Three years ago, the National Institute of Standards and Technology (“NIST”) released the “Framework for Improving Critical Infrastructure Cybersecurity.” In the intervening years, NIST and numerous other US government departments and agencies have continued to release guidance on how to improve cybersecurity using a tailored risk management framework. In recent months, NIST has continued this trend. In December 2016, NIST released a new guide for “Cybersecurity Event Recovery” (SP 800-184), and in January 2017, NIST published the draft “Framework for Improving Critical Infrastructure Cybersecurity v. 1.1.” Each issuance reflects NIST’s focus on developing risk-based approaches for protecting against cyber attacks. This Legal Update outlines the guidance and key implications for businesses.
