Rethinking Resilience: Remarks shared with the ABA Cyber Legal Task Force

By Cristin Flynn Goodwin and Nadia Amrani

Posted May 15, 2025, on the Advanced Cyber Law blog

Recently, Advanced Cyber Law Managing Partner Cristin Flynn Goodwin was invited to brief the American Bar Association’s Cybersecurity Legal Task Force on the topic of resiliency. Her remarks, titled “Rethinking Resiliency,” are available at the link at the end of the post. The post below is a summary of Flynn Goodwin’s remarks.

Defining Cyber Resiliency

Cyber resiliency is a complex topic to discuss and, by extension, to implement. Cyber resiliency covers individuals, devices and networks, governments at local, state, and national levels, critical infrastructure, and various organizations. The fact that laws, policies, and regulations frequently change further complicates discussions on cyber resilience and the implementation of cyber resilience practices. Focusing on standards when advising on resiliency matters helps significantly, due to the dynamic and ever-changing nature of this environment.

A standards approach allows a firm to have “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”[1] Rather than viewing cyber resiliency as a checklist for meeting compliance and regulatory requirements, this approach emphasizes an organization’s capability to continue its operations. Attorneys advising firms should keep that dynamic nature in mind when thinking about obligations and contractual commitments.

Upcoming changes to national resiliency policies

On the last day of the Biden administration, it released the National Resilience Strategy, which was a heavily matrixed policy approach to achieve national resilience. The strategy included four resilience pillars: Governance, Social and Community, Economic, and Infrastructure; seven principles to guide its implementation: Adaptive, Protective, Collaborative, Fair and Just, Human-Centered, Interdependent, and Sustainable and Durable; thirteen foundational characteristics across the four pillars; and ten throughlines across all pillars.

The Trump administration promptly rescinded the National Resilience Strategy and issued Executive Order 14239 (EO 14239) two months later, moving focus onto individuals and local governments:

“It is the policy of the United States that State and local governments and individuals play a more active role in national resilience and preparedness, thereby saving American lives, securing American livelihoods, reducing taxpayer burdens through efficiency, and unleashing our collective prosperity.” [2]

While the new National Resilience Strategy will not be issued until June 18, one can expect that it will reflect this administration’s decentralized approach by involving state and local governments.

The European Approach to Resiliency

European countries have recently taken proactive measures in resilience policy. The United Kingdom’s Cyber Security and Resilience Bill[3], set to be introduced to Parliament later in 2025, is similar to the EU’s Digital Operational Resilience Act (DORA)[4] and NIS2 Directive, but broader in its scope. The bill will require companies to notify customers about significant cyber incidents. This new stipulation makes it mandatory for companies that may previously have been hesitant to disclose such incidents to report them and to confirm customer notifications to regulators, establishing a path for auditors to verify compliance.

Ukraine – National Resiliency in the Cloud

Traditionally, many countries require that sensitive government data be stored in data centers located within their borders. One of the most fascinating developments in resilience over the past few years has been what Ukraine has achieved since Russia’s invasion. After martial law was declared, Ukraine moved all its essential government services to the cloud, beyond its borders. Now, crucial Ukrainian services are being managed in outside locations, such as Poland, and throughout the cloud, all supported by private sector firms. This shift is groundbreaking because it changes the default assumptions we hold regarding resilience and national security.[5] The Ukrainian case is also interesting in that it highlights the importance of the private sector. The private sector has successfully kept Russian nation-state actors out of Ukrainian cloud services. It is a demonstration of the private sector’s strength to match nation-state actors in offensive and defensive capabilities, with the added right to terminate a nation-state’s offensive capabilities under its Terms of Service. This dynamic is highlighted in the Ukrainian case, as well as in the recent growth of resilience positions within the private sector.

Advising Clients on Resiliency

Examples of resiliency services

Companies are selling resiliency services to clients as a part of overall business continuity and risk management strategies, and for good reason. Having access to essential data and critical services at all times is important to many businesses. For lawyers counseling clients on cyber resiliency, the key is to get the client to think about resiliency beyond guidelines and checklists and to focus on “Minimum Viable Operations.” Similar to the startup world’s concept of a Minimum Viable Product, Minimum Viable Operations asks, “What is the least amount of data, personnel, access, functionality, etc. needed to operate under stress? For how long? What is absolutely critical to ensure resiliency?” The answers to those questions inform how to think about resiliency.

In counseling clients, the important work lies in defining the problem space and leveraging the “5 Whys” exercise (asking “why?” five times to get at the root cause or issue). It is important to separate the technology from the underlying problem being solved: most of the time, resilience isn’t an AI problem, it’s a business problem that leverages technology to solve it. Resilience also requires attorneys to think cross-jurisdictionally, and to make sure that the definition of resilience being applied is agreed upon by all parties. At the end of the day, resilience is what remains when the “what if” comes to pass, so it is essential for attorneys to think outside the box to help clients stay resilient.

Link to the ABA Website and presentation (listed under Webinar Recordings): https://www.americanbar.org/groups/cybersecurity/Events/

[1] NIST, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171.

[2] Executive Order 14239, Federal Register document 2025-04973.

[3] Cyber Security and Resilience Bill, GOV.UK.

[4] Regulation (EU) 2022/2554 (DORA), EUR-Lex.

[5] How technology helped Ukraine resist during wartime, CEE Multi-Country News Center.