For quite some time, it has been apparent that the announcement of the NIST Cybersecurity Framework would be a seminal event. Though couched as a voluntary program, many expected that the Framework would become the de facto ground for liability. After all, if the National Institute of Standards and Technology has determined a baseline framework for optimal security in the cyber domain, what could be more negligent than failing to meet that minimum standard?
Unsurprisingly, the penny has begun to drop. Not, as one might have expected, in private sector tort suits, but in public sector regulatory action. Last week, the Securities and Exchange Commission announced its intention to conduct an examination of the cybersecurity of 50 broker-dealers and investment advisers subject to its jurisdiction. The questionnaire derives much of its content from the NIST Framework—so now the Framework will be the likely ground for regulatory action.
How ironic then, that in the same week, the GAO issued a report critical of the SEC for its own lack of adequate cybersecurity and oversight. Perhaps the cobbler’s children don’t have any shoes ….