Specialty Podcast: NIST Incident Response Release 3 Aligns with Cybersecurity Framework
By Alliant Cyber / June 13, 2025
With cyber threats growing more sophisticated, NIST has overhauled its incident response guidance to help organizations better prepare, respond and recover. Join Jay Stampfl, David Finz and Grace Michael, Alliant Cyber, as they explore the NIST Special Publication 800-61 Revision 3 and its link to the updated Cybersecurity Framework (CSF) 2.0. They explore the expanded role of incident response, the new “govern” function and the shift toward continuous improvement. The team also explains how these changes affect cyber insurance underwriting and how Alliant helps clients stay ahead through planning, tabletop exercises and risk-focused engagement.
Intro (00:00):
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.
Jay Stampfl (00:09):
Welcome everybody to another episode of Alliant Specialty Podcast. My name is Jay Stampfl, Managing Director, cyber leader here at Alliant Specialty. With me today are two of my esteemed colleagues, Mr. David Finz and Ms. Grace Michael. Welcome, guys.
Grace Michael (00:24):
Hello, Jay.
David Finz (00:25):
Hey. Thanks for having us on, Jay.
Jay Stampfl (00:27):
Yes, excited to talk about the NIST incident response release. With that, maybe we can start by explaining to our listeners what is NIST and more specifically the NIST Cybersecurity Framework.
David Finz (00:39):
I guess I'll take that one, Jay. NIST stands for the National Institute of Standards and Technology. It's now part of the U.S. Department of Commerce, but it was founded by Congress in the early 1900s to help our nation compete in the global marketplace. Originally that was about instituting standard weights and measures for American industry, but now they're involved in developing standards for everything from nanomaterials to skyscrapers. Now as far as information technology goes, the NIST Cybersecurity Framework, or CSF, consists of a series of standards, guidelines and best practices around cyber risk. The goal is to provide a common language and approach for addressing cybersecurity. Now it's important to note that compliance with the CSF is voluntary on the part of businesses, and the framework is meant to be flexible, so that it can be used by businesses of different sizes and industry sectors. The framework itself consists of three main components, the core, tiers and profiles. The core outlines what were originally five and are now six functions that require attention from an organization on a continual basis, and I'll let Grace describe those in further detail.
The different tiers represent the extent to which an organization has actually implemented the practices defined in the framework, and the profiles refer to the organization's current security posture as well as their target security posture, where they want to be essentially. Using the CSF allows organizations to better understand cyber risk. It helps them prioritize what actions they need to take and enables them to track their progress over time. It also fosters communication between the different business functions within the company around the whole issue of cybersecurity.
Jay Stampfl (02:30):
Got it. Thanks, David. You mentioned the six functions of the cybersecurity framework. What are those, and where does the incident response come into play?
Grace Michael (02:37):
Yes, absolutely. I can take that on, David. We're going to now talk about the foundation of incident response, and that goes back to the framework and basically there are six functions, and those have changed recently. There's now a CSF release 2.0, and that one added a sixth function. I'm going to start with that sixth function because of the overarching function. There's govern, and that govern function establishes the risk governance for the controls at play: identify, protect, detect, response and recover. All of these functions make up the security controls, and what incident response does is it emphasizes those security controls. Now, how that comes into play is incident response release two, the previous version, actually falls under the response function.
It focuses on addressing the cybersecurity incidents effectively, but in a silo. That response function is, we'll go more into detail later, but it goes into phase three, which is containment, eradication and recovery efforts to minimize damages and prevent future occurrences to our clients. Now, incident response release three, a teaser, falls into the broader three functions of that six functions, which is detect, response and recover. Fundamentally, a well-defined incident response plan ensures that our clients that we support and act swiftly when a breach or an attack occurs.
Jay Stampfl (04:04):
Great. Thank you, Grace. What is the gist of this latest update to the incident response recommendation and why did NIST issue this update?
David Finz (04:11):
This latest version was released on April 3rd of this year, and in essence, NIST wanted to make sure that organizations were effectively integrating incident response into their cybersecurity risk management practices. But the main reason for issuing this update to the incident response recommendations, in my view, was to align NIST's guidance around incident response with the current framework, especially with the recently added govern function that Grace just referenced. NIST also wanted to make sure that organizations consider incident response as an integral part of their overall cybersecurity strategy rather than treating it as a separate activity on its own. The recommendations here have been updated to help businesses better prepare for, better respond to and better recover frankly from a cyber incident. The guidance appears to reflect lessons learned from actual incidents, and it incorporates our current understanding of threat actors and their methods of attack.
Now, as far as the specific revisions, NIST really overhauled its incident response guidance, and they've embedded incident response planning within all six functions of the cybersecurity framework. They've included a new lifecycle model that is based on these functions, and there's a sharper focus on the proactive measures that businesses can take to reduce the frequency and the severity of cyber incidents. There's also new guidance around managing and recovering from an attack, including the reporting of incidents and communication with stakeholders. Last but not least, there's an increased emphasis on developing documented procedures around the critical actions that need to be taken during a cyber event. Things like shutting down portions of the network or redeploying authentication platforms to try to contain the threat and to limit the impact on operations.
Jay Stampfl (06:09):
Thank you, David. Grace, David mentioned the lifecycle, so how has the incident response lifecycle model changed over time?
Grace Michael (06:16):
Yes, and I won't go too far back, Jay, on this. I'll go back to the most recent iteration, so release two. This was about a dozen years ago, so it was about time, but the most recent lifecycle, Jay, was just four phases, and I mentioned earlier that they were siloed. Those four phases were preparation phase, are you ready for an incident silo? Phase two, can you identify and analyze that incident? And if so, then you can either, yes, it's an actual incident and you move on to phase three or it's not, it was a false positive. So, if it was an actual incident, you go to phase three, another silo, and in that you do your response, your eradication and your containment. Then lastly was the post-incident activity of phase four. Now, what has changed, Jay? That's such a great question. Just last month, just in April 2025, it's now May, but just in April 2025, NIST in its wisdom again, having taken into account that step from the framework 2.0 and the govern function, released special publication 800-61 Revision 3. I'm getting really specific because this revision tied to that govern function, Jay, really blew incident response out of the water. I say that because it isn't just focused on one incident or one event.
With this Revision 3 upgrade, the perception is away from the standalone process into more of a continuous improvement, and let me explain why. David mentioned it earlier. Lessons learned is more predominant now, and so lessons learned from incidents, they shouldn't be shelved after an incident. But controls identified to be considered for implementation, that lessons learned and identifying a gap, doing a corrective action, well, you're implementing it into the company's broader cybersecurity strategies, so now there's more of an improvement and so on. The revised framework categorizes incident response into now three, not just respond if you recall in release two, but now there are three primary functions at play here, detect, respond and recover. While governance, identification and protection activities are considered foundational cybersecurity risk management practices. This shift, Jay, reflects a growing complexity of cyber threats in many of our clients' environments. There's a constant awareness and an ongoing monitoring for potential business disruption activities. No longer that one and done, and a need for companies to integrate incident response into their overall security posture, Jay.
Jay Stampfl (08:36):
Great, thank you. David, just pivoting here for a second on the insurance world. How do the cyber insurance underwriters rely on the NIST cybersecurity framework in assessing risk?
David Finz (08:47):
The NIST framework does help underpin the types of questions that underwriters ask about the security controls, the business processes and the incident response planning that an organization has in place. It's important to remember that compliance in and of itself does not equate to security. While adherence to the NIST framework doesn't guarantee that you won't have a cyber incident, it demonstrates to the underwriters that you have fostered a, what I'll call a culture of cybersecurity awareness, that you've given some thought to how your current security posture lines up with the evolving threat environment and that you've taken steps to get the right controls in place. All of that translates into better pricing and coverage terms.
Jay Stampfl (09:31):
Got it. Okay, great. Grace, with this latest release, how's Alliant helping clients adapt to this?
Grace Michael (09:38):
Terrific question, Jay. It's actually one of my favorites. Establishing incident response strategy, an overall strategy, like soup to nuts, of the plan, the tabletop and so on. It's one of our most popular product offerings that many of our clients across various industries have already signed up for. Alliant Cyber works closely with our clients to ensure the right strategy is adapted. This starts with a kickoff meeting, where we discuss the NIST framework thoroughly. We leave no stone unturned, Jay, until our client has a clear understanding of what they're signing up for, including the timeline to implement an entire IR program. It's not a big haul because we're there with them to work beside them. Then we have the incident response. So after the kickoff, then we have the incident response planning sessions where we right-size an incident response plan to the client's environment, ensuring the appropriate recovery strategy to help the client reduce their risk during an incident to a level acceptable not only to the client across the table from us, Jay, but also their leadership, their stakeholders and sometimes to their board. Once the incident response plan is established, this is followed by training the client on their incident response plan prior to a tabletop exercise. One of the standard advantages of working with Alliant is during the tabletop scenario, we discuss the implications of an incident to the client's cyber policy that we help broker.
Now, prior to Release 3, Jay, of NIST, Alliant had already, I'm so proud of this, Alliant had already prioritized identifying the risk to our clients. Again, NIST Release 3 was only released April 2025. As far back as when CSF 2.0 in first quarter 2024 was released, we already started saying, hey, governance is so important, we want to integrate that into our clients’ IR strategy and build it into Alliant's offering. We've been doing this for over a year. An integral part of the incident response strategy is that we offer a post tabletop exercise lessons learned. It's part of that cycle we talked about, Jay. Now it's in an interactive session, virtual format, where gaps, threats and risks are disclosed and corrective action plans are discussed. Jay, we were discussing those a year ago. These are my favorite sessions by far as our clients are fully engaged, and we typically have a terrific mix of technical and non-technical employees and client department functions, management and leadership in attendance. During this, every segment of the incident response strategy, Jay, in compliance with Release 3, just ahead of schedule.
Jay Stampfl (12:01):
Great. Final question I have here is what can business leaders do if they would like to find out more?
David Finz (12:06):
Jay, we're happy to schedule an introductory consultation to see if our risk assessment tools are a good fit for an organization's needs. While the process is designed to help firms become a better risk in the eyes of the underwriters, you don't need to be a current client of ours to engage in this process. Folks can reach out to Grace or to me directly. They can also visit our website at www.Alliant.com and find out more about how we can help our clients find the more rewarding way to manage risk and obviously that includes cyber risk.
Jay Stampfl (12:51):
Fantastic. Well, David, Grace, thank you so much for being here today and such great information. Thank you.
Grace Michael (12:58):
Our pleasure. Thank you, Jay.
David Finz (13:00):
Thanks, Jay.
Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an “as is” basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.