On Tuesday, the White House approved a presidential policy directive (PPD) to help the federal government coordinate with the private sector when responding to cyber-attacks. The PPD is the U.S. government’s first cyber-attack response manual. Lisa Monaco, assistant to the president for homeland security and counterterrorism, explained this new PPD “establishes principles governing the federal government’s activities in incident response; distinguishes between significant cyber incidents and “steady-state” incidents; categorizes government activities into “lines of effort” and designates a lead agency for each line of effort; and creates mechanisms to coordinate on incident response, instituting a Cyber Unified Coordination Group to enhance coordination procedures within individual agencies.”
The PPD, known as PPD-41, contains two interesting features that could have a direct impact on the insurance industry. First, the response manual detailed five principles to model a cyber response plan: shared responsibility, risk-based response, respecting affected entities, unity of governmental effort, and enabling restoration and recovery. This could not only impact how organizations respond to breaches, but also impact what an insurance company is required or prevented from doing when responding to a cyber-attack.
Second, the presidential policy directive includes a five-level grading system. While we have yet to witness a cyber-attack large enough to reach what will be described as Level Five, which would need to directly impact infrastructure, government stability or American lives, the recent hack on the DNC would most likely earn a lower grade, according to Reuters. This grading scale could impact the level in which the federal government becomes involved with investigating, responding to and covering financial losses from a cyber-attack, impacting the insurer’s role when handling a claim. While Obama’s PPD-41 is the first of its kind in regards to cyber, it exemplifies the effort the White House is putting into the recently established Cybersecurity National Action Plan (CNAP).