Hacks and breaches: Taming the cyber beast
April 26, 2019 - by Governance

A cyberattack is every board director’s worst nightmare. From automotive giant Nissan and the ubiquitous Uber to Sony Pictures and the controversial Ashley Madison, the past few years have proven that any organization is fair game for the digital predator. Just last month, Bell Canada took a cyber hit. Even digital pioneers like Facebook and Twitter, companies whose entire value proposition lives in cyberspace, saw the legitimacy of their platforms undermined by Russian bots. Hacker motives vary, but the outcome is much the same: the business takes a reputational and financial hit, and the board of directors often comes under fire.

Equifax: Catching the big one

Nowhere is this more evident than in the case of Equifax. As a company that handles the sensitive financial information of millions of consumers, Equifax fell harder than most after its breach. Although the blame could not be pinned squarely on poor governance, the board was said to have essentially “gone fishing”: it met infrequently, its directors had served for a long time, and it lacked cybersecurity expertise.

But is Equifax alone? A recent survey finds that nearly two-thirds of Canadian companies have experienced a significant cyber-incident in the recent past, and an overwhelming 98 per cent say their cybersecurity function does not meet their organization’s needs. With numbers this discouraging, can directors stay ahead of an impending cyber Armageddon, or are all governance efforts doomed to fail? The answer depends on how well you manage risk.

Lost in translation

For many boards, the challenge lies in understanding current cyber realities. Most directors are not well versed in risks of the dark-web variety, and decoding cyber-speak is not their forte. Often, though, it comes down to speaking the same language as your information security team. Beyond asking the right questions of their security executives, directors should help those executives understand the business. A two-way exchange lets a company align its cybersecurity plan with its financial and strategic objectives.

A good place to start, and perhaps where Equifax failed, is to consider the value and sensitivity of the company’s data in relation to its cybersecurity plan: which data would hurt the most if it were stolen, altered or made unavailable, and where that data lives. Once the company has this figured out, it is easier to nail down budget and protection tactics.

A breach is pretty much inevitable

No matter how robust your cybersecurity protocol, chances are your organization will fall victim to a hacker’s handiwork at some point. With this eventuality in mind, a long-term mitigation plan, including a rehearsed incident-response and disclosure plan, is your best defence.

Cyber insurance, now a booming business, is one way to mitigate the financial fallout of a breach. Directors, of course, have their own directors and officers (D&O) liability insurance, but as Uber would tell you, questionable handling of a breach could potentially negate standard D&O coverage. To date, no individual director has been held personally liable for a cyber breach. Canadian boards should, however, be aware of the strict new mandatory breach-notification requirements under PIPEDA that are expected to take effect this year.

Full disclosure?

Indeed, a poorly planned approach to breach disclosure can hurt your organization financially, but the reputational scars may run far deeper. The U.S. Securities and Exchange Commission was heavily criticized for delaying disclosure of a 2016 breach of its EDGAR filing system, which raised the possibility that the stolen information had been used for illegal stock trades. Similarly, in the six weeks it took Equifax to disclose its breach, three executives sold company shares worth $1.8 million. Although it was later shown that these executives had no knowledge of the hack, the damage was done.

In contrast, Metrolinx was quick to reveal a recent cyberattack, even though no customer information was stolen. The government agency used the opportunity to highlight its speedy response and its work with “ethical hackers,” essentially projecting itself as an open, proactive and secure organization. Nonetheless, some experts argued the attack opened a “frightening new chapter” in cybersecurity.

The vicious cycle of trust

With ransomware and Russian bots on the loose, cyberspace is a place of shrinking trust and growing fear. Yet, ironically, the human instinct to trust is what gets us into trouble in the first place, which is why employees falling prey to phishing remains one of the most common ways a breach begins. It is more important than ever for directors to work with management to build a company culture of proactive security.

As cyber-insecurity grows, companies will lean on strong board leadership to oversee a comprehensive cyber-defence strategy. As a director, knowing you have covered your bases, and staying on top of the latest trends in a rapidly evolving landscape, should at the very least help you sleep better at night.

SIDEBAR

ICD resources

Knowledge is your best weapon. The following ICD resources can help board directors manage cybersecurity:

The ICD will also roll out a new short course, Mastering Boardroom Communications, to foster better communication between directors and executives.

Originally published in the Institute of Corporate Directors’ Director Lens, February 2018.
