The ransomware attack on Colonial Pipeline demonstrated yet again the failure of government and business to anticipate cybersecurity issues through traditional tools – risk and vulnerability analysis, implementation of technology and planning to minimize a cyber event, and crisis response protocol.  In the aftermath of this debacle, the public lined up to purchase gallons of gasoline because of a short-term shortage in gasoline.  These scenes of panic were a reminder of the impact that poor government and business risk management can have on public reaction.

The Biden Administration issued a response quickly to update the government’s cybersecurity practices.  Federal agencies were directed to take a variety of actions to share information, strengthen cybersecurity practice and use new technologies to reduce cyber vulnerabilities.

All of that is well and good but until the private sector is subject to various requirements relating to cybersecurity, not much is going to change. For example, there still is no actual federal corporate disclosure requirement to notify law enforcement and the public after a company suffers a cyber-attack or suffers a cyber incident.  Similarly, there are no specific standards set for any industry sector that companies must meet to protect against cyber-attacks.

Companies and corporate boards have to address the cyber risk situation.  To do so, careful planning, assessments and coordinated strategies have to be designed and implemented.