The need for a financial sector legal standard to support the NIST Cybersecurity Framework

ABSTRACT

The National Institute of Standards and Technology (NIST) published the NIST Framework for Improving Critical Infrastructure Cybersecurity of 2014, followed by an updated version in 2017. The Framework, which was developed as a joint effort between the U.S. Federal Government and the private sector, serves only as a guideline and is not mandated by any legal authority. Currently, adoption of the Framework is voluntary. The Financial Sector, one of sixteen Department of Homeland Security critical infrastructure sectors, should be incentivized to adopt the framework, based on inconsistency and accountability of best practices implementation across the sector. Global cyber attack opportunists used the 2020 COVID-19 pandemic to exploit cybersecurity vulnerabilities and gaps in the U.S. Financial Sector. The NIST Cybersecurity Framework provides guidelines for strengthening cybersecurity and identifies areas of potential cyber attack impacts. This paper is a summary of the author's published 2021 doctoral dissertation, which includes research and analysis of reported Financial Sector risks, failures and impacts due to weak or lack of cybersecurity controls. The study also provides analysis of success stories of Financial Sector and other entities which have adopted the NIST Cybersecurity Framework. Dr. Goodwin is a Senior Member of IEEE. © 2022 IEEE.