
Online threats such as cyberterrorism and hacks are the new normal for businesses of all sizes. It’s a matter of when, not if, these issues arise.

Recognizing the need for companies to prepare for and confront cybersecurity challenges, the National Institute of Standards and Technology (NIST) has issued guidelines (the “Framework for Improving Critical Infrastructure Cybersecurity”) to help corporations and government agencies prepare and plan for cybersecurity threats.

However, small businesses often lack the financial resources to hire adequate internal technology support to implement effective security measures.

In the face of the very real threats that confront small businesses, Congress is currently considering House Resolution 1224 (the NIST Cybersecurity Framework Assessment and Auditing Act of 2017), which would provide additional guidance for these companies on how to address cybersecurity and assess risks to their organization.

The NIST Cybersecurity Framework Assessment and Auditing Act

NIST does not have any direct regulatory authority over private organizations, but it has developed a cybersecurity framework—a set of guidelines and standards—that can be used to implement and assess cybersecurity risk management. The initial cybersecurity framework was intended to help protect the nation’s critical infrastructure, such as the power grid, but has been widely adopted by a range of organizations.

H.R. 1224 would create a government/industry working group to develop tools to gauge the effectiveness of the cybersecurity framework for entities analyzing their corporate risk.

Within six months after the enactment of H.R. 1224, NIST will establish a working group to develop specific framework implementation models and measurement tools that private entities can use to adopt the recommendations.

By the end of the first year after the law takes effect, NIST will work with the working group to design metrics that quantify the effectiveness and benefits of the law so private businesses can analyze and assess their individual corporate cybersecurity risks.

Moving forward, NIST will constantly measure the effectiveness of these metrics and implement change when necessary in coordination with the working group.

It will also compile information (derived from the metrics developed and voluntarily submitted by businesses) on how effective the framework is in addressing security threats.

NIST then promises to analyze the information it compiles to make improvements to the framework and share its conclusions and recommended best practices with private businesses, so they can more effectively improve their cybersecurity.

The Congressional Budget Office already has concluded the bill will not affect direct spending or revenues, potentially offering the legislation a fast track through Congress.

Impact on Small Businesses

Businesses of every size should be concerned with the guidelines issued by NIST, and NIST has also released a document called “Small Business Information Security: The Fundamentals,” based on the original framework.

According to this report, we have approximately 28 million small businesses in the United States that produce approximately 46 percent of our nation’s private-sector output and create 63 percent of all new jobs in the country.

While larger companies have dedicated resources for assessing and mitigating cybersecurity threats, the National Cyber Security Alliance has found that 60 percent of small businesses close within six months of a cyberattack. While adherence to the framework is voluntary for most businesses, any company subject to HIPAA, SEC or FTC regulations should adhere to the NIST guidelines.

For example, while the NIST guidelines are not intended to be a standard, the FTC has advised that the guidelines are useful in assessing risk and developing a mitigation plan, which aligns with the FTC requirements for a reasonable process to secure data. The FTC routinely brings cases against companies that have engaged in unfair or deceptive practices that put consumers’ personal data at risk, effectively regulating cybersecurity. In addition, many states have breach notification laws, which require a business to provide notice to a customer when that customer’s data have been accessed or stolen in a cyberattack. Compliance with certain provisions of the guidelines will provide a safe harbor in many instances.

Furthermore, any financial institutions subject to FTC jurisdiction are required to develop, implement, and maintain a comprehensive information security program to keep customer information secure. A “financial institution” is defined broadly as any business that is significantly engaged in financial activities, such as a real estate appraiser, auto dealer, check cashing business, accountant or tax preparer, real estate settlement service provider, mortgage broker and an investment advisory company. That criterion certainly encompasses a number of potentially smaller businesses. Retailers are not included, even though they may accept cash, checks or credit cards, but would be covered by the FTC’s broader enforcement authority to stop unfair or deceptive practices.

In addition, the “financial institution” is required to oversee its service providers in securing customer information. Such oversight includes requiring—by contract—service providers to implement and maintain such safeguards. A “service provider” is any person or entity that receives, processes, maintains or is permitted access to personal information obtained by the “financial institution.”

For small businesses, the guidelines will require the adoption of written policies and procedures to safeguard their data from cyberthreats.

Conclusions

Compliance with the NIST guidelines is not mandatory. However, it enables a business to identify and implement cybersecurity best practices. Voluntary compliance with the guidelines, for a small business, typically involves an audit of current security practices, the business’ IT system and the type of data it stores or collects. Compliance further requires the adoption of written policies and procedures.

The goal of the working group authorized and created by H.R. 1224 is to improve the cybersecurity framework and to help private entities adopt the framework more effectively.

According to the NIST small business document previously referenced in this article, cyberattacks aren’t always aimed at financial gain. Some could be for revenge or just to cause chaos. Environmental disasters can severely damage computer systems, which could destroy information, leading to regulatory fines or legal fees and harming the reputation of your company in the eyes of clients or customers.

Because small businesses are often less prepared to handle these events, H.R. 1224 intends to identify the steps they need to take to protect their companies.