February 12, 2014

NIST cybersecurity framework sets voluntary guidelines

The National Institute of Standards and Technology on Wednesday released a cybersecurity framework for reducing risks to critical infrastructure, providing credit unions and other financial institutions with voluntary guidelines – not mandatory regulation – on which to base privacy policies, an approach supported by NAFCU.

NAFCU will provide more information in a summary and will seek input on the framework from its members. The framework is designed to work in tandem with a credit union's existing risk management strategy, if it has one. It includes a methodology for protecting individual privacy and civil liberties while enacting cybersecurity measures.

Credit unions are already subject to strict data security requirements under the Gramm-Leach-Bliley Act.

During the past year, NAFCU participated in a meeting with representatives from the Financial Services Sector Coordinating Council for Critical Infrastructure Protection, of which NAFCU is a founding member, and NIST to discuss the framework. Last April, NAFCU submitted a comment letter to NIST on its initial notice of inquiry regarding the framework. NAFCU supported the initiative because it is voluntary, but it urged NIST not to take a one-size-fits-all approach as it developed the framework.

NAFCU's five-point plan also calls for national standards on merchant data security, liability if such standards are not met, and immediate notification to financial institutions and their account holders when breaches occur.