
What Boards of Directors Need to Know About Cyber Incident Response

by Matt White, Alex Koskey

From Colonial Pipeline, to Acer, to JBS USA, cyberattacks have dominated the headlines throughout 2021. These attacks have become more sophisticated, more costly, and more harmful than ever due to the very real threat of cybercriminals stealing an organization's (and customers') sensitive information. The potential damage to the organization can be catastrophic.

The reality today is that cybersecurity is a critical business issue that must be a priority for every organization. As business operations become increasingly digitized, data has become one of the most valuable assets of any organization. This has resulted in increased expectations from customers, employees, regulators, and other stakeholders that an organization has developed appropriate resilience measures to protect against the evolving cyber threat landscape. The failure to do so presents substantial risks including loss of consumer confidence, reputational damage, litigation, and regulatory consequences.

An organization's cyber risk management and response program must now be an enterprise-wide effort with participation at all levels. Critically, this includes the board of directors, which needs to set the tone-at-the-top that cyber risk is a critical issue and must encourage and promote cyber awareness throughout all levels of the organization. Boards must recognize that cybersecurity is a strategic business enabler and has a direct impact on how the organization operates, innovates, and creates value on a daily basis.

An organization's board of directors typically has two responsibilities: (1) strategy and (2) risk management. It is nearly impossible to address those responsibilities today without discussing cybersecurity. Boards should be hyper-focused on oversight to quantify the risk of a cyberattack and the potential impact to the organization, and to identify the best methods to minimize risk and strengthen cyber resilience. This is no longer just an isolated issue for an organization's IT or security departments, and boards can no longer exclusively rely on management to provide a full and complete picture of the enterprise. Rather, boards must take an active role in aligning cyber risk management with business needs.

The following are some best practices that an organization can use to work with its board in addressing cyber risk and responding to an incident:

Educate board members on cyber risks: The board needs to be educated on the types of cyberattacks that are potential threats to the organization, the assets that are particularly vulnerable to those cyberattacks, and what investments can be made to combat those potential threats. Although board members have traditionally been reluctant to engage in cybersecurity discussions due to lack of familiarity with the subject matter, a high-level explanation will help promote engagement and focus in assessing these risks.

The board does not have to have expertise in information technology but must be educated on these risks in order to understand what questions to ask of management and other executives. Companies can draw on their existing relationships and expertise, such as their cybersecurity and incident response counsel and forensic providers, to prepare specific board training sessions to assist in this process.

Provide basic knowledge of information assets: The board should have general knowledge of the type of information that is generally collected by the organization, where that information is located, and how the organization identifies and manages risk with third-party vendors. Although the board doesn't need to be quizzed on the specifics of the organization's data mapping exercise, this will enable the board to better understand the controls and processes that should be enabled to protect business operations.

Devote adequate time to discuss cyber issues: As part of promoting a culture of cybersecurity throughout the organization, adequate time should be devoted during board meetings to discuss cyber issues. Key executives should present on critical topics to underscore that it is a priority, and management should periodically present on risk assessments and audits of the organization's security protocols.

Board members should also have access to cybersecurity expertise when needed, including legal counsel, forensic providers, and managed service providers (MSPs). These discussions help the board develop the organization's risk profile for cyber threats, establish expectations for the organization's cybersecurity program, and help ensure that resources are appropriately allocated to achieve desired goals.

The board can also understand how the organization's cyber risk protocols can impact significant business decisions, including potential mergers and acquisitions. As the cyber insurance market continues to rapidly develop, these sessions can also assist the board in understanding the organization's coverages in the event of an incident.

Maintain overview of regulatory schemes and legal obligations: Boards must be aware of the potential legal obligations regarding privacy and cybersecurity issues. This is complicated by the fluid state of privacy legislation at the state and federal levels, the cyber threat landscape evolving by the day, and changes to the organization's work environment due to COVID-19. Organizations should also educate boards on potential regulatory reporting obligations in the event of a data incident. Understanding these legal and regulatory obligations will help the board identify the best methods to mitigate the potential risk and strengthen the organization's resilience.

Brief the board on incident response planning: Even though board members aren't going to be part of the actual incident response team, they should have a high-level overview of the organization's incident response plan. This would also include a discussion of how the board may be notified during an incident, the potential operational impacts that a cyberattack may have on the organization, and the role of board members in responding to external demands for information during an incident. Organizations should also consider involving boards in tabletop exercises, or conducting board-specific exercises, so they can see what a simulated response to a data incident may look like and the potential issues that may arise depending upon the facts.

Boards are being forced to change their mindsets regarding cybersecurity issues. What was previously considered an isolated technical issue has transformed into something that must be a factor in all strategic business decisions of an organization. Failing to treat it that way can have dire consequences for the organization and its board. However, proper board preparedness and planning can be critical to insulating officers and directors from liability. Accordingly, organizations must work to educate their boards on cyber risks and the potential legal ramifications of those risks so that the board can align the organization's cyber risk profile with its business needs.

The idea of total protection from cyber threats is unrealistic. However, organizations are best served when their boards promote a culture of cyber awareness and integrate investments into cyber resilience with the overall strategic vision of the organization.

--

Matt White, a shareholder in the Memphis office of Baker Donelson, advises clients on cybersecurity and data privacy issues. He is a Certified Information Privacy Professional (CIPP / US, CIPP / E) and a Certified Information Privacy Manager (CIPM).

Alex Koskey, an attorney in Baker Donelson's Atlanta office, is a Certified Information Privacy Professional and represents financial institutions and organizations on data privacy, regulatory and compliance, and litigation matters.

This article was originally published by Reuters/Westlaw on August 18, 2021. Its use here is with the permission of Thomson Reuters.
