Will Organizations Already Burdened by GRC Issues Participate “Voluntarily” in the Adoption or Non-Adoption of the Cyber Security Framework?

Don Miller

It’s time again to discuss GRC (governance/risk management/compliance) in the context of data security for the managed file transfer process.  Concurrently, we can update everyone about recent events related to the Executive Order on Improving Critical Infrastructure Cyber Security (“EO”).

The National Institute of Standards and Technology (“NIST”) has issued and requested public comment on its Preliminary Cyber Security Framework (“Preliminary Framework”).  Most observers would agree that the Preliminary Framework contains few surprises, because it differs only slightly from the Draft Preliminary Cyber Security Framework that was released in August.  You can read our less-than-enthusiastic review of the Draft Preliminary Cyber Security Framework here, but basically, we feel it fails to either spell out an approach or outline substantive requirements that critical infrastructure owners must/should follow to protect against cyber security threats.

But like it or not, the Framework should not be ignored.  Nor can organizations take solace in the fact that adoption of the final Framework is voluntary.  Many of you have probably heard the old barb about a “voluntary” government initiative—i.e., there is nothing more mandatory than a government initiative encouraging voluntary participation.

So how can the government get organizations that are already burdened (perhaps overburdened) by cyber security GRC issues to participate “voluntarily”?  In the same way government usually gets “voluntary” cooperation with its initiatives—i.e., by offering incentives to encourage participation and/or disincentives for ignoring the Framework.  The Department of Homeland Security has already proffered a list of possible incentives, including tax credits, rate recovery, insurance bundles and liability limitations.

The EO also contains a provision allowing “prioritized, risk-based, efficient, and coordinated actions…to mitigate cyber risk” if affected agencies determine that current regulatory requirements are insufficient.  It is possible, therefore, that agencies would impose rules and regulations if participation in the voluntary program to adopt the Framework is determined to be insufficient.

A final version of the Framework is coming.  So all affected organizations should be proactive and get in front of the many GRC implications associated with adoption or non-adoption of the final Framework.  bTrade can help in that regard.  As a pioneer in the world of managed file transfer, our data security experts are well-positioned to answer any and all questions about data security in light of the EO.  We encourage those of you responsible for data security in your organization to contact us at info@btrade.com.