On July 10th, Governor Malloy released the “Connecticut Cybersecurity Strategy” (available for download here). The “Strategy” is a call to arms for state and municipal government, private business, higher education, and law enforcement in the fight against cyber attacks. The 39-page document describes particular cyber threats and their potentially catastrophic impacts on Connecticut business, health, and public safety; it proposes general plans of action for each stakeholder group; and it identifies available resources for plan execution. The Strategy calls for action in seven areas: executive awareness and leadership; literacy; preparation; incident response; recovery and continuity; communication; and verification. Although the Strategy applies to Connecticut business broadly, the document highlights the roles particular to the critical infrastructure, financial services, insurance, and defense industries.
We recommend that business leaders get familiar with the Connecticut Cybersecurity Strategy. It proposes a voluntary collaboration and contains no mandates for business. However, the Strategy expressly declines to rule out future regulatory and legislative action. The Strategy is a first step and presents “a pathway to a more detailed, operational action plan.” The State recently took a similar approach with respect to the cybersecurity of public utilities. In that context, it issued a strategy document in 2014, followed by an operational action plan in 2016, which has resulted in annual, confidential reporting on utility company cybersecurity programs.