involvement following a cyber-security incident is to be expected, particularly for major incidents
in highly regulated industries.

Because the Directive provides structure and parameters around agency roles and
responsibilities, it not only helps set expectations about what to expect, and from which agency,
when the government gets involved, but it may also reduce duplication of effort and overlapping
requests from multiple federal agencies.

Notably, the Directive emphasizes the need for the government’s involvement in incident
response to be efficient and constructive, directing that the government response should take
into account the “need to return to normal operations as quickly as possible” when engaging an
entity in the wake of an incident.



Increased Publicity Following Cyber Incidents

The private sector should expect that the Federal Government’s involvement may lead to
increased publicity for cyber incidents.

While PPD-41 states that the government will “safeguard details of the incident” and “sensitive
private sector information,” it makes clear that the government need only determine that a
“significant Federal Government interest is served” by issuing a public statement about the
incident before making such a statement.

Although the Directive suggests that agencies “generally will defer to affected entities in
notifying other affected private sector entities and the public” and will “coordinate their approach
with the affected entities to the extent possible,” organizations must remain conscious that
controlling messaging and publicity following a cyber incident will be complicated by government
involvement, and the Directive will do little to curtail regulators in this regard.

For public companies, this may have additional implications related to SEC-required
disclosures.


Opportunity to Participate in the Development of Procedures and Plans


Finally, the Annex contains specific provisions calling for the SSAs to “coordinate with critical
infrastructure owners and operators to synchronize sector-specific planning consistent with this
directive.”


Likewise, the national incident response plan is to be “developed in consultation with . . . owners
and operators of critical infrastructure, and other appropriate entities and individuals.”


This gives private sector players an opportunity to have a voice in the government’s
development of incident response procedures for their industry.


55 Cyber Warnings E-Magazine – August 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide