Incident Preparedness is Top of Mind for CISOs in 2025
When it comes to critical infrastructure like water and wastewater, incident response isn’t just about reacting quickly — it’s about governing the process itself. Governance determines whether response efforts are fast, coordinated, and repeatable, or fragmented, confused, and delayed.
For water and wastewater utilities, the stakes couldn’t be higher: slow or disorganized response risks public health, regulatory compliance, and community trust. Yet incident governance across the sector is often inconsistent, underdeveloped, and reactive.
The Governance Landscape: Fragmented and Uneven
Across the water sector, some governance requirements exist — but they are patchwork at best:
- Statutory frameworks are partial. In the U.S., the Safe Drinking Water Act requires utilities serving more than 3,300 people to maintain risk assessments and emergency response plans, including cybersecurity considerations. But smaller utilities are outside this scope, and many plans remain paper exercises rather than operationalized capabilities.
- Guidance is disparate and voluntary. Agencies like CISA, the EPA, and the FBI have published incident response guidance for the Water and Wastewater Systems sector. Industry groups like AWWA and WaterISAC supplement it with best practices. But much of this guidance is optional, advisory, and non-standardized — leaving interpretation and execution up to individual operators.
- Regulations vary widely by region. In the United States, for example, some states such as New York are introducing formal cybersecurity requirements for public water systems, including grants to help utilities modernize. Elsewhere, there are few enforceable mandates beyond general emergency planning obligations.
- Testing and rehearsal aren’t mandated. Even where IR plans are required, few regulations compel utilities to run tabletops, simulate incidents, or prove readiness under stress. Governance on paper often fails when tested in reality.
- Resource constraints hold many back. Smaller, independent facilities often lack the staff, tools, and budget to invest in governance beyond bare minimum compliance. For them, response still depends on phone trees, binders, and institutional memory.
The result is a governance gap: uneven requirements, voluntary guidance, and insufficient enforcement. And in this gap, attackers find opportunity.
Why CISOs and Risk Managers Can’t Wait for Regulation
Waiting for a regulator to impose governance requirements is a losing strategy. Cyber adversaries move faster than policy does, and compliance often lags behind emerging threats. For CISOs and Risk Managers operating in critical infrastructure, governance has to be proactive.
That means:
- Establishing independent command channels that don’t depend on in-band tools like email or SSO-linked apps.
- Building incident-ready playbooks that clearly define roles, tasks, and escalation paths for a wide range of scenarios.
- Running regular exercises so governance is practiced, not theoretical.
- Delivering executive visibility through consistent reporting and situational updates.
The reality is that governance — not regulation — is what creates resilience. And it’s the CISOs who take initiative that set their organizations apart.
A Case Study in Proactive Governance
This was exactly the mindset of the Risk Manager of a Canadian water and wastewater utility serving nearly 400,000 residents. Recognizing the governance gap in his organization’s incident response process, he made modernization a top priority.
Instead of relying on outdated methods — phone trees, scattered documents, in-band tools vulnerable to outage — he implemented ShadowHQ to:
- Stand up out-of-band incident command, ensuring safe, reliable coordination even if core IT systems were compromised.
- Standardize response with playbooks, digitizing workflows for cyberattack, OT disruption, or business outage scenarios.
- Practice governance in action, conducting 10+ tabletop exercises a year across IT, OT, and business units.
The payoff was significant:
- Team activation in 10 minutes.
- Incident containment and resolution in 2–3 hours.
- Executive reporting time reduced by a full day with automated incident timelines.
What had once been a patchwork of documents and improvisation became a governance framework that was coordinated, fast, and reliable.
From Compliance to Confidence
This case study highlights an important truth: compliance may satisfy regulators, but only governance delivers resilience. In critical infrastructure, where downtime has cascading effects on communities, governance must go beyond checkboxes.
By proactively modernizing governance, utilities not only get ahead of regulators — they get ahead of attackers. And they build trust with their boards, their regulators, and most importantly, the communities they serve.
Read the full case study to see how a Canadian utility strengthened its governance, modernized its response process, and built resilience against the next inevitable cyber incident.