Some firms warn that the framework could become a “standard of care” by which companies would be held accountable for cyber-related damages depending on the circumstances. Barnett said that, as a legal definition, a standard of care can take some time to develop, and the framework may very well be headed in that direction. “If it raises what people see as reasonable security, and you're not meeting that standard of care, then there may be liability.”
And though a standard of care may not emerge immediately, Barnett explained that insurance companies might rush to require clients to follow the framework or pay higher premiums if they want cybersecurity insurance.
He concluded by saying the framework “is serious. It does change things.”