The board director and cybersecurity
In recent years, regulators at the global, federal, and state levels have increased their scrutiny of corporate cybersecurity, including communication, management, risk handling, attacks, and breaches. To comply, the board of directors needs to be aware of cybersecurity risks and should not rely solely on reports from senior IT executives.
As threats have grown, asset protection must start at the highest level. This requires the board of directors to become more proactively involved.
However, not all boards are alike. Former FBI Director James Comey once said there are only two types of companies: those that know they have been hacked and those that don’t yet know they have been hacked. The question is no longer whether a company will be hacked. The real risk lies in when, how, and to what extent. Realistically speaking, companies can no longer ignore cybersecurity. Even large companies such as FedEx, Merck, Mondelez (owner of Oreo), Sony, and Amazon, among others, have experienced cyberattacks.
There are at least seven steps boards can take to become more proactive in overseeing cybersecurity.
First, the board must understand cybersecurity risks.
This is neither the time nor the place to downplay the massive repercussions of a cyberattack. An attack can do far more than take down a company’s website. It can wipe out all data and steal confidential information. Above all, as a result of a security breach, customers may lose trust and never fully regain it, dealing another devastating blow to the company. The reputational risk is significant.
Second, the board must be both proactive and reactive.
Once the board has recognized the severity of a cyberattack, it must begin developing an action plan with support from the management team, the IT team, and outside consultants, including public relations firms. To do this, the board should keep a record of the team members involved so they can act quickly when the moment comes. It is advisable to run attack-and-response simulations.
Third, reconsider existing cybersecurity policies and procedures.
Once priorities are clear, the next step is to reassess existing cybersecurity policies and procedures. What should be done when a threat arises? What should be done when the system is under attack? Has the company allocated sufficient resources to protect its most valuable assets? Whom should employees contact when a threat or attack occurs? What about other cybercrimes, such as identity theft and the harassment of senior executives?
Fourth, develop a comprehensive incident response plan.
Carefully prepare and develop a comprehensive incident response plan that involves all business units and related teams. An attack will affect the entire company, not just the IT department. That is why the response plan must include employees who may be on the front line of an attack. For example, even CCTV monitors can be hacked, so security guards must also be involved.
Fifth, hire outside cybersecurity experts.
Hire the best cybersecurity experts available; don’t rely solely on your internal IT team, which may have more experience fixing computers and ensuring software applications run smoothly. Cybersecurity requires a different skill set, and the more clients an expert has successfully protected, the better. These experts need experience handling all types of attacks across all types of companies.
Sixth, reassess your insurance coverage.
What does your company’s insurance policy cover? Does it cover cyberattacks? Make sure the insured amount is sufficient to keep your company afloat during the recovery period. Returning to normal operations can take time, during which regular services may be disrupted. Make sure customers continue to be served while the company recovers.
Seventh, consult legal counsel on the disclosures your company is required to make in response to an attack.
What is your company legally required to disclose to the public during a cyberattack? Consult with legal counsel to ensure your company complies with applicable laws and does not violate any regulations.
In conclusion, preparing for a cyberattack is neither paranoia nor a luxury. It is a necessity in today’s business environment, where risk is constantly increasing. Failing to prepare can cause irreversible damage to valuable assets and confidential customer information, both of which are essential to the smooth functioning of any business. Let’s be proactive.
____
Jose Ruiz is Managing Director and Managing Partner at Alder Koten.