Cyber & IT Supervisory Forum - November 2023

INJECT 3 : Tuesday, early a Ō ernoon, June 7: While internal IT teams con Ɵ nue their urgent work to contain the ransomware and execute their incident response plan, it is discovered that news of the incident has leaked to social media pla ƞ orms and is quickly beginning to spread to the company’s customers. Customers are expressing their concerns and seeking informa Ɵ on about the situa Ɵ on, pu ƫ ng pressure on customer support teams to provide Ɵ mely and accurate updates. Addi Ɵ onally, media outlets have learned of the incident, and reporters are reques Ɵ ng details about the a Ʃ ack. This surge in external communica Ɵ on requests escalates the urgency of managing the incident's public ‐ facing aspect. 1.) How would you priori Ɵ ze communica Ɵ on e ff orts between media, customers, and regulators in this situa Ɵ on and why? 2.) In your opinion, should the organiza Ɵ on wait to respond un Ɵ l the media makes formal inquiries? a. Should the organiza Ɵ on proac Ɵ vely issue a press release, or engage in other public outreach such as social media pos Ɵ ngs? b. Who might be responsible for deciding and ini Ɵ a Ɵ ng these e ff orts? 3.) What customer and regulatory repor Ɵ ng requirements must be considered in this situa Ɵ on? a. Are there any other par Ɵ es that should be no Ɵ fi ed? MANAGEMENT OF EXTERNAL COMMUNICATIONS AND RECOVERY:

INJECT 4 : Monday, 9:00 am, Monday, June 13: Company opera Ɵ ons have now largely returned to normal, although some behind ‐ the ‐ scenes IT sta ff work con Ɵ nues to bu Ʃ on up systems and the company’s network.

RETURN TO OPERATIONS AND LESSONS LEARNED:

1.) How might the organiza Ɵ on address lessons learned during the event to help prevent the incident from reoccurring and to make response processes more e ff ec Ɵ ve if another incident occurs?

END OF PRIMARY EXERCISE ______________________________________________________________________________

8