Connecticut Becomes Third State to Incentivize Cybersecurity Best Practices for Businesses
Bill includes the use of the CIS Critical Security Controls as part of a reasonable cybersecurity program
HARTFORD, Conn., July 12, 2021 – Connecticut Governor, Ned Lamont signed HB 6607, “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses” into law last week. The bill, introduced by Representative Caroline Simmons, prohibits the Superior Court from assessing punitive damages against an organization that implements reasonable cybersecurity controls, including industry recognized cybersecurity frameworks such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and the Center for Internet Security (CIS) Critical Security Controls (CIS Controls®).
The Connecticut bill states that in the result of a data breach of personal and restricted information, the court may not assess punitive damages if the organization created, maintained, and complied with a written cybersecurity program containing administrative, technical, and physical safeguards for protecting PII and restricted information.
"It is critically important to do a better job of protecting businesses and consumers against cyber-attacks,” said Representative Simmons. “In Connecticut, we took a step to accomplish this voluntarily without regulation by incentivizing organizations to adopt cyber best practices, like the NIST framework and the CIS Critical Security Controls."
Connecticut joins Ohio and Utah in legislative efforts to adopt an incentive-based approach for businesses to implement cybersecurity best practices.
“Cybersecurity is largely unregulated today; there is no national statutory minimum standard of information security, making it difficult to improve cybersecurity on a wholesale basis,” said CIS Executive Vice President & General Manager, Security Best Practices, Curtis Dukes. “Connecticut’s cybersecurity bill introduces a critical interim step: incentivizing the adoption of cyber best practices like the CIS Controls, to improve cybersecurity and protect citizen data.”
The CIS Controls are a set of internationally-recognized, prioritized actions that form the foundation of basic cyber hygiene and essential cyber defense. Applying the CIS Controls provides a critical, measurable security value against a wide range of potential attacks. Analysis shows that implementing the CIS Controls mitigates the majority of cyber-attacks when evaluated against attack patterns in the widely referenced ATT&CK framework published by the MITRE Corporation. Specifically, the CIS Controls mitigate:
- 83% of all attack Techniques found in the MITRE ATT&CK Framework
- 90% of ransomware ATT&CK Techniques
- 80% of targeted intrusion techniques
- 100% of instances of web-application hacking techniques.
Further, Implementation Group 1 (IG1), a subset of the Controls that is considered basic cyber hygiene, is effective in mitigating:
- 62% of all Techniques in the MITRE ATT&CK model
- 79% of malware ATT&CK Techniques
- 100% of the Insider Privilege and Misuse ATT&CK Techniques
Under the bill, organizations have to conform with revisions and amendments to identified industry-recognized cybersecurity frameworks (like the CIS Controls), laws, and regulations within six months after the revised document is published.
The bill becomes law on October 1, 2021.
The Center for Internet Security, Inc. (CIS®) makes the connected world a safer place for people, businesses, and governments through our core competencies of collaboration and innovation. We are a community-driven nonprofit, responsible for the CIS Controls® and CIS Benchmarks™, globally recognized best practices for securing IT systems and data. We lead a global community of IT professionals to continuously refine these standards to proactively safeguard against emerging threats. Our CIS Hardened Images® provide secure, on-demand, scalable computing environments in the cloud. CIS is home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial (SLTT) government entities, and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®), which supports the cybersecurity needs of U.S. elections offices. To learn more, visit CISecurity.org or follow us on Twitter: @CISecurity.