This blog is part of our Board Oversight Series, an interactive collection of resources on Cyber Risk.
Despite its near-buzzword status, cyber risk remains one of the most critical and fast-evolving risks that today’s boards must oversee. Board veteran Betsy Atkins, who currently serves on four public company boards, describes the flood of cybersecurity advice that hits her email inbox daily: “I typically hit the ‘delete’ button,” said Atkins. “So much of this info is vague, biased, and impossible to put into action.”
Much of today’s cybersecurity literature focuses on threat identification and reduction, which Atkins describes as an important aspect of board-level cybersecurity discussions but only the tip of the iceberg.
Statistically, you’ve already been breached. They just haven’t stolen your data yet.
While the NIST cybersecurity framework offers a proactive roadmap for prioritizing assets and structuring defenses, today’s boards and management teams should spend equal time planning under the assumption that they’ve already been breached: What’s the notification process at the first sign of an intrusion? How can we measure what’s been lost? Which stakeholder groups are to be contacted, and when?
Following her recent episode on Inside America’s Boardroom, Betsy Atkins sits down with us once again to discuss her ‘data security lessons for boards’, some of which, she explains, were learned the hard way.
1. Establish the chain of command.
Like step-by-step driving directions, your board and management team should have a written escalation plan for a cyber breach at all severity levels: “What will your CISO and IT staff do the moment they suspect an intrusion?” asked Atkins. “Who is alerted first… second… third?”
This plan should detail the owner, the responsibilities, and the actions at each fork in the road: Who’s the initial point of contact on the board? When do the remaining directors or members of management get notified? What is each person’s responsibility in various data-breach scenarios? At what point are the legal team and any outside vendors brought into the fold?
2. Line up any external partners.
As you prepare your cyber breach response plan, the board will need to consider which actions can be managed internally and which ones necessitate outside help. Atkins outlines a few external relationships to consider:
Legal, PR and IR: In the wake of a cyber breach, the board should be prepared with specific messaging or disclosure for each audience. This communication should be both thorough and flexible, and it will likely entail several different versions of the same message to account for different ‘cyber breach’ scenarios. Depending on the size and structure of the organization, Atkins advises boards to enlist the help of a legal, PR and/or IR firm in developing these communications. At the least, these partners should be on call to assist in any damage control and communication efforts immediately following a data breach.
Forensic: Your response to and recovery from a cyber breach will depend heavily on what kind of data was compromised and to what extent. Line up a forensic firm in advance to review the damage after a breach and tell you what was lost. This knowledge is power in the midst of a cyber-related crisis.
Law Enforcement: Do you have a point of contact within the FBI or other relevant law enforcement agencies? “Your CISO should have these relationships already,” advises Atkins. Be sure to reach out to these groups before a breach happens. In many cases, the FBI will offer a range of educational resources for mitigating cyberattacks, which can even include one-on-one sessions with your board of directors.
Third-Party Penetration Testing: How is the company testing its current cyber defenses and patching weaknesses? “Ask for outside penetration testing and forensic data consulting to probe vulnerabilities, review your systems, and suggest upgrades,” said Atkins. “These ‘white hat’ hacking pros uncover back doors your IT staff hasn’t discovered — yet.”
3. Hold an insurance briefing.
“What’s included in your company (and D&O) insurance policies?” asked Atkins. “Do you have cyber insurance? What’s it going to cover?”
As a first step, boards should start with a briefing from their current insurance provider to understand the company’s coverage in the event of a cyber breach. If the organization does not have cyber insurance, the board should use that time to review the pros and cons. Adoption of cyber insurance is increasing in the U.S., as these policies tend to address gaps in traditional insurance coverage and include other emerging digital risks. In their analysis of cyber insurance plans, boards should understand which costs — both direct and indirect (e.g., business interruption, incident response, regulatory fines) — are covered following a cyber breach and to what extent.
4. Outline a ransomware policy.
Imagine waking up one morning to find that the company’s global computer systems have been frozen by malicious software. The hackers are demanding a ransom payment of several million dollars; otherwise, precious organizational assets will be released or destroyed. What actions will your board and management team take? These are the kinds of scenarios that boards should be preparing for now, explained Atkins.
Have you already held the ethical debates about paying up? Who makes the decision about if and how much you’ll pay? Do you have a bitcoin account ready for such an emergency? (No time to set one up once the demand hits.)
Ransomware is expected to become significantly more rampant in the months ahead. In fact, by 2019, it’s predicted that a business will fall victim to a ransomware attack every 14 seconds (Cybersecurity Ventures). Today’s board members should be scanning the news and using other ransomware incidents as a dry run for their own company: If this happened to us, how would we respond?
While not exhaustive, the above guidelines offer several action items for boards and management teams that may not know where to start.
“You and your fellow directors now have a fiduciary duty to know about and mitigate digital dangers (the SEC has made this clear),” emphasized Atkins. “Learn the basics of info security and exposures. Act as your tech staff’s advocate on investing in new protections. And work to ask intelligent questions.”
The image of grey, 50-something board members trying to communicate with a 20-something techie with a man bun makes for a good Dilbert cartoon, but it can lead to disasters in real life.