For more information, see ABA's Regulatory Chart.
NIST RELEASES UPDATE TO CYBERSECURITY FRAMEWORK
On January 9, the National Institute of Standards and Technology issued a draft update to the Framework for
Improving Critical Infrastructure Cybersecurity. Comments on the draft are due by April 10 and can be sent to
firstname.lastname@example.org. The 2017 draft incorporates feedback received since the Framework's initial release in 2014,
including comments from a December 2015 Request for Information and the 2016 Cybersecurity Framework
Workshop. Updates to the Cybersecurity Framework include:
A new section on cybersecurity measurement;
Addition of considerations for managing cyber supply chain risks;
Clarification and expansion of key terms such as “authorization, authentication, and identity proofing”; and
NIST is seeking public comment on this draft Framework Version 1.1 on (1) topics not currently addressed in the
draft that could be addressed in the final version; (2) how the changes made in the draft affect the cybersecurity
ecosystem; (3) whether and how the proposed changes would affect use of the Cybersecurity Framework; and more. Read
more. Access the draft update.
NIST Guide for Cybersecurity Event Recovery
Separately, NIST has published the Guide for Cybersecurity Event Recovery to provide organizations with
tactical and strategic guidance for developing, testing and improving recovery plans. Because the guide calls for
organizations to create a specific playbook for each possible cybersecurity incident, it provides example
playbooks for handling data breaches and ransomware, as well as a checklist of elements to include in a
The purpose of this document is to support organizations in a technology-neutral way in improving their cyber
event recovery plans, processes, and procedures, with the goal of resuming normal operations more quickly. It is
not intended to be an operational playbook, but to provide guidance to help organizations plan and prepare
recovery from a cyber event and integrate the processes and procedures into their enterprise risk management
plans. Access the guide.
NEW YORK REVISES CONTROVERSIAL CYBERSECURITY PROPOSAL
The New York Department of Financial Services has revised its proposed cybersecurity regulations amidst
numerous objections from the financial services industry. The December 28 announcement invites comments on
the revised proposal for 30 days and pushes the effective date to March. The original proposal – the first of its
kind from a state regulator – required New York-chartered financial institutions to establish a cybersecurity
program with written policies and procedures, designate a chief information security officer, and meet a number
of additional requirements including annual testing, risk assessments, and periodic reviews of access privileges.
NYDFS received more than 145 comment letters, many of which criticized the proposal’s “one-size-fits-all” approach, noting
that its requirements did not take into account variations in the business models, IT system structures or risk profiles
of the institutions affected. Other concerns included a lack of harmony between the proposal and federal
regulations, onerous reporting requirements and the high cost of compliance.
The December proposal aligns more closely with the NIST Cybersecurity Framework and recognizes bank risk
management practices based on periodic cybersecurity risk assessments. Among the significant changes are a
flexible approach to staffing, including the use of third-party expertise and service providers; acknowledgment of
cyber risk management practices within a bank holding company structure; and the phasing in of compliance over two
years. Read ABA’s comments on the original proposal. Read the revised December 28 proposal.