4.5.2, 4.3.4.5.3, 4.3.4.5.4
• ISO/IEC 27001:2013 A.6.1.1, A.16.1.1
• NIST SP 800-53 Rev. 4 CP-2, CP-3, IR-3, IR-8

RS.CO-2: Events are reported consistent with established criteria
• ISA 62443-2-1:2009 4.3.4.5.5
• ISO/IEC 27001:2013 A.6.1.3, A.16.1.2
• NIST SP 800-53 Rev. 4 AU-6, IR-6, IR-8

RS.CO-3: Information is shared consistent with response plans
• ISA 62443-2-1:2009 4.3.4.5.2
• ISO/IEC 27001:2013 A.16.1.2
• NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-4, IR-8, PE-6, RA-5, SI-4

RS.CO-4: Coordination with stakeholders occurs consistent with response plans
• ISA 62443-2-1:2009 4.3.4.5.5
• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8

RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
• NIST SP 800-53 Rev. 4 PM-15, SI-5

Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.

RS.AN-1: Notifications from detection systems are investigated
• COBIT 5 DSS02.07
• ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
• ISA 62443-3-3:2013 SR 6.1
• ISO/IEC 27001:2013 A.12.4.1, A.12.4.3, A.16.1.5
• NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, PE-6, SI-4


RS.AN-2: The impact of the incident is understood
• ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
• ISO/IEC 27001:2013 A.16.1.6
• NIST SP 800-53 Rev. 4 CP-2, IR-4

RS.AN-3: Forensics are performed
• ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1
• ISO/IEC 27001:2013 A.16.1.7
• NIST SP 800-53 Rev. 4 AU-7, IR-4

RS.AN-4: Incidents are categorized consistent with response plans
• ISA 62443-2-1:2009 4.3.4.5.6
• ISO/IEC 27001:2013 A.16.1.4
• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-5, IR-8

Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.

RS.MI-1: Incidents are contained
• ISA 62443-2-1:2009 4.3.4.5.6
• ISA 62443-3-3:2013 SR 5.1, SR 5.2, SR 5.4
• ISO/IEC 27001:2013 A.16.1.5
• NIST SP 800-53 Rev. 4 IR-4

RS.MI-2: Incidents are mitigated
• ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.10
• ISO/IEC 27001:2013 A.12.2.1, A.16.1.5
• NIST SP 800-53 Rev. 4 IR-4

RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks
• ISO/IEC 27001:2013 A.12.6.1
• NIST SP 800-53 Rev. 4 CA-7, RA-3, RA-5

Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

RS.IM-1: Response plans incorporate lessons learned
• COBIT 5 BAI01.13
• ISA 62443-2-1:2009 4.3.4.5.10, 4.4.3.4
• ISO/IEC 27001:2013 A.16.1.6
• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8

RS.IM-2: Response strategies are updated
• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8

RECOVER (RC)

Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.

RC.RP-1: Recovery plan is executed during or after an event
• CCS CSC 8
• COBIT 5 DSS02.05, DSS03.04
• ISO/IEC 27001:2013 A.16.1.5
• NIST SP 800-53 Rev. 4 CP-10, IR-4, IR-8

Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.

RC.IM-1: Recovery plans incorporate lessons learned
• COBIT 5 BAI05.07
• ISA 62443-2-1:2009 4.4.3.4
• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8

RC.IM-2: Recovery strategies are updated
• COBIT 5 BAI07.08
• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8

Communications (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.

RC.CO-1: Public relations are managed
• COBIT 5 EDM03.02

RC.CO-2: Reputation after an event is repaired
• COBIT 5 MEA03.02

RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and management teams
• NIST SP 800-53 Rev. 4 CP-2, IR-4

Information regarding Informative References described in Appendix A may be found at the following locations:

• Control Objectives for Information and Related Technology (COBIT): http://www.isaca.org/COBIT/Pages/default.aspx
• Council on CyberSecurity (CCS) Top 20 Critical Security Controls (CSC): http://www.counciloncybersecurity.org
• ANSI/ISA-62443-2-1 (99.02.01)-2009, Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program: https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731
• ANSI/ISA-62443-3-3 (99.03.03)-2013, Security for Industrial Automation and Control Systems: System Security Requirements and Security Levels: https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785
• ISO/IEC 27001, Information technology -- Security techniques -- Information security management systems -- Requirements: http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=54534
• NIST SP 800-53 Rev. 4: NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013 (including updates as of January 15, 2014). http://dx.doi.org/10.6028/NIST.SP.800-53r4


Mappings between the Framework Core Subcategories and the specified sections in the Informative References represent a general correspondence and are not intended to definitively determine whether the specified sections in the Informative References provide the desired Subcategory outcome.


Appendix B: Glossary

This appendix defines selected terms used in the publication.

Buyer The people or organizations that consume a given product or service

Category The subdivision of a Function into groups of cybersecurity outcomes, closely tied to programmatic needs and particular activities. Examples of Categories include “Asset Management,” “Access Control,” and “Detection Processes.”

Critical Infrastructure

Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on cybersecurity, national economic security, national public health or safety, or any combination of those matters.

Cybersecurity The process of protecting information by preventing, detecting, and responding to attacks.

Cybersecurity Event

A cybersecurity change that may have an impact on organizational operations (including mission, capabilities, or reputation).

Detect (function) Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

Framework A risk-based approach to reducing cybersecurity risk composed of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. Also known as the “Cybersecurity Framework.”

Framework Core A set of cybersecurity activities and references that are common across critical infrastructure sectors and are organized around particular outcomes. The Framework Core comprises four types of elements: Functions, Categories, Subcategories, and Informative References.

Framework Implementation Tier

A lens through which to view the characteristics of an organization’s approach to risk—how an organization views cybersecurity risk and the processes in place to manage that risk.

Framework Profile

A representation of the outcomes that a particular system or organization has selected from the Framework Categories and Subcategories.

Function One of the main components of the Framework. Functions provide the highest level of structure for organizing basic cybersecurity activities into Categories and Subcategories. The five functions are Identify, Protect, Detect, Respond, and Recover.

Identify (function) Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

Informative Reference

A specific section of standards, guidelines, and practices common among critical infrastructure sectors that illustrates a method to achieve the outcomes associated with each Subcategory. An example of an Informative Reference is ISO/IEC 27001 Control A.10.8.3, which supports the “Data-in-transit is protected” Subcategory of the “Data Security” Category in the “Protect” function.

Lagging Measurement

A measurement of whether an outcome was fulfilled or not. Since this measure is taken after an outcome is achieved, it cannot be used to guide fulfillment of that outcome.

Leading Measurement

A predictive measurement of whether an outcome is likely or not to be achieved. It may guide future activities to ensure a specific outcome is achieved.

Measures Quantifiable, observable, objective data supporting Metrics. Typically, Measures align with technical controls, such as the Informative References.

Metrics Used to facilitate decision making and improve performance and accountability. Typically, Metrics are higher level, qualitative, and an aggregate of several Measures.

Mobile Code A program (e.g., script, macro, or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and executed with identical semantics.

Non-IT/OT Partner

Product or service providers that do not provide IT or OT to a given organization, but who do affect the security of that organization

Protect (function) Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

Privileged User A user that is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.

Recover (function) Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

Respond (function)

Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

Risk A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.

Risk Management The process of identifying, assessing, and responding to risk.

Subcategory The subdivision of a Category into specific outcomes of technical and/or management activities. Examples of Subcategories include “External information systems are catalogued,” “Data-at-rest is protected,” and “Notifications from detection systems are investigated.”

Supplier Product and service providers used for an organization’s internal purposes (e.g., IT infrastructure) or integrated into the products or services provided to that organization’s Buyers

Appendix C: Acronyms

This appendix defines selected acronyms used in the publication.

CCS Council on CyberSecurity
CIA Confidentiality, Integrity, and Availability
COBIT Control Objectives for Information and Related Technology
CPS Cyber-Physical Systems
DCS Distributed Control System
DHS Department of Homeland Security
EO Executive Order
ICS Industrial Control Systems
IEC International Electrotechnical Commission
IR Interagency Report
ISA International Society of Automation
ISAC Information Sharing and Analysis Center
ISO International Organization for Standardization
IT Information Technology
NIST National Institute of Standards and Technology
OT Operational Technology
PII Personally Identifiable Information
RFI Request for Information
RMP Risk Management Process
SCADA Supervisory Control and Data Acquisition
SCRM Supply Chain Risk Management
SP Special Publication

Appendix D: Errata

Changes to Framework version 1.0 incorporated into NIST Cybersecurity Framework Version 1.1 are displayed in Table 4.

Table 4: Changes in Framework Version 1.1

PAGE(S) CHANGE

N/A Framework version and release date were updated on the title page and in the header/footer

N/A Table of Contents was modified to reflect all the changes relative to this update

p. 6 Section 1.3 ‘Document Overview’ was modified to reflect the additional section and appendix added with this update

p. 7 Figure 1: ‘Framework Core Structure’ was added

p. 9 Section 2.2 ‘Framework Implementation Tiers’ - Paragraph 2 was modified to read: "The Tier selection process considers an organization’s current risk management practices, threat environment, legal and regulatory requirements, information sharing practices, business/mission objectives, cyber supply chain risk management needs, and organizational constraints. Organizations should determine… "

p. 9 Section 2.2 ‘Framework Implementation Tiers’ - Paragraph 3 was modified to include: “However, Tier selection and designation naturally affect Framework Profiles. The risk disposition expressed in a desired Tier should influence prioritization within a Target Profile. Similarly, the organizational state represented in an assessed Tier will indicate the likely findings of an assessed Profile, as well as inform realistic progress in addressing Profile gaps.”

pp. 10-12 Section 2.2 ‘Framework Implementation Tiers’ - An additional property (SCRM) was added to each of the Implementation Tiers

p. 10 Section 2.2 ‘Framework Implementation Tiers’ - Tier 2 ‘Risk Informed’ - Paragraph 2 was modified to include: “Consideration of cybersecurity in mission/business objectives may occur at some levels of the organization, but not at all levels. Cyber risk assessment of organizational assets is not typically repeatable or reoccurring.”


p. 11 Section 2.2 ‘Framework Implementation Tiers’ - Tier 3 ‘Repeatable’ - Paragraph 2 was modified to include: “The organization consistently and accurately monitors cybersecurity risk of organizational assets. Senior cybersecurity and non-cybersecurity executives communicate regularly regarding cybersecurity risk. Senior Executives ensure consideration of cybersecurity through all lines of operation in the organization.”

p. 11 Section 2.2 ‘Framework Implementation Tiers’ - Tier 4 ‘Adaptive’ - Paragraph 2 was modified to include: “The relationship between cybersecurity risk and mission/business objectives is clearly understood and considered when making decisions. Senior Executives monitor cybersecurity risk in the same context as financial risk and other organizational risks. The organizational budget is based on understanding of current and predicted risk environment and future risk appetites. Business units implement executive vision and analyze system level risks in the context of the organizational risk appetite and tolerances.”

p. 12 Section 2.2 ‘Framework Implementation Tiers’ - Tier 4 ‘Adaptive’ - Paragraph 2 was modified to include: “Cybersecurity risk is clearly articulated and understood across all strata of the enterprise. The organization can quickly and efficiently account for changes to business/mission objectives and threat and technology landscapes in the risk disposition and approach.”

p. 13 Figure 2: ‘Notional Information and Decision Flows within an Organization’ was modified to include additional ‘Actions’

p. 14 Section 3.0 ‘How to Use the Framework’ was modified to include the following: “The Framework can be applied in design, build/buy, deploy, operate, and decommission system lifecycle phases. The design phase must account for cybersecurity requirements as a part of a larger multi-disciplinary systems engineering process. A key milestone of the design phase is validation that the system cybersecurity specifications match the needs and risk disposition of the organization as summarized in a Framework Profile. The cybersecurity outcomes prioritized in a Profile must be enacted during either a) development of the system during the build phase or b) purchase or outsourcing of the system during the buy phase. In the system deploy phase, the cybersecurity features of the system should be assessed to verify the design was enacted. The cybersecurity outcomes of Framework then serve as a basis for on-going operation of the system, including occasional re-assessment to verify cybersecurity requirements are still fulfilled. Owed to an inevitable Web of dependencies amongst systems, Framework outcomes must be carefully considered as one or more systems are decommissioned.”


p. 15 Section 3.2 ‘Establishing or Improving a Cybersecurity Program’ - Step 1: ‘Prioritize and Scope’ was modified to include: “Implementation Tiers may be used to express varying risk tolerances.”

p. 15 Section 3.2 ‘Establishing or Improving a Cybersecurity Program’ - Step 2: ‘Orient’ was modified to now read as follows: “Once the scope of the cybersecurity program has been determined for the business line or process, the organization identifies related systems and assets, regulatory requirements, and overall risk approach. The organization then consults sources to identify threats and vulnerabilities applicable to those systems and assets.”

p. 15 Section 3.2 ‘Establishing or Improving a Cybersecurity Program’ - Step 3: ‘Create a Current Profile’ was modified to include: “If an outcome is partially achieved, noting this fact will help support subsequent steps.”

p. 15 Section 3.2 ‘Establishing or Improving a Cybersecurity Program’ - Step 4: ‘Conduct a Risk Assessment’ was modified to now read as follows: “This assessment could be guided by the organization’s overall risk management process or previous risk assessment activities. The organization analyzes the operational environment in order to discern the likelihood of a cybersecurity event and the impact that the event could have on the organization. It is important that organizations identify emerging risks and use cyber threat information from both internal and external sources to gain a better understanding of the likelihood and impact of cybersecurity events.”

pp. 15-16 Section 3.2 ‘Establishing or Improving a Cybersecurity Program’ - Step 5: ‘Create a Target Profile’ was modified to include: “When used in conjunction with an Implementation Tier, characteristics of the Tier level should be reflected in the desired cybersecurity outcomes.”

p. 16 Section 3.2 ‘Establishing or Improving a Cybersecurity Program’ - Step 6: ‘Determine, Analyze, and Prioritize Gaps’ was modified to now read as follows: “The organization compares the Current Profile and the Target Profile to determine gaps. Next, it creates a prioritized action plan to address those gaps drawing upon mission drivers, a cost/benefit analysis, and risk understanding to achieve the outcomes in the Target Profile. The organization then determines resources necessary to address the gaps. Using Profiles in this manner enables the organization to make informed decisions about cybersecurity activities, supports risk management, and enables the organization to perform cost-effective, targeted improvements.”


pp. 16-18 Section 3.3 ‘Communicating Cybersecurity Requirement with Stakeholders’ was modified to include Supply Chain Risk Management.

p. 17 Figure 3: ‘Cyber Supply Chain Relationships’ was added

p. 18 Section 3.4 ‘Buying Decisions’ was added

p. 18 Section 3.5 ‘Identifying Opportunities for New or Revised Informative References’ (previously Section 3.4) was moved to accommodate an additional section.

p. 18 Section 3.6 ‘Methodology to Protect Privacy and Civil Liberties’ (previously Section 3.5) was moved to accommodate an additional section.

p. 19 Section 3.6 ‘Methodology to Protect Privacy and Civil Liberties’ - a portion of this section was modified to now read as follows: “Privacy and cybersecurity have a strong nexus. It is well-recognized that cybersecurity plays an important role in protecting individuals’ privacy; for example, with respect to the confidentiality of assets containing personal information. Nonetheless, an organization’s cybersecurity activities also can create risks to privacy and civil liberties when personal information is used, collected, processed, maintained, or disclosed in connection with an organization’s cybersecurity activities. Some examples of activities that bear privacy or civil liberties considerations may include: cybersecurity activities that result in the over-collection or over-retention of personal information; disclosure or use of personal information unrelated to cybersecurity activities; cybersecurity mitigation activities that result in denial of service or other similar potentially adverse impacts, including activities such as some types of incident detection or monitoring that may impact freedom of expression or association.”

p. 20 Section 3.7 ‘Federal Alignment’ was added

p. 21 Section 4.0 ‘Measuring and Demonstrating Cybersecurity’ was added

pp. 21-22 Section 4.1 ‘Correlation to Business Results’ was added

pp. 23-24 Section 4.2 ‘Types of Cybersecurity Measurement’ was added

p. 23 Table 1: ‘Types of Framework Measurement’ was added

p. 26 Table 2: ‘Function and Category Unique Identifiers’ (previously Table 1) was moved to accommodate an additional table.

p. 26 Table 2: ‘Function and Category Unique Identifiers’ was updated to include an additional Category (ID.SC) Supply Chain Risk Management


p. 27 Table 3: ‘Framework Core’ (previously Table 2) was moved to accommodate an additional table.

p. 27 Appendix A: ‘Framework Core’ - Subcategory ID.AM-5 was modified to now read as follows: "Resources (e.g., hardware, devices, data, time, and software) are prioritized based on their classification, criticality, and business value"

p. 28 Appendix A: ‘Framework Core’ - Subcategory ID.BE-5 was modified to now read as follows: “Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)”

p. 28 Appendix A: ‘Framework Core’ - Subcategory ID.GV-1 - Informative Reference was added ‘CSC(V6) 19.2’

p. 29 Appendix A: ‘Framework Core’ - Subcategory ID.RA-2 was modified to now read as follows: “Cyber threat intelligence and vulnerability information is received from information sharing forums and sources”

p. 30 Appendix A: ‘Framework Core’ - Subcategory ID.RA-6 - Informative Reference was added ‘CSC(V6) 4.8’

pp. 30-32 Appendix A: ‘Framework Core’ - Category ID.SC: ‘Supply Chain Risk Management’ and subsequent Subcategories (ID.SC-1, ID.SC-2, ID.SC-3, ID.SC-4, ID.SC-5) and Informative References were added

p. 32 Appendix A: ‘Framework Core’ - Category PR.AC: ‘Access Control’ was retitled to “Identity Management, Authentication and Access Control” and now reads: “Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.”

p. 32 Appendix A: ‘Framework Core’ - Subcategory PR.AC-1 was modified to now read as follows: “Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes”

p. 32 Appendix A: ‘Framework Core’ - Subcategory PR.AC-4 was modified to now read as follows: “Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties”


p. 33 Appendix A: ‘Framework Core’ - Subcategory PR.AC-6 and subsequent Informative References were added

p. 35 Appendix A: ‘Framework Core’ - Subcategory PR.DS-8 and subsequent Informative References were added

p. 35 Appendix A: ‘Framework Core’ - Subcategory PR.IP-1 was modified to now read as follows: “A baseline configuration of information technology/industrial control systems is created and maintained incorporating appropriate security principles (e.g. concept of least functionality)”

p. 38 Appendix A: ‘Framework Core’ - Subcategory PR.PT-3 was modified to now read as follows: “The principle of least functionality is incorporated by configuring systems to provide only essential capabilities”

p. 39 Appendix A: ‘Framework Core’ - Subcategory PR.PT-5 and subsequent Informative References were added

p. 47 Appendix B: ‘Glossary’ - was modified to include the term ‘Buyer’ with the definition: “The people or organizations that consume a given product or service”

p. 48 Appendix B: ‘Glossary’ - was modified to include the term ‘Lagging Measurement’ with the definition: “A measurement of whether an outcome was fulfilled or not”

p. 48 Appendix B: ‘Glossary’ - was modified to include the term ‘Leading Measurement’ with the definition: “A predictive measurement that may guide future activities to achieve a specific outcome”

p. 48 Appendix B: ‘Glossary’ - was modified to include the term ‘Measures’ with the definition: “Quantifiable, observable, objective data supporting Metrics. Typically, Measures align with technical controls, such as the Informative References.”

p. 48 Appendix B: ‘Glossary’ - was modified to include the term ‘Metrics’ with the definition: “Used to facilitate decision making and improve performance and accountability. Typically, Metrics are higher level, qualitative, and an aggregate of several Measures.”

p. 48 Appendix B: ‘Glossary’ - was modified to include the term ‘Non-IT/OT Partner’ with the definition: “Product or service providers that do not provide IT or OT to a given organization, but who do affect the security of that organization.”

p. 49 Appendix B: ‘Glossary’ - was modified to include the term ‘Supplier’ with the definition: “Product and service providers used for an organization’s internal purposes (e.g., IT infrastructure) or integrated into the products or services provided to that organization’s Buyers.”

p. 50 Appendix C: ‘Acronyms’ - was modified to include CPS - Cyber-Physical Systems

p. 50 Appendix C: ‘Acronyms’ - was modified to include OT - Operational Technology

p. 50 Appendix C: ‘Acronyms’ - was modified to include PII - Personally Identifiable Information

p. 50 Appendix C: ‘Acronyms’ - was modified to include SCRM - Supply Chain Risk Management


Newark New York Trenton Philadelphia Wilmington

New Jersey State Bar Association

Second Annual Cybersecurity Law Conference

Panel IV: Protecting Against The Risk For Your Practice and Clients

Moderator

Robert D. Chesler, Esq.

Panelists:

Korin Neff, Esq.

Marc Schein

John T. Wolak, Esq.

Insurance Coverage for Cyber Risks

Insurance coverage may be available under various commercial insurance policies –

✓ Directors and Officers (D&O)

✓ Errors and Omissions (E&O) / Professional Liability

✓ Property

✓ Crime / Theft

✓ Commercial General Liability (CGL)

✓ Cyber Liability Policies

Cyber Insurance Market

I. Post-Loss Liability Coverage

✓ Network and Privacy Liability

✓ Crisis Management

✓ Regulatory Liability

✓ Technology Products / Services E&O

II. Time Element Coverage

✓ Business Income Loss and Extra Expense

✓ System Failure

III. Theft of Property Coverage

✓ Information Asset and Data Restoration

✓ Extortion

Cyber Coverage Considerations

✓ Paper records and e-data?

✓ Data with Cloud providers?

✓ Rogue employees?

✓ Credit card data and transactions?

✓ Privacy laws/regulations?

✓ Confidential corporate data?

✓ Acts, errors, or omissions of third parties?

✓ Fines and Penalties?

✓ Sublimits?

Cyber Policy Terms, Conditions, and “Hidden” Exclusions

✓ System maintenance requirements

✓ Notice Requirements

✓ Duty of Confidentiality

✓ Mergers / acquisitions / joint ventures / partnerships

✓ Definitions – e.g., “Computer Systems”, “Insureds”, “Confidential Information”

✓ Pre-approval – Defense costs / Breach response services

✓ Retroactive date

✓ Waiting period

✓ Dispute Resolution clauses

✓ Breach Response Providers

Disputes involving coverage for “Cyber losses”

Columbia Cas. Co. v. Cottage Health Systems, 2015 U.S. Dist. LEXIS 93456 (C.D. Ca. July 17, 2015)

✓ Columbia issued a cyber-insurance policy to Cottage Health with an exclusion for “Failure to Follow Minimum Required Practices” that excluded coverage: for any loss based upon, directly or indirectly arising out of, or in any way involving … any failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application … and all related information submitted … in conjunction with such application …

✓ Cottage suffered a breach that exposed 32,500 patient records, and ultimately agreed to a $4.124 million class settlement.

✓ Columbia sought a DJ of no coverage alleging that (1) Cottage Health provided false responses to the security-related questions in the application, and (2) the exclusion for “Failure to Follow Minimum Required Practices” applied to preclude all coverage under the Policy.

✓ Columbia’s Complaint was dismissed without prejudice pending the completion of an ADR procedure provided in the policy

Disputes involving coverage for “Cyber losses”

BitPay, Inc. v. Mass. Bay Ins. Co., Civ. Action No. 15-3238 (N.D. Ga.)

✓ BitPay’s CFO was the victim of a spearphishing attack resulting in the transfer of 3,000 bitcoins (valued at $1.85 M) to a bitcoin wallet to which the hacker had access

✓ Policy covered “loss of or damage to ‘money’ … resulting directly from the use of any computer to fraudulently cause a transfer of that property” from inside the “premises” to a person or place “outside those ‘premises’”

✓ Mass Bay denied claim, asserting:

• “resulting directly from” means without any intervening step (i.e., without any intruding or diverting factor)

• “fraudulently causing a transfer” is different than “causing a fraudulent transfer”

• “Premises” refers to physical premises, not to a transaction that occurs only in virtual space

Disputes involving coverage for “Cyber losses”

Medidata Solutions v. Federal Ins. Co., Civ. No. 15-00907 (S.D.N.Y.)

✓ Medidata employee was tricked into wiring $4.8 million into an overseas account in China

✓ Federal policy provides coverage for computer fraud, funds transfer fraud, forgery coverage

✓ Insurer argues that “the policy provides coverage against involuntary transfers effected by hackers, forgers and imposters, not voluntary transfers effected by authorized signatories”, and there has been no manipulation of the insured’s computers

✓ Medidata argues that the fraudulent scheme was accomplished by changing code on the computer system to alter employee email addresses, pictures and signatures

Disputes involving coverage for “Cyber losses”

P.F. Chang’s v. Federal Insurance Co., 2016 U.S. Dist. LEXIS 70749 (D. Az. May 31, 2016)

✓ Hackers obtain 60,000 credit card numbers of P.F. Chang’s customers

✓ Under CyberSecurity policy, Federal reimburses over $1.7 million of costs incurred by P.F. Chang’s as a result of the breach

✓ Federal denies coverage for “assessments” of an additional $2 million assumed by P.F. Chang’s under Services Agreement with payment processor

✓ Court concludes that coverage is not available based upon the terms of policy Insuring Agreements and various applicable exclusions, including the Contract Exclusion

Disputes involving coverage for “Cyber losses”

Nat’l Fire Ins. Co. of Hartford v. E. Mishan & Sons, Inc., 2016 WL 3079958 (2d Cir. June 1, 2016)

✓ Emson had been sued in two separate class actions alleging violations of the TCPA, various state consumer protection statutes, breach of contract and unjust enrichment.

✓ The insurers sought a declaratory judgment that they had no duty to defend by virtue of the exclusion for knowing and intentional conduct.

✓ The Second Circuit reversed the trial court, finding that the unjust enrichment claim did not require a showing of intent or knowledge that its actions would violate the rights of another and inflict injury.

Disputes involving coverage for “Cyber losses”

Pestmaster Servs. v. Travelers Cas. & Sur., 2016 U.S. App. Lexis 13829 (9th Cir. July 29, 2016), aff'g, 2014 U.S. Dist. Lexis 108416 (C.D. Ca. July 17, 2014)

✓ Payroll processor for Pestmaster used its funds to pay personal expenses, ultimately leaving Pestmaster indebted to the Internal Revenue Service for payroll taxes; Pestmaster sought coverage under various provisions of its Crime Policy

✓ "Funds Transfer Fraud" covers transfers which “purport[] to have been transmitted by you, but was in fact fraudulently transmitted by someone other than you without your knowledge or consent”

✓ “Computer Fraud” covers loss from "[t]he use of any computer to fraudulently cause a transfer of Money, Securities or Other Property"

✓ The 9th Circuit adopted the rationale of the district court that the Funds Transfer Fraud provision “does not cover authorized or valid electronic transactions ... even though they are, or may be, associated with a fraudulent scheme”

✓ The Court also interprets the phrase “fraudulently cause a transfer” to require an unauthorized transfer of funds; all the transfers at issue were authorized by Pestmaster and there was no suggestion that the payroll processor was an unauthorized user or hacker who gained access to Pestmaster’s computer system

Disputes involving coverage for “Cyber losses”

Principle Solutions Group, LLC v. Ironshore Indem., Inc., Civ. Action No. 15-4130 (N.D. Ga. August 30, 2016)

✓ Principle’s Controller received a spearphishing email that resulted in approval of a wire transfer of $1.7 million to a bank account in China

✓ Policy covered “loss resulting directly from a ‘fraudulent instruction’ directing a ‘financial institution’ to … transfer, pay or deliver ‘money or securities’” from the insured’s account

✓ Court concludes that the phrase “resulting directly from” is ambiguous, and must be construed in favor of the insured, and therefore grants judgment in favor of coverage

✓ Court also dismisses bad faith claim because the “issue of liability was close” and it “was not ‘unreasonable’ or ‘unfounded’ for [the insurer] to deny coverage here and wait for this Court to determine the coverage required by the contract”

Disputes involving coverage for “Cyber losses”

Apache Corp. v. Great Am. Ins. Co., 2016 U.S. App. LEXIS 18748 (5th Cir. Oct. 18, 2016)

✓ Computer fraud policy provides coverage for “loss … resulting directly from the use of any computer to fraudulently cause a transfer … ”

✓ Apache sought coverage for loss of over $2.4 million wired in payment of legitimate invoices but made to criminals’ bank account

✓ GAIC denied claim asserting that the “loss did not result directly from the use of a computer nor did the use of a computer cause the transfer of funds”

✓ Fifth Circuit reversed trial court, concluding that the loss did not result directly from the use of a computer and the emails containing fraudulent instructions were merely incidental to the authorized transfer of funds

✓ Court repeatedly notes Apache’s failure to properly verify the change request and concludes that the transfer “was made to the fraudulent account only because, after receiving the email, Apache failed to investigate accurately the new, but fraudulent, information provided to it”

Disputes involving coverage for “Cyber losses”

Camp's Grocery, Inc. v. State Farm Fire & Cas., 2016 U.S. Dist. LEXIS 147361 (N.D. Ala. Oct. 25, 2016)

• Camp's computer network was hacked, compromising the confidential data of its customers, including credit card, debit card, and check card information. Camp’s was sued by several Credit Unions for damages as a result of reissuance of credit cards, reimbursement for fraud losses, lost interest and transaction fees, and administrative and other expenses

• Camp’s sought coverage for defense costs and indemnity in the underlying action based on Inland Marine coverage for (1) the accidental direct physical loss to computer equipment and data storage media; (2) accidental direct loss to computer programs and electronic data

• The court found that first party coverage of policy does not impose a duty to defend or indemnify the insured for losses suffered by others

• There was no physical harm or damage to any cards as tangible property; the damage was to the intangible electronic data contained on the cards, and the loss of electronic data was specifically excluded

• The Inland Marine endorsements are properly read as expanding or otherwise modifying not the third-party liability insurance but rather the first-party property insurance coverage

Disputes involving coverage for “Cyber losses”

RVST Holdings, LLC v. Main St. Am. Assurance Co., 137 A.D.3d 1196 (N.Y. App. Div. 3d Dept. 2016)

✓ Court found no coverage for a data breach under a Business Owner’s policy containing an electronic data exclusion.

✓ The insurers relied on policy language that defined “property damage” as “physical injury to tangible property” and further provided that “electronic data is not tangible property.” Also, the policy specifically excluded “damages arising out of the loss of … electronic data.”

✓ The court also ruled that the separate section of the policy providing coverage for property damage consisting of “direct physical loss of or damage to” the insured’s own property did not apply to third-party claims.

Disputes involving coverage for “Cyber losses”

LifeLock, Inc. v. Certain Underwriters at Lloyd’s, 2017 WL 161045 (N.Y. App. Div. Jan. 17, 2017)

✓ The First Department affirmed the dismissal of claims under an Information Security, Privacy Liability, First Party Data Protection and Network Business Interruption Insurance Policy.

✓ Class actions had been filed asserting that LifeLock engaged in fraudulent and deceptive sales practices.

✓ Retroactive Date Exclusion precluded coverage for “related or continuing acts … where the first such act … was committed or occurred prior to the Retroactive Date” of January 8, 2008.

✓ The court concluded that there was a pattern of false and misleading advertising beginning in 2005, so the exclusion applied.

✓ The court also concluded that the claims fell within the Exclusion for Unfair Trade Practices.

Disputes involving coverage for “Cyber losses”

Taylor & Lieberman v. Federal Ins. Co., 2017 WL 929211 (9th Cir. Mar. 9, 2017)

✓ Forgery coverage part applied to “forgery or alteration of a financial instrument,” and the court found that the fraudulent emails were not financial instruments.

✓ Sending an email does not constitute unauthorized entry into a system, and the policy was designed to cover matters like the unauthorized entry and introduction of malicious code.

✓ Funds Transfer Fraud coverage encompassed “fraudulent … electronic … instructions without the insured’s knowledge or consent”, which the court concluded was inapplicable because the insured knew about the transfers and in fact had requested them.

Disputes involving coverage for “Cyber losses”

InComm Holdings, Inc. v. Great American Ins. Co., Case No. 1:15-cv-2671 (D. Ga. March 16, 2017)

✓ Computer Fraud coverage insures against “loss of … money … resulting directly from the use of any computer to fraudulently cause a transfer …”

✓ The court found that there was no coverage under the policy because the wrongdoers did not actually use a computer to make the fraudulent redemptions – the fact that a computer was involved does not establish that the wrongdoer ‘used’ a computer to cause a loss

✓ The “loss” did not occur until the funds held by the banks were used to pay sellers for purchases made by the wrongdoers.

✓ InComm itself chose to make transfers to the banks, and it was that decision that resulted “directly” in the loss.

Disputes involving coverage for “Cyber losses”

Moses Afonso Ryan Ltd. v. Sentinel Insurance Co., Ltd., Dkt No. 17-157 (D.R.I. April 21, 2017)

✓ Law firm suffered a ransomware attack and paid $25,000 to unlock its computer system, which had been encrypted for 3 months, resulting in a $700,000 reduction in revenue

✓ Complaint alleges that the policy specifically covers “business income interruptions” for 12 months of actual loss sustained.

✓ Sentinel claims its coverage obligation under the policy is limited to $20,000 under the Computers and Media coverage and the Computer Fraud coverage - $10,000 per coverage

Questions ???

6/8/2017

PART 1: Understanding The Risks: Qualifying & Quantifying A Breach

PART 2: Data Breach Costs & Risk Transfer

Marc D. Schein, CIC, CLCS, RIM Council Board Member, Ponemon Institute

2015 - Appointed to the Claims & Litigation Management Alliance’s Cyber Committee

2014 - Appointed a Member of the Ponemon Institute’s RIM Council

2011 – Received Commercial Lines Coverage Specialist Designation

2014 – Received Certified Insurance Counselor Designation

31% of all cyber attacks occur at companies with fewer than 250 employees

75% of all breaches are a result of human error

What Types of Data Are Most Often Compromised?

Phishing/Social Engineering

Ransomware

Average cost post-breach is: $221 per record

For larger companies the average cost is: $7.01M

Part 2: Data Breach Costs

Costs & Legal Responsibilities Associated with a Breach

Forensics to Determine Cause

Fines & Penalties

Notification Requirements

• State Attorney General & Clients

Legal Advice

Notice Requirements

• Providing Notice

Notice Requirements

• Call Center for Inquiries

• Credit Monitoring

Public Relations and Crisis Management Coaching

Third Party Claims: Consumers

Third Party Claims: Banks

Third Party Claims: Regulators

Business Interruption

Contractual Transfer: Are They Helpful?

INSURANCE

Cyber Liability Policies: Exclusions & Conditions

10 TIPS FOR NEGOTIATING CYBER INSURANCE FROM A POSITION OF POWER

1. Honest insurance applications.

2. Retro dates.

3. Wild Wild West !! Look at policy structure: coverage triggers, reimbursement vs. indemnification.

4. Symmetry with other insurance (e.g., CGL and Property Insurance).

CYBER INSURANCE

5. Endorsements can broaden coverage for needs pertaining to cloud providers and third-party vendors, as well as other data outside of the network or premises.

6. If you accept payment cards, PCI issues and card brand fines and penalties.

7. Sub-limits should include voluntary parting of funds, social engineering, and cyber extortion.

8. Beware of exclusions for breach of contract, unencrypted mobile devices, and conduct.

9. Beware conditions on “reasonable” cyber security measures; and

10. Business interruption coverage.

H A C K E D

Thank You!

Marc D. Schein, CIC, CLCS, RIM Council Board Member, Ponemon Institute | +1 516-395-8504 | [email protected]


Luis J. Diaz is the Director of Intellectual Property and Chief Diversity Officer of Gibbons PC in Newark, New Jersey. He has more than 20 years of experience in a wide range of complex matters, including intellectual property law, technology-related joint ventures and strategic alliances, mergers and acquisitions, sales and marketing, and government relations. Mr. Diaz focuses his practice in advice and transactions relating to technology, e-commerce, privacy and data security, and cloud computing, and represents foreign corporations from Spain, Central America, and South America in the United States. As Gibbons’ Chief Diversity Officer, he manages all aspects of the Gibbons Diversity Initiative (GDI), including the implementation and execution of a highly innovative diversity strategy that leverages all of the firm’s existing resources while enhancing the ability of the firm’s clients to meet their objectives in this area. Admitted to practice in New Jersey and Arizona, Mr. Diaz is a Trustee of the New Jersey State Bar Association and has served as Vice-Chair of the Association’s Judicial and Prosecutorial Appointments Committee and Chair of the Diversity Committee’s Strategic Planning Subcommittee. He has been a member of the American and Arizona Bar Associations, the New Jersey Hispanic Bar Association’s Judicial and Prosecutorial Appointments Committee, the International Association of Privacy Professionals, the American Intellectual Property Law Association and the Board of Trustees of Leadership New Jersey. The author and co-author of articles which have appeared in IP Law Alert, Law 360 and other professional publications, Mr. Diaz has lectured for ICLE, bar associations and other organizations. He was selected as a 2015 “Diverse Attorney of the Year” by the New Jersey Law Journal. Mr. Diaz received his B.S. from Cook College, Rutgers University, and his J.D. from Rutgers University School of Law-Newark.

Lieutenant John Gorman is the Assistant Bureau Chief of the New Jersey State Police High Tech Crime Bureau. He oversees statewide and interstate computer crime investigations and is a subject matter expert on several national committees that steer policy and promote collaboration on cyber investigative and intelligence efforts. He completed a six month fellowship with the FBI at the National Cyber Investigative Joint Task Force in Washington, D.C., where he took part in national efforts to identify, pursue, and defeat cyber threats against the United States. He holds a Bachelor of Science in Accounting from Rider University.

Brett R. Harris, a business, nonprofit and technology attorney, is a Shareholder in Wilentz, Goldman & Spitzer, P.A., with offices in Woodbridge and Eatontown, New Jersey; New York City; and Philadelphia, PA. Her broad-based general corporate practice includes transactional matters and client counseling, mergers and acquisitions, document drafting and negotiation, regulatory compliance and policy development. Ms. Harris has a particular focus on counseling non-profit organizations including entity formation, establishing and maintaining tax-exempt status, and complying with fundraising regulations. She counsels boards on governance, mission statement development and strategic planning, and advises clients on structuring and operating foundations and charitable trusts, including grantmaking due diligence and the administration of grant agreements. She has also developed a practice with an emphasis on technology issues including cyber security and social media policies, and handles intellectual property matters including licensing, trademarks and copyrights. Ms. Harris is General Counsel to the New Jersey Women Lawyers Association and serves on the Executive Board of the organization. A member of the New Jersey State Bar Association, she is Secretary of the Business Law Section, Past Chair of the Association’s Internet and Computer Law Committee and a member of the Board of Trustees of the Women in the Profession Section. She serves on the Board of Directors of the Business Law Section and is Vice Chair of Communications of that Section. Ms. Harris is also a member of the NJSBA Intellectual Property and Privacy Law Committees, and the American and Middlesex County Bar Associations. She is involved in several business organizations, and serves on the Steering Committee of the Technology for Business Roundtable of the Commerce and Industry Association of New Jersey and the Women of Leadership Committee of the Association for Corporate Growth, New Jersey. Ms. Harris is a member of the Legal Working Group for the Center for Non-Profits, the Rutgers Institute for Ethical Leadership and the New Jersey Chapter of the Association of Fundraising Professionals. In 2014 she was appointed as the New Jersey State Bar Association designee to the New Jersey Supreme Court Working Group on Ethical Issues Involving Metadata. The recipient of several honors and recognitions, including NJBIZ Best 50 Women in Business in 2012, Ms. Harris lectures regularly on nonprofit law, transactional matters and legal issues related to technology for ICLE and other professional organizations. She has contributed to several books, including the Desk Reference Manual for Nonprofit and Social Service Organizations, and her articles have appeared in New Jersey Lawyer Magazine, the New Jersey Law Journal, The Computer & Internet Lawyer and other publications. Ms. Harris is also active on Twitter, tweeting @BrettHarrisEsq on business and nonprofit matters, technology law and issues of interest to professional women. Ms. Harris received her B.A., cum laude, from Washington and Jefferson College and her J.D. from New York University School of Law, where she served as the Executive Editor of the New York University Review of Law and Social Change.


AAG Christine A. Hoffman is a Deputy Director of the New Jersey Division of Criminal Justice supervising statewide investigation and prosecution of white collar crimes, including computer crimes. AAG Hoffman previously served as former Chief of the Division's Corruption Bureau, Deputy Chief of the Division's Major Crimes Bureau, and Assistant Prosecutor with the Burlington County Prosecutor's Office. AAG Hoffman is also a faculty member of the New Jersey Attorney General's Advocacy Institute, National Attorneys General Training and Research Institute, and an adjunct law professor for Rutgers Law School.


Newark New York Trenton Philadelphia Wilmington www.gibbonslaw.com

www.gibbonslaw.com

Michael R. McDonald

Newark: One Gateway Center, Newark, New Jersey 07102-5310

[email protected] P: 973-596-4827 | F: 973-639-6295

Services: Business & Commercial Litigation; Products Liability; Class Action Defense

Industries: German Practice

OVERVIEW Mr. McDonald leads the firm’s Consumer Class Action Defense Team, which the New Jersey Law Journal named the “Class Action Litigation Department of the Year” for 2017. He represents businesses in a broad range of unfair business practice/consumer class actions and complex commercial disputes. He is recognized for his work in connection with consumer protection and advertising laws, and he uses his experience to achieve cost-effective, efficient results for his clients through the early and strategic use of motions to dispose of cases or by positioning them for favorable settlements. Mr. McDonald has repeatedly been selected for inclusion on the New Jersey Super Lawyers list, Best Lawyers®, and Chambers USA Guide to America's Leading Lawyers for Business publications.

Mr. McDonald has extensive experience in complex litigation including consumer fraud and consumer product related class action lawsuits, asserting claims under the New Jersey Consumer Fraud Act, California consumer protection statutes, New York General Business Law, Magnuson-Moss Warranty Act, Uniform Commercial Code, False Claims Act, California Secret Warranty law, California Song-Beverly Consumer Warranty Act, New Jersey Product Liability Act, New Jersey Truth in Consumer Contract Warranty & Notice Act, the Telephone Consumer Protection Act, the Fair and Accurate Credit Transactions Act, and New Jersey Gift Card Act, as well as toxic tort matters.

FOCUS AREA(S)

Class Action Litigation

• Defense of automobile manufacturers in class actions arising out of alleged product defects or failure to honor warranties.

• Defense of manufacturers and suppliers of dietary supplements, food products, pharmaceuticals, and medical devices.

• Defense of suppliers of natural wood shingles in class action litigation.

• Defense of rent-to-own companies in defense of contracts and compliance with applicable retail installment sales laws.

• Defense of publishers and other companies in a wide array of industries for alleged violations of Telephone Consumer Protection Act and related junk fax and robo-call laws.

Director, Business & Commercial Litigation


• Defense of manufacturers of consumer products (printers, cameras, consumer electronics, and cosmetics, among others) in class actions arising out of alleged product defects or failure to honor warranties.

• Defense of manufacturers in environmental class actions.

• Defense of businesses in False Claims Act litigation.

EXPERIENCE Recent Representative Matters:

• Defense of distributor of ink jet printers in purported nationwide New Jersey Consumer Fraud Act (NJCFA) class action and decision from Third Circuit impeding future nationwide class actions under NJCFA.

• Counseling on arbitration agreements in commercial and consumer contexts, including class action waivers.

• Defense of manufacturer of digital camera in nationwide consumer fraud class action.

• Defense of wholesale drug distributor in nationwide class action arising out of distribution of counterfeit pharmaceutical drug.

• Defense of seller of vehicle service contract in nationwide consumer fraud class action.

• Defense of medical device manufacturer in nationwide consumer fraud class action.

• Defense of distributor of cosmetics in nationwide consumer fraud class action involving allegations of lead in lipstick.

• Defense of healthcare insurer in class action involving alleged improper denial of claims for eating disorders.

• Defense of nationwide class actions involving claims that transmission of pre-recorded telephone calls violated the Telephone Consumer Protection Act (TCPA).

• Defense of nationwide class actions involving claims that transmission of unsolicited facsimile advertisements violated the TCPA.

• Defense of internet seller of gift certificates in class action involving Truth in Consumer Contract Warranty and Notice Act (TCCWNA), NJCFA, and Gift Card Act (GCA).

• Defense of rent-to-own company in class action under NJCFA and TCCWNA.

• Defense of accounting firm in securities class action.

• Defense of business sued in nationwide class action for receipt violations under Fair and Accurate Credit Transactions Act (FACTA).

• Defense of manufacturer of printing press control system in commercial dispute seeking remedies under the Uniform Commercial Code.


• Oral Arguments in Third Circuit Court of Appeals and New Jersey Supreme Court.

• Mediation/arbitration.

Representative Cases:

Stern, et al. v. Maibec Inc., Civil Action No. 11-03951 (PGS) (TJB), Opinion Denying Motion for Class Certification (D.N.J. March 27, 2017)

Hoffman v. Nordic Naturals, Inc., 837 F.3d 272 (3d Cir. N.J. 2016)

Luppino, et al. v. Mercedes-Benz USA, LLC, Civil Action No. 09-05582 (JLL) (JAD), Opinion Granting Defendant’s Motion for Summary Judgment and Denying Plaintiffs’ Partial Motion for Summary Judgment (D.N.J. August 10, 2016)

Dicuio v. Brother Int'l Corp., 2016 U.S. App. LEXIS 11869 (3d Cir. N.J. June 29, 2016)

Walters v. Dream Cars Nat'l, LLC, 2016 N.J. Super. Unpub. LEXIS 498 (Law Div. Mar. 7, 2016)

Luppino, et al. v. Mercedes-Benz USA, LLC, Civil Action No. 09-05582 (JLL) (JAD), Opinion Denying Motion for Class Certification (D.N.J. December 22, 2015)

Luppino, et al. v. Mercedes-Benz USA, LLC, Civil Action No. 09-05582 (JLL) (JAD), Opinion Denying in Part Motion to Exclude Experts (D.N.J. June 29, 2015)

Bohus v. Restaurant.com, Inc., 784 F.3d 918 (3d Cir. N.J. 2015)

Hoffman v. Nordic Naturals, Inc., 2015 U.S. Dist. LEXIS 4439 (D.N.J. Jan. 14, 2015)

Hoffman, et al v. Paradise Herbs & Essentials, Inc., et al., Superior Court of New Jersey, Essex County, Law Division, Docket No. BER-L-2538-14

Shelton v. Restaurant.com, 2014 U.S. Dist. LEXIS 93731 (D.N.J. July 10, 2014)

Hoffman v. Natural Factors Nutritional Products Inc., 2014 U.S. Dist. LEXIS 86798 (D.N.J. June 26, 2014)

Hoffman v. DSE Healthcare Solutions, 2014 U.S. Dist. LEXIS 69569 (D.N.J. May 21, 2014)

Hoffman v. Nordic Naturals, Inc., 2014 U.S. Dist. LEXIS 53125 (D.N.J. Apr. 17, 2014)

Hodges v. Vitamin Shoppe, Inc., 2014 U.S. Dist. LEXIS 5109 (D.N.J. Jan. 15, 2014)

Hoffman v. Lumina Health Products, Inc., 2013 U.S. Dist. LEXIS 176830 (D.N.J. Dec. 17, 2013)

Hoffman v. Cogent Solutions Group, LLC, 2013 U.S. Dist. LEXIS 176056 (D.N.J. Dec. 16, 2013)

Maniscalco v. Brother Int'l Corp., 709 F.3d 202 (3d Cir. N.J. 2013)

Feldman, et al., 2012 U.S. Dist. LEXIS 178924 (D.N.J. Dec. 18, 2012)

Prof'l Benefit Consultants, Inc. v. Claims & Benefit Mgmt., 2011 U.S. Dist. LEXIS 137978 (D.N.J. Dec. 1, 2011)

Dicuio v. Brother Int'l Corp., 2011 U.S. Dist. LEXIS 131553 (D.N.J. Nov. 15, 2011)

Suddreth, et al., 2011 U.S. Dist. LEXIS 126237 (D.N.J. October 31, 2011)


United States ex rel. Pilecki-Simko v. Chubb Inst., 2011 U.S. App. LEXIS 18536 (3d Cir. N.J. Sept. 6, 2011)

Maniscalco v. Brother Int'l Corp., 2011 U.S. Dist. LEXIS 67772 (D.N.J. June 24, 2011)

Arcand v. Brother Int'l Corp., 2010 U.S. Dist. LEXIS 103942 (D.N.J. Sept. 29, 2010)

United States ex rel. Pilecki-Simko v. Chubb Institute, 2010 U.S. Dist. LEXIS 89326 (D.N.J. Aug. 27, 2010)

Shelton v. Restaurant.com Inc., 2010 U.S. Dist. LEXIS 59111 (D.N.J. June 15, 2010)

United States ex rel. Pilecki-Simko v. Chubb Inst., 2010 U.S. Dist. LEXIS 48345 (D.N.J. May 17, 2010)

Koronthaly v. L'Oreal USA, Inc., 374 Fed. Appx. 257 (3d Cir. N.J. March 26, 2010)

United States of America, ex rel. Pilecki-Simko and Giunta v. The Chubb Corporation, et al., 2010 U.S. Dist. LEXIS 27187 (D.N.J. March 22, 2010)

Maniscalco v. Brother Int'l Corp. (USA), 2010 U.S. Dist. LEXIS 20212 (D.N.J. Mar. 4, 2010)

Landsman & Funk, P.C. v. Skinder-Strauss Assocs., 2009 U.S. Dist. LEXIS 77470 (D.N.J. Aug. 28, 2009)

Landsman & Funk, P.C. v. Skinder-Strauss Associates, United States District Court, District of New Jersey, No. 08-3610 (June 30, 2009)

Koronthaly v. L'Oreal USA, Inc., et al., 2008 U.S. Dist. LEXIS 86419 (D.N.J. Oct. 23, 2008)

Koronthaly v. L'Oreal USA, Inc., 71 Fed. R. Serv. 3d 260, 2008 U.S. Dist. LEXIS 59024 (D.N.J. July 25, 2008)

Maniscalco v. Brother Int'l Corp. (USA), 2008 U.S. Dist. LEXIS 50122 (D.N.J. June 26, 2008)

Cooper Hosiery Mills, Inc. v. Honeywell Int'l, Inc., 2008 U.S. Dist. LEXIS 32033 (D.N.J. Apr. 16, 2008)

Parker v. Howmedica Osteonics Corp., 2008 U.S. Dist. LEXIS 2570 (D.N.J. Jan. 14, 2008)

Cooper Hosiery Mills, Inc. v. Honeywell Int'l, Inc., 2007 U.S. Dist. LEXIS 80933 (D.N.J. Nov. 1, 2007)

Jones v. Chubb Inst., 2007 U.S. Dist. LEXIS 72606 (D.N.J. Sept. 28, 2007)

Jones, et al. v. The Chubb Institute, et al., United States District Court, District of New Jersey, Civil Action No. 06-4937 (upholding validity of the class action waiver and compelling arbitration)

Americare Pharmacy v. H.D. Smith Wholesale Drug Company, United States District Court for the District of New Jersey, November 17, 2006

Bruno v. Mark Magrann Associates, Inc, et al., 388 N.J. Super. 539 (App. Div. 2006)

Steiner, et al. v. MedQuist Inc., United States District Court, District of New Jersey, 2006 U.S. Dist. LEXIS 71952 (September 29, 2006)

Jorge v. Toyota Motor Insurance Services, Inc., 2006 WL 2129026 (App. Div. August 1, 2006)

Raineer v. Aaron Rents, Inc., United States District Court, District of New Jersey, July 14, 2006. See related case below: Perez v. Rent-A-Center, Inc., 188 N.J. 215 (2006).


Dimich v. Med-Pro, et al., Supreme Court of the State of New York, County of New York, November 21, 2005, Index No. 113528/03.

Arons v. Rite Aid Corporation, et al., 2005 WL 975462 (March 23, 2005), Superior Court of New Jersey, Law Division, Bergen County.

Fink v. Ricoh Corporation, 365 N.J. Super. 520 (Law Div. 2003).

As Amicus Curiae:

Greenberg, et al. v. Mahwah Sales and Service, Inc., Docket Nos. BER-L-6105-15 (Represented New Jersey Automotive Coalition of Automotive Retailers ("NJCAR")), supporting Motion to Dismiss which was granted by the Court on January 8, 2016

Barbarino v. Paramus Ford, Inc., BER-L-2856-15 and Duke v. All American Ford, Inc., Docket Nos. BER-L-3010-15 (Represented New Jersey Automotive Coalition of Automotive Retailers ("NJCAR")), supporting Motion to Dismiss which was granted by the Court on September 11, 2015

Bosland v. Warnock Dodge, Inc., 197 N.J. 543 (2009) (Represented New Jersey Lawsuit Reform Alliance)

Perez v. Rent-A-Center, Inc., 188 N.J. 215 (2006) (Represented the Association of Progressive Rental Organizations (APRO), as Amicus Curiae, arguing for prospective application only of the Supreme Court's March 15, 2006 decision in Perez v. Rent-A-Center, Inc., 186 N.J. 188 (2006), which held that rent-to-own contracts are subject to the New Jersey Retail Installment Sales Act, N.J.S.A. 17:16C-1, et seq. ("RISA") and the limitations of New Jersey's criminal usury statute, N.J.S.A. 2C:21-19)

EDUCATION Seton Hall University School of Law (J.D., cum laude)

Georgetown University (B.A.)

PROFESSIONAL ADMISSIONS State of New Jersey

Commonwealth of Pennsylvania

United States District Court for the District of New Jersey

United States Court of Appeals for the Third Circuit

Supreme Court of the United States

PROFESSIONAL ACTIVITIES New Jersey State Bar Association

American Bar Association Litigation Section Tort and Insurance Practice Section

Pennsylvania Bar Association

DRI Commercial Litigation Committee Drug & Medical Device Committee


Richard J. Hughes American Inn of Court Graduate

HONORS & AWARDS Listed in Chambers USA Guide to America's Leading Lawyers for Business, Litigation: General Commercial

Listed in Best Lawyers®, Commercial Litigation

Selected to the New Jersey Super Lawyers list, Class Action/Mass Torts

PUBLICATIONS & FEATURES

• "Seventh Circuit Affirms Dismissal of Data Privacy Class Action on Article III Standing Grounds," Business Litigation Alert, March 31, 2017 (By: Michael R. McDonald, Joshua S. Levy)

• "California District Court Dismisses Facebook’s TCCWNA “Website Terms and Conditions” Lawsuit in Light of Valid Choice-of-Law Provision," Business Litigation Alert, February 6, 2017 (By: Michael R. McDonald, Joshua S. Levy)

• "Nordic Naturals Vindicated Again with Third Circuit Affirming Class Action Dismissal and Granting Sanctions for Frivolous Appeal under FRAP 38," Business Litigation Alert, September 19, 2016 (By: Michael R. McDonald, Jennifer Marino Thibodaux)

• "E-Commerce in New Jersey Threatened by Rise of TCCWNA Class Actions," Business Litigation Alert, September 7, 2016 (By: Michael R. McDonald, Joshua S. Levy)

• "TCCWNA Back Before the New Jersey Supreme Court," Business Litigation Alert, August 23, 2016 (By: Michael R. McDonald, Joshua S. Levy)

• "Parties Must Clearly Agree to Delegate Arbitrability to an Arbitrator, Says the NJ Supreme Court," Business Litigation Alert, July 28, 2016 (By: Michael R. McDonald, Kate E. Janukowicz)

• "New Jersey Federal Court Confirms TCCWNA Doesn’t Reach “Omissions”," Business Litigation Alert, July 11, 2016 (By: Michael R. McDonald, Joshua S. Levy)

• "Contractual Limitations Period Bars TCCWNA Class Action," Business Litigation Alert, June 28, 2016 (By: Michael R. McDonald, Joshua S. Levy)

• "Wage-and-Hour Still Makes Hay, Class Action Lawyers Say," New Jersey Law Journal, May 19, 2016 (Christine A. Amalfe, Michael R. McDonald, quoted)

• "NJ Class Suits Over E-Commerce Disclaimers Causing Stir," New Jersey Law Journal, April 20, 2016 (Michael R. McDonald, quoted)

• "Third Circuit in Chesapeake Appalachia: Incorporating AAA Rules Not Enough to Satisfy the Onerous Burden of Overcoming Presumption in Favor of Judicial Resolution of Class Arbitrability," Business Litigation Alert, February 3, 2016

• "NJ High Court Poised To Reshape Arbitration Disputes," Law360, August 13, 2015 (Michael R. McDonald, quoted)


• "Class Action Plaintiffs Have Standing Based on Actual Injuries and Costs of Mitigation Following Corporate Hacking, Says Seventh Circuit," Business Litigation Alert, August 6, 2015 (By: Peter J. Torcicollo, Michael R. McDonald)

• "Class Action Certified in In re Yahoo Mail Litigation for Violations of Stored Communication Act and California’s Invasion of Privacy Act," Business Litigation Alert, June 25, 2015

• "Third Circuit Confirms Prospective Application of New Jersey Supreme Court’s Shelton Decision, Dooming Underlying Class Action," Business Litigation Alert, May 21, 2015 (By: Michael R. McDonald, Caroline E. Oks)

• "Third Circuit Clarifies Apparent Confusion Regarding Rule 23(b)(3) Ascertainability Requirement," Business Litigation Alert, May 19, 2015

• "Third Circuit Confirms That Challenged Expert Testimony Must Survive Daubert Challenges in Order to Demonstrate Conformity with Rule 23," Business Litigation Alert, April 20, 2015 (By: Michael R. McDonald, Caroline E. Oks)

• "Third Circuit Holds the Availability of Class Arbitration is a Gateway Question for Courts, Not Arbitrators," New Jersey Lawyer, April 2015 (By: Michael R. McDonald, Jennifer Marino Thibodaux)

• "Pennsylvania Supreme Court Holds the UTPCPA's "Ascertainable Loss" Requirement Cannot Be Manufactured by Voluntarily Hiring Counsel and Incurring Litigation Costs," Business Litigation Alert, January 20, 2015 (By: Michael R. McDonald, Kaitlyn E. Stone)

• "Best Practices for Defending a Class Action Complaint Before Even Filing a Response," American Bar Association Conference Materials, October 2014 (By: Michael R. McDonald, Caroline E. Oks)

• "Lack Of Prior Substantiation For Advertised Claims Is Generally Not A Cognizable Theory Of Recovery In Consumer Products Class Actions," The Metropolitan Corporate Counsel, October 2014 (By: Michael R. McDonald, Jennifer Marino Thibodaux)

• "Restaurant.com Again Escapes Consumer Class Action," Law360, July 11, 2014 (Michael R. McDonald, quoted)

• "In Today's World, Companies Face Large Exposure from a Wide Variety of Possible Data Breaches," E-Discovery Law Alert, October 29, 2013 (By: Luis J. Diaz, Kevin G. Walsh, Michael R. McDonald)

• "Cutting the Strings Pulling the Puppet Class Representative," For The Defense, July 2013 (By: Michael R. McDonald, Damian V. Santomauro)

• "Be Careful What You Wish For: Supreme Court Upholds Arbitrator’s “Erroneous” Class Arbitration Ruling," Business Litigation Alert, June 19, 2013

• "Rejecting Tele Aid, the Third Circuit in Maniscalco v. Brother Holds that the Laws of Consumers’ Home States Apply in Nationwide Class Actions," Business Litigation Alert, April 22, 2013


• "Supreme Court Prohibits Efforts to Evade CAFA’s Scope," Business Litigation Alert, April 12, 2013

• "Class Action Lawyers React To Supreme Court's CAFA Ruling," Law360, January 19, 2013 (Michael R. McDonald, quoted)

• "Third Circuit Rejects Volkswagen Class Settlement for Fundamental Intra-Class Conflict in Consumer Fraud Class Action," Business Litigation Alert, June 8, 2012

• "Third Circuit Affirms Dismissal of Off-Label Marketing Actions Against Schering for Lack of Standing," Business Litigation Alert, May 31, 2012

• "The Inferior Statutory Penalty Class Action," New Jersey Law Journal, May 21, 2012 (By: Michael R. McDonald, Damian V. Santomauro)

• "Consent to Class Arbitration: What is the Meaning of 'Silence'?" Business Litigation Alert, April 24, 2012 (By: Michael R. McDonald, Damian V. Santomauro)

• "Ninth Circuit Reverses Itself, Withdraws Opinion Which Held that Magnuson-Moss Warranty Act Prohibits Mandatory Arbitration in Warranties," Business Litigation Alert, April 19, 2012

• "Lack of Standing and Choice-of-Law Rules Doom Nationwide Consumer Fraud Class Action Against BMW," Business Litigation Alert, November 23, 2011

• "Ninth Circuit Rules that Magnuson-Moss Warranty Act Prohibits Mandatory Arbitration in Warranties, Creating a Circuit Split," Business Litigation Alert, November 1, 2011

• "Representations That Product’s Effectiveness is “Clinically Proven,” Though Not “Puffery,” Fail to Support State New Jersey Consumer Fraud Act and Implied Warranty Claims," Business Litigation Alert, October 25, 2011

• "The Complex Interplay Between Rule 23 and State Laws," For the Defense, September 2010 (By: Michael R. McDonald, Damian V. Santomauro)

• "A Federal Court May Not Place the Burden of Proof on a Subsidiary to Prove That It Does Not Have Control of Documents in the Possession of its Parent Corporation," Business & Commercial Litigation Newsletter, June 8, 2010 (By: Michael R. McDonald, Damian V. Santomauro)

• "Obtaining Class Certification in New Jersey Just Became an Even More Daunting Task," CADS Report, Section of Litigation, American Bar Association, Winter 2010

• "Raising The Bar: Obtaining Certification Of A Nationwide Class In A Tort Action Brought In New Jersey State Or Federal Court Just Became An Even More Daunting Task," Business & Commercial Litigation Alert, July 2009

• "Obstacles to Certification of Medical Monitoring Class Actions," New Jersey Law Journal, June 16, 2008 (By: Michael R. McDonald, Damian V. Santomauro)

• "Expansive Interpretation of RISA," New Jersey Law Journal, October 16, 2006

• "Redefining 'Ascertainable Loss'," New Jersey Law Journal, March 20, 2006


• "Has the New Jersey Supreme Court Quietly Reigned in Consumer Fraud Class Actions?" Class Action Reports, December 2005

• "Class Litigants Face Tougher Forum - Will closer scrutiny by federal judges curb costs?" New Jersey Law Journal, April 25, 2005 (By: Guy V. Amoresano, Michael R. McDonald)

• "Reducing Frivolous Litigation (Part 2)," Pharmaceutical and Medical Device Law Bulletin, Vol. 4, No. 9, Law Journal Newsletters, September 1, 2004 (By: Michael R. McDonald, Kim M. Catullo)

• "Reducing Frivolous Litigation (Part 1)," Pharmaceutical and Medical Device Law Bulletin Vol. 4, No. 8, Law Journal Newsletters, August 1, 2004 (By: Michael R. McDonald, Kim M. Catullo)

• "Sticking a Pin in Price Inflation Theory," New Jersey Law Journal, November 24, 2003 (Michael R. McDonald, quoted)

EVENTS

• Speaker, Gibbons Academy, "The Class Action Landscape in 2017," Newark, NJ, February 23, 2017 (Featuring: Michael R. McDonald, Caroline E. Oks)

• Speaker, New Jersey State Bar Association 2016 Cyber Security Conference, "Complex Litigation of Cyber Security Issues," New Brunswick, NJ, June 14, 2016 (Featuring: Michael R. McDonald, David W. Opderbeck)

• Webinar Speaker, New Jersey Civil Justice Institute, "TCCWNA Lawsuits: What is Driving Them and Who is Benefiting?," December 11, 2014

• Speaker, West LegalEdcenter, "Analysis of Recent U.S. Supreme Court Developments in Class Actions," November 22, 2013

• Speaker, Gibbons Academy, "The New Jersey Consumer Fraud Act - What You Need to Know," Newark, NJ, July 11, 2012

JUDICIAL CLERKSHIP(S) Law Clerk to the Honorable Herman D. Michels, Presiding Judge for Administration of the Superior Court of New Jersey, Appellate Division, 1987-1988.


Kenneth N. Rashbaum, a partner at Barton LLP in New York and head of its Privacy and Cybersecurity Practice Group, advises multinational corporations, financial services organizations, technology companies and healthcare organizations in the areas of cyber-security, privacy and e-discovery. He negotiates agreements for e-commerce organizations, drafts information management policies and provides cybersecurity and privacy training. Ken also provides breach response counsel, defense of governmental proceedings and litigation following data breaches, and cyber insurance advice. He serves as special e-discovery counsel for complex litigation and in matters in which electronic evidence from beyond the U.S. is required. Ken serves as Chair of the Disputes Division of the Section of International Law of the American Bar Association and is also an Adjunct Professor of Law at Fordham Law School.


BIOGRAPHY

Marc D. Schein, CIC, CLCS

Risk Management Consultant

Marsh & McLennan Agency

565 Fifth Ave, Suite #0500

New York, NY 10017

+1 516-395-8504 | +1 866-795-1208 | [email protected]

Marc D. Schein, CIC, CLCS is a Risk Management Consultant at Marsh & McLennan Agency. He assists clients by customizing comprehensive commercial insurance programs that minimize or eliminate the burden of financial loss through cost-effective transfer of risk. By conducting a Total Cost of Risk (TCoR) assessment, he can determine any gaps in coverage. As part of an effective risk management insurance team, Marc collaborates with senior risk consultants, certified insurance counselors, and expert underwriters to examine the adequacy of existing client programs and develop customized solutions to transfer risk, improve coverage and minimize premiums.

Marc is a seasoned professional with experience working in multiple industries, including Food Services, Manufacturers and Distributors, Accounting and Law, Non-Profit, Real Estate, among others. His risk management experience includes: Cyber Security, Auto, Property, Valuable Items, Employment Practices Liability, Errors & Omissions, Group Umbrella, and Workers Compensation.

In 2011, Marc achieved his Commercial Lines Coverage Specialist (CLCS) designation. In 2014, he received his Certified Insurance Counselor (CIC) designation, and was appointed to the Ponemon Institute’s RIM Council (the pre-eminent research center dedicated to data protection, privacy and information security). In 2015, he was asked to join the Claims & Litigation Management Alliance's Cyber Committee. A sought-after speaker and panelist on Data Breaches and Cyber Security, Marc has spoken before members of Congress and leaders in the Aviation Industry on Capitol Hill regarding the issues and costs of cyber breaches, and how to properly transfer risk to ensure that an organization or business is properly protected from what might otherwise be financially devastating recovery costs. He is also a co-founding member of Clean Machine Charity and Founder of a Nassau County-based networking group. He also maintains membership in BNI International. A graduate of SUNY Oneonta, Marc was a Business Economics Major and Communications Minor who made the Dean's List.

“As a Risk Advisor, I listen intently to the challenges my clients are facing in their business. Then I collaborate with my risk management team to design innovative, strategic, and cost-effective insurance programs that help my clients control premium costs while providing the appropriate coverage.”


NEWARK P +1.973.848.4136 F [email protected]

PRIMARY PRACTICE Insurance Coverage

SECONDARY PRACTICES Complex Commercial Litigation and Disputes

Cyber Law and Cybersecurity

Privacy, Data Protection and Information Management

John P. Scordo

OVERVIEW John Scordo is a partner in the firm’s Newark office and focuses his practice on data privacy and protection, insurance coverage, and complex commercial litigation. He counsels clients on data privacy and protection, best practices, breach preparation and response, and post-breach regulatory liability and litigation.

He has extensive experience in the handling of litigation and the negotiation of claims/coverages under all types of insurance, including data breach liability, first-party network security, general and professional liability, directors and officers (D&O), property/business interruption, fidelity, errors and omissions (E&O), title/closing protection, cargo, environmental impairment, excess/umbrella, securities form J, Side A DIC, life/accident, aviation, secured creditor impaired property, media/publishers, employment practices, health and group benefits, ERISA/fiduciary, and workers’ compensation/employers’ liability.

He is a commercial arbitrator for the Financial Industry Regulatory Authority (FINRA) and is well versed in the numerous data security and insurance coverage issues impacting the financial services industry. Mr. Scordo has also represented both purchasers and suppliers in disputes involving large commercial supply contracts and the Uniform Commercial Code (UCC), and defendants in personal injury/mass tort cases.

PROFESSIONAL BACKGROUND Prior to joining K&L Gates, Mr. Scordo was a partner at a New Jersey law firm. He focused his practice on insurance, data privacy and protection, commercial disputes, mass tort, and securities.

PRESENTATIONS“A Primer on Directors and Officers and Similar Professional Liability Insurance,”Association of Corporate Counsel New Jersey 14th Annual Full Day CLE Conference,September 16, 2016.

“Data Privacy & Cyber Security: Are You Sitting on a Landmine of Data?,” CEO Panel:Data Privacy & Cyber Security (IWNY Event), May 17, 2016.

“Post-Data Breach Litigation,” New York Law School Master Class, April 23, 2015.

“Emerging Coverage Issues Related to Cyber Risks: An Examination of Coverage Under‘Traditional’ CGL and Other Policies,” New Jersey State Bar Association Insurance LawSection, November 19, 2014.

“Cybersecurity: Best Practices to Prevent a Data Breach,” New Jersey Corporate CounselAssociation CLE Program, April 30, 2014.

“Cybersecurity Risks in the Financial Industry,” presented as in-house CLE to financialservices/broker/dealer, March 5, 2014.

“Claims Handling from the Policyholder Perspective: Practical Tips,” New Jersey State BarAssociation Insurance Law Section, November 21, 2013.

“Cyber Risks and Realities, and Insurance Coverage,” Association of Corporate Counsel,Western Pennsylvania Chapter, September 24, 2013.

“Cyber Liability Institute,” New Jersey Institute for Continuing Legal Education, December5, 2012.

“Lessons Learned from Superstorm Sandy and WTC,” K&L Gates and Marsh Conference:Legal and Insurance Lessons Learned from Major Catastrophic Events and ConstructionsClaims, September 10, 2013.


“Cyber Liability in the Age of the New Data Security Laws,” Massachusetts Continuing Legal Education, June 29, 2010.

“E-Discovery: Is Your Company at Risk?” Association for Information and Image Management, May 11, 2010.

“Cyber Liability in an Automated Business Climate From Legislation to Litigation...How to Manage the Risk,” Day Pitney Seminar, February 4, 2010.

Moderator, “Nanotechnology: The Next 10 Years,” Nanotechnology Health & Safety Forum, June 8-9, 2009.

“Cyber Insurance,” Mutual Service Office’s Internet and E/Commerce Seminar for Insurers, October 2008.

“Electronic Discovery and Hot Issues Practicing in Federal District Court,” Association of the Federal Bar of New Jersey, March 2004.

PUBLICATIONS

The Supreme Court of New Jersey Defines a “Successful Claimant” Under New Jersey Court Rule 4:42-9(a)(6) for Fee-Shifting in Certain Coverage Actions, Insurance Coverage Alert, 27 May 2015

SEC Division Offers Guidance on Disclosure of Cybersecurity Incidents and Ongoing Risks, Legal Alert, 21 October 2011

Comp Court is the Exclusive Remedy for Bad Faith, Court Rules, (Quoted) WorkCompCentral, 3 February 2011

Nanotechnology: Insurance and Risk Management Implications, The Risk Report, April 2010

Why Your Data Can Reduce E-Discovery Abuses, (Interview) The Metropolitan Corporate Counsel, April 2010

Litigation After A Data Breach: The Heartland Experience, Legal Alert, 20 January 2010

Zurich North America Announces Development of Nanotechnology Risk Assessment Protocol, Legal Alert, 30 July 2009

Insurance Company Takes Measures Against Unknown Dangers of Nanotechnology, Legal Alert, 16 October 2008

Coverage Issues Implicated in Network Security Insurance, The Metropolitan Corporate Counsel, August 2008

A Comparison of Available Cyber Insurance Policies, White Paper, Summer 2008

Producing Electronically Stored Information, The Metropolitan Corporate Counsel, December 2007

No Duty to Defend Mixed Claims Cases, New Jersey Law Journal, 25 June 2007

Bad Faith Claims Under New Jersey Law, The Metropolitan Corporate Counsel, June 2007

NJM v. Oscar Vizcaino – Summary of Case Decided by New Jersey Appellate Division that Re-Affirms the ‘Burd’ Rule, Legal Alert, 7 May 2007

The Validity of a Discovery Subpoena Issued by an Arbitrator to a Third Party, The Metropolitan Corporate Counsel, January 2007

On the Front Lines of the Electronic Discovery Debate, (Interview) The Metropolitan Corporate Counsel, February 2005

Electronic Data Production – Courts Begin to Set Parameters – Parts I & II, The Metropolitan Corporate Counsel, January/February 2004

When a Buyer Requires Less Than Expected Seller’s UCC Remedies in Requirements Contracts – Parts I & II, The Metropolitan Corporate Counsel, October/November 2003


New Jersey Supreme Court Clarifies Choice-of-Law in Multi-State Environmental Cases, New Jersey Law Report, July 1998

New Jersey Insureds Can Seek Coverage for Employment-Related Claims Under Various Liability Policies, New Jersey Law Report, 1997

PROFESSIONAL/CIVIC ACTIVITIES

American Bar Association (Tort Trial & Insurance Practice Section)

The IOLTA Fund of the Bar of New Jersey (former Chairman, Board of Trustees)

New Jersey State Bar Association (Insurance Section)

Professional Responsibility Rules Committee (former Member)

ADMISSIONS

Bar of New Jersey

Bar of New York

Supreme Court of the United States

United States Court of Appeals for the Third Circuit

United States District Court for the District of New Jersey

United States District Court for the Southern District of New York

EDUCATION

J.D., New York Law School, 1988, (cum laude; Research Editor, New York Law School Law Review)

B.S., Rutgers University, 1985, (Meteorology)

ACHIEVEMENTS

Mr. Scordo has been quoted in the mainstream press on electronic discovery and insurance issues. He has been interviewed and quoted in the Hartford Business Journal, Newark Star-Ledger, and New Jersey Law Journal.

Mr. Scordo has been recognized as a leading litigation practitioner in Benchmark: Litigation, the Definitive Guide to America's Leading Litigation Firms and Attorneys, 2009.

Mr. Scordo founded and runs the unaffiliated website www.research-finance.com, a popular finance website that focuses on academic research in the field.

REPRESENTATIVE EXPERIENCE

DATA PRIVACY AND BREACH

Litigated a proposed class action against an online retailer for privacy violations arising from unauthorized disclosure of credit card information.

Advised companies on post-breach investigation and notice obligations and methodologies, and successfully managed public relations, regulatory and litigation risk.

Complied with and applied in-house breach response plans.

Advised on security policy, privacy policy and breach response plans.

Assisted financial institutions in assessing and purchasing network security coverage covering both first-party and third-party risks.

Frequent speaker to attorney organizations, including Corporate Counsel Association, on in-house data privacy compliance and privacy issues.


Involved in cyber liability issues since 2007.

INSURANCE COVERAGE DISPUTES AND COUNSELING

Represented an international trust and clearing company in policy negotiation and purchase of “Form J” property/securities policies in the London markets following the October–November 2012 storm.

Representing a multinational bank in a property damage, business interruption, service interruption, extra expense, civil authority, and ingress/egress claim following the October–November 2012 storm.

Counseled a New Jersey utility on insurance coverage issues arising under multiple liability and environmental impairment policies for underlying liabilities from manufactured gas plant sites.

Represented a Fortune 100 technology manufacturer in successfully obtaining temporary and preliminary affirmative injunctive relief against its insurer requiring the issuance of a disability policy covering 40,000 employees.

Litigated a coverage claim arising from ERISA liabilities following a “cash balance plan” conversion.

Represented a multinational pharmaceutical company in a recovery under a cargo loss policy following a plane crash at Newark Liberty International Airport.

Represented a multinational pharmaceutical company in its dispute under outside counsel guidelines involving defense counsel fees.

Representing a multinational bank in an insurance coverage litigation in connection with underlying personal injury claims arising from the September 11 WTC event.

Represented a multinational bank in a property damage claim arising from the September 11 WTC event.

Representing a nationwide retailer in a claim under D&O policies in connection with four underlying securities actions.

Represented a private hedge fund manager and related public fund in the negotiation of a complex insurance program utilizing D&O and E&O.

Represented a multinational manufacturer in the proof of loss, negotiation, and settlement of a multimillion dollar employee fraud claim under fidelity bond.

Represented a manufacturer in a broker malpractice claim involving 20 years of premiums paid under workers’ compensation policies.

Representing a multinational manufacturer in the coordination of coverage for underlying asbestos litigation.

Represented numerous nationwide manufacturers in various industries in the coordination of coverage for underlying product liability, environmental, and asbestos liabilities.

Represented numerous manufacturers for underlying environmental liabilities arising from clean-up of sites nationwide.

Represented a commercial and residential roofing manufacturer in the coordination of coverage for underlying asbestos liabilities.

Represented a New Jersey-based pharmaceutical company in the coordination of coverage for underlying asbestos liabilities.

Counseled a multinational bank regarding claims under a D&O policy for underlying mortgage-backed security litigations.

Provided policy wording and insurance structure advice following worldwide bank reorganization/recapitalization and subsidiary divestures.

Assisted with the establishment of a captive insurance program and related regulatory issues to allow the sale of insurance to a payroll company’s customers.


Defended a major insurance broker in a malpractice action under a group excess liability policy.

Provided counsel in the dispute over the loss payee provision in a policy and proceeds from property loss.

GENERAL COMMERCIAL LITIGATION

Obtained a temporary and preliminary injunction for an electronic retailer against a multinational manufacturer preventing the termination of North American television distributorship. Lead trial counsel during multiple evidentiary hearings in the District of New Jersey.

Represented an international industrial gases and engineering company in multiple UCC commercial disputes involving long-term requirements contracts for large, multi-tonnage on-site hydrogen, helium, and oxygen generation facilities located nationwide.

Represented hedge funds in litigation following an attempted “mini-tender offer.”

SECURITIES ARBITRATIONS

Commercial arbitrator for FINRA for over a decade and presided over and decided many complex cases. Represented claimants and respondents in security arbitrations involving allegations of unsuitability, churning, misrepresentation, unauthorized trading, failure to supervise, and expungement.

MASS TORT DEFENSE

Defended a Fortune 1000 energy and natural gas company in multiple personal injury cases arising from manufactured gas plants located throughout New Jersey.

Defended a security company in litigation over death and injuries following a dormitory fire.

Represented a security company in litigation following an abduction, murder, and suicide.

Represented a global banking and financial services company in WTC respiratory litigation.

OTHER EXPERIENCE

Supervised the production of millions of pages of records and privilege log using a team of up to 40 lawyers, paralegals, and document coders located in Mumbai, India.

One of the first practitioners to lecture on e-discovery issues.

PUBLISHED OPINIONS

Warner-Lambert Company v. LEP Profit International, et al., 517 F.3d 679 (3d Cir. 2008).

In re Alpharma Securities Litigation, 372 F.3d 137 (3d Cir. 2004).