Speaking at a Venable-hosted cybersecurity forum on September 25, Cyber Sticks and Carrots – How the NIST Cybersecurity Framework, Incentives, and the SAFETY Act Affect You, Wool said many of the [government] proposed incentives [to get infrastructure companies to bolster their cyber defenses] have already been discussed with industry leaders at National Institute of Standards and Technology (NIST) workshops held around the country. He added that the most promising of the NIST suggestions focused on remediation and liability limitation.
Wool said that legislation supporting liability limitation could create legal safe harbors for firms, but it’s probable that cybersecurity legislation will be postponed until next year. Firms are unlikely to get liability coverage for cyber attacks under the new infrastructure being established, he concluded.
Locaria addressed liability protections as they relate to the SAFETY Act – a post-9/11 law designed to boost development of counterterrorism technologies. The Act offers three levels of protection to organizations: certification; designation; and developmental, testing and evaluation designation (DTED). Elaborating on the significance of the three statuses, he explained that a certification is the highest protection, and immunizes companies from third-party liability as the result of a terrorist attack.
Locaria said that as cybersecurity legislation remains on hold, firms can get protection under the Act by conducting an internal technology assessment and submitting an application to the Department of Homeland Security. The law is an additional tool for companies to use when assessing their vulnerability to cyber attacks, he said.
Venable partner and retired Navy Rear Admiral Jamie Barnett moderated the Venable-hosted cybersecurity event on September 25.