ARLINGTON, Va. A number of credit union and bank executives have been ignoring the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cyber Security, waiting for the federal government to issue more definitive guidance.
The 39-page Framework document is intended to promote the protection of critical national infrastructure a major goal of the Obama Administration.
But compliance is voluntary, and officials had already begun talking of a Version 2.0 by the time the original was released in February.
Speaking Thursday at the National Association of State Credit Union Supervisors Cyber Security Symposium here, Julia Philipp, deputy director of cyber intelligence in the Treasury Department's office of critical infrastructure protection and policy, said no timetable for release of Version 2.0 has been set.
When it does come out, though, Philipp said the revised Framework would likely come with a set of incentives.
"The government is looking at incentives for institutions that have adopted the NIST Framework," Philipp said. She added that the inducements under consideration include discounted cyber security insurance and some degree of regulatory streamlining."
Kevin Yaeger, president of the $26 million-asset Post Office Credit Union in Madison, Wis., said he would "absolutely" take advantage of incentives like the ones Philipp hinted at if they are part of a Version 2.0 of the Framework. Until a revision is released, though, Yeager said he would hold off on considering implementation.
"I don't think there is much awareness of the framework, because it is not a final document," Yaeger said. "Implementation takes a lot of work. The last thing I want to do is devote 100 hours to it and have to redo everything."
Similarly, Tom Schauer, chief executive of consulting firm Trust CC, said he has advised his clients to hold off on considering the Framework, at least until Version 2.0 is released.
A number of industry experts have speculated that compliance with the Framework will eventually become mandatory for CUs and banks. Philipp said there are currently no plans that go beyond the offering of incentives.
Schauer, however, said other circumstances might force financial institutions to take up the framework. He said courts are likely to adopt the framework as a baseline for determining whether an institution had met its duty to establish an effective deterrence against cyber attacks.
Cyber security is an issue of increasing concern to financial institutions of all sizes. According to PriceWaterhouseCoopers, the number of major cyber security incidents jumped 25% from 2012 to 2013, to more than 3,700.
Ian Harper, a consultant who served previously as chief information officer at $18.5 billion-asset Pentagon Federal Credit Union in Alexandria, Va., said that a credit union or bank that falls victim to a data security breach is almost certain to end up in court.
"If you have a breach, expect a class-action lawsuit," Harper said.