Legislative Branch Activity
- Tuesday, February 25: The Senate Banking, Housing and Urban Affairs Committee will hold a hearing titled “Reauthorizing TRIA (Terrorism Risk Insurance Act): The State of the Terrorism Risk Insurance Market, Part II.”
- Thursday, February 27: The Senate Armed Services Committee will hold a hearing to examine the U.S. Strategic Command and U.S. Cyber Command in review of the Department of Defense’s FY 2015 defense authorization request. Admiral Cecil Haney, Commander of the U.S. Strategic Command, and General Keith Alexander, Commander of the U.S. Cyber Command, are both scheduled to testify at the hearing.
Executive Branch Activity
NIST Cybersecurity Framework
At a White House event on February 12, the National Institute of Standards and Technology (NIST) issued the final version of its Cybersecurity Framework as required by the President’s February 2013 Executive Order (EO). NIST Director Patrick Gallagher recently noted that NIST expects the document to evolve over time as new cyber threats emerge and companies begin implementing the Framework to better protect their networks from cyber attacks. NIST plans to travel the country over the next few months to urge support of the Cybersecurity Framework and will host two more workshops on the final Framework – one in April to discuss privacy issues and one in late summer to assess the implementation of the Framework.
In addition to the work that NIST is doing to implement and promote the Cybersecurity Framework, the Department of Homeland Security (DHS) is also engaging with the public through its Critical Infrastructure Cyber Community program, also known as the C3 Voluntary Program. This program is designed to coordinate the implementation of the Cybersecurity Framework across critical infrastructure sectors. The program will also offer cyber resilience reviews through free assessments of an organization’s information technology resilience, as well as other information about cyber threats and how to respond to them. White House Cybersecurity Coordinator Michael Daniel also recently noted that the White House plans to issue more details in the coming months about potential incentives for companies that choose to adopt the Framework.
The Securities and Exchange Commission (SEC) announced that it plans to hold a roundtable on March 26 to discuss the challenges that cyber threats present for public companies and financial markets. The recent data breaches at the Target Corporation and Neiman Marcus prompted the SEC to schedule the event. In 2011, the SEC issued informal staff-level guidance for public companies to use when determining whether to disclose to shareholders the cyber attacks that occur and the impact they have on a company’s financial condition. Senate Commerce, Science, and Transportation Committee Chairman John Rockefeller (D-WV) has repeatedly called on the SEC to issue formal guidance to require companies to disclose cyber threat information more often to shareholders. This issue may also be a topic at the roundtable next month.
National Infrastructure Protection Plan
In December 2013, DHS issued an updated version of its National Infrastructure Protection Plan (NIPP) that provides an outline for how the federal government should work with critical infrastructure sectors to manage risks, including cyber threats. Last week, DHS began working on the implementation of the NIPP by launching a working group that included federal regulatory agencies, sector coordinating councils, and state, local and tribal authorities. The working group plans to meet on a monthly basis throughout the next several months to develop priorities for the implementation of the NIPP and to draft sector-specific planning guidance that is set to be released this summer.
- Wednesday, February 26: Patton Boggs will host the third in a series of webinars focused on cybersecurity issues. The webinar, titled “Cybersecurity Impacts on the Health Care Sector: More Than Just HIPAA/HITECH – What Does the New Cybersecurity Framework Mean to You?”, will help companies operating in the health care sector understand how cybersecurity-related policy issues affect their business.