What Did They Say About Cybersecurity in 2016? 8 Proclamations from Regulators and the Courts

We at Trust Anchor have our ears to the ground. Here are some of the most important things we heard regulators, courts, and legislatures say about cybersecurity in 2016, and what they mean for you and your organization

There is no such thing as compliance with the NIST Cybersecurity Framework (FTC).
In September, the FTC dispelled a commonly held misconception regarding the NIST Framework: It “is not, and isn’t intended to be, a standard or checklist. . . .  there’s really no such thing as ‘complying with the Framework.'” The Framework provides guidance on process. It does not proscribe the specific practices that must be implemented.  Rather, the NIST Framework lays out a risk-based approach to assessment and mitigation that is “fully consistent” with the concept of “reasonableness” embedded in the FTC’s Section 5 enforcement record. Takeaway: Organizations should consider using the NIST Framework—or another framework—to guide their cybersecurity investments and program development. Use of the NIST Framework alone does not signal that an organization is secure.