
Connecticut Becomes Third State to Incentivize Cybersecurity Best Practices for Businesses

Bill includes the use of the CIS Critical Security Controls as part of a reasonable cybersecurity program

Connecticut Governor Ned Lamont signed HB 6607, “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses,” into law last week. The bill, introduced by Representative Caroline Simmons, prohibits the Superior Court from assessing punitive damages against an organization that implements reasonable cybersecurity controls, including industry-recognized cybersecurity frameworks such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and the Center for Internet Security (CIS) Critical Security Controls (CIS Controls®).


The Connecticut bill states that in the event of a data breach of personal and restricted information, the court may not assess punitive damages if the organization created, maintained, and complied with a written cybersecurity program containing administrative, technical, and physical safeguards for protecting PII and restricted information.

“It is critically important to do a better job of protecting businesses and consumers against cyber-attacks,” said Representative Simmons. “In Connecticut, we took a step to accomplish this voluntarily without regulation by incentivizing organizations to adopt cyber best practices, like the NIST framework and the CIS Critical Security Controls.”

Connecticut joins Ohio and Utah in legislative efforts to adopt an incentive-based approach for businesses to implement cybersecurity best practices.


“Cybersecurity is largely unregulated today; there is no national statutory minimum standard of information security, making it difficult to improve cybersecurity on a wholesale basis,” said CIS Executive Vice President & General Manager, Security Best Practices, Curtis Dukes. “Connecticut’s cybersecurity bill introduces a critical interim step: incentivizing the adoption of cyber best practices like the CIS Controls, to improve cybersecurity and protect citizen data.”

The CIS Controls are a set of internationally-recognized, prioritized actions that form the foundation of basic cyber hygiene and essential cyber defense. Applying the CIS Controls provides a critical, measurable security value against a wide range of potential attacks. Analysis shows that implementing the CIS Controls mitigates the majority of cyber-attacks when evaluated against attack patterns in the widely referenced ATT&CK framework published by the MITRE Corporation. Specifically, the CIS Controls mitigate:

  • 83% of all attack Techniques found in the MITRE ATT&CK Framework
  • 90% of ransomware ATT&CK Techniques
  • 80% of targeted intrusion techniques
  • 100% of instances of web-application hacking techniques


Further, Implementation Group 1 (IG1), a subset of the Controls that is considered basic cyber hygiene, is effective in mitigating:

  • 62% of all Techniques in the MITRE ATT&CK model
  • 79% of malware ATT&CK Techniques
  • 100% of the Insider Privilege and Misuse ATT&CK Techniques

Under the bill, organizations have to conform with revisions and amendments to identified industry-recognized cybersecurity frameworks (like the CIS Controls), laws, and regulations within six months after the revised document is published.

