Is your company prepared for a cyber attack? This is a question every director should be asking, and management should be providing the Board with regular updates on the company's level of preparedness. Cyber attacks are running rampant, and no company is exempt. If your company believes it is, brace yourselves for a rude awakening.
Cyber attacks can cause serious damage to a company’s reputation, which says nothing of the financial impact that accompanies such an event. According to the National Association of Corporate Directors, if companies and governments are unable to effectively combat cyber threats, between $9 and $21 trillion of global economic value creation could be at risk.
Due to the growing volume and sophistication of cyber attacks, cybersecurity is an issue that every Board should be actively grappling with in order to mitigate the pitfalls associated with a breach. For companies and Boards, it is not the time or place for complacency when it comes to cybersecurity. Just because a company is small doesn’t mean that it is insulated against an attack.
In fact, hackers are nondiscriminatory, targeting large and small businesses alike. In Verizon's 2013 Data Breach Investigations Report, compiled by its RISK Team, 92 percent of the breaches analyzed were perpetrated by people outside the organization, while 14 percent involved insiders (the two figures add up to more than 100 percent because some breaches involve more than one type of actor).
Outside Cyber Attack Perpetrators:
- Organized crime – 55 percent
- State-affiliated actors – 21 percent
- Activists – 2 percent
- Former employees – 1 percent
One of the greatest security threats facing businesses today is phishing: seemingly innocent, trustworthy-looking email messages that masquerade as legitimate communications and lead employees at all levels of an organization to hand over credentials or open malicious attachments. Why? Because phishing campaigns are relatively easy to execute and usually work. Top executives are not exempt either; they are often the targets of more sophisticated, individually tailored messages (spear phishing).
Addressing cybersecurity should be a top priority for Boards and senior management. Companies would be well advised to solicit advice from both internal and external advisors. Internal advisors should be multi-departmental and include communications, legal, IT and risk management. Boards need to consider appointing a member well-versed in cybersecurity whose focus should be on understanding and developing strategies to manage cybersecurity risks and vulnerabilities.
Some companies have created a separate risk committee, while others utilize the audit committee to oversee this extremely important issue. The question remains as to whether risk oversight should be a function of the entire Board or handled in committee.
Before implementing an enterprise-wide cybersecurity plan, companies should do their homework:
- Conduct appropriate due diligence on any company they do business with,
- Develop a comprehensive cybersecurity policy for both the company and third-party providers,
- Develop an incident response plan,
- Develop a business continuity plan,
- Periodically review insurance policies to determine if the company is adequately protected,
- Conduct cybersecurity training programs for all employees,
- Conduct regular audits of cybersecurity effectiveness and
- Develop or update the crisis communications plan.
Currently, SEC disclosure guidance directs public companies to assess material cybersecurity risks and incidents and to disclose them to investors. In the event of a breach, state breach-notification laws and various federal requirements also oblige companies to disclose the nature and scope of the breach to affected individuals and, where material, to investors. Companies therefore face legal exposure as well as regulatory liability.
Cybersecurity needs to be a standing item on every Board's agenda, and senior management should report on its status and the current risk assessment at each meeting. This is no time for management and the Board to put their heads in the sand and hope nothing happens. The issue deserves regular, ongoing discussion at the Board and senior-management level; only then can a healthy respect for cybersecurity be cultivated throughout the company.
Resources:
http://www.nacdonline.org/cyber
http://www.verizonenterprise.com/DBIR/
http://www.pwc.com/us/en/corporate-governance/publications/directors-and-it/risk.jhtml
http://blogs.law.harvard.edu/corpgov/2014/11/05/the-risky-business-of-cybersecurity/
https://forms.thawte.com/websurveys/servlet/ActionMultiplexer?Action_ID=ACT2000&WSD_mode=3&WSD_surveyInfoID=2351&toc=GLLSX-2351-04-26&brand=04&country=26&cid=A9CC4D30A054B9A0
https://na.theiia.org/special-promotion/PublicDocuments/GRC-Cybersecurity-Research-Report.pdf
http://www.blankrome.com/index.cfm?contentID=37&itemID=3309
http://www.blankrome.com/index.cfm?contentID=37&itemID=3146
http://www.citadeldirectorsinstitute.com/wp-content/uploads/board-oversight-cybersecurity-risks.pdf
http://www.theiia.org/bookstore/product/cyber-security-what-the-board-of-directors-needs-to-ask-download-pdf-1852.cfm
http://www.networkworld.com/article/2458975/security0/homeland-security-wants-corporate-board-of-directors-more-involved-in-cyber-security.html
http://www.smithlaw.com/newsletter-74.html