Every board now knows its company will fall victim to a cyber-attack, and even worse, that the board will need to clean up the mess and superintend the fallout.
Yet cyber-attacks can be extraordinarily complicated, and once identified, demand a host of costly and detailed responses—including digital forensic preservation and investigation, notification of a broad range of third parties and other constituencies, fulfillment of state and federal compliance obligations, potential litigation, engagement with law enforcement, the provision of credit monitoring, crisis management, a communications plan; the list goes on. And besides the more predictable workflow, a company is exposed to other even more intangible costs as well, including temporary or even permanent reputational and brand damage; loss of productivity; extended management drag; and harm on employee morale and overall business performance.
So what is the role of a board of directors amid all of this complex and bet-the-company workflow? Corporate directors clearly have a fiduciary duty to understand and oversee cyber-security, but there is no need for board members (many of whom have limited IT experience) to panic.
David Fontaine, general counsel of Altegrity, which owns Kroll, a top-tier provider of incident response services, explains the dynamic: “Cyber-security engagement for members of the board does not mean that board members need to have computer science degrees or personally supervise firewall implementation or intrusion detection system rollouts. Instead, board oversight of cyber-security entails, most importantly, asking the right questions and being thoughtful, deliberative and informed about cyber-security and its attendant risks.”
Along those lines, below is a list of topics and questions relating to one of the more important cyber-security considerations for corporate directors: cyber-security policies and procedures. It is a good starting point to facilitate meaningful board oversight and supervision of a company’s cyber-security risks and vulnerabilities.
Incident Response Plan. Just like a fire evacuation plan for a building, a company should have a plan to respond to data breaches; a plan less about security science and network fortification and more about what has come to be called, in relatively new nomenclature, “incident response.” In the absence of an incident response plan, many organizations allow what could have been a relatively contained incident to become a major corporate catastrophe, because they neither thought through all of the elements necessary for an effective response, nor put the necessary mechanisms in place to ensure these elements were addressed in their plans.
Is there a current incident response plan? If so, when was the plan last updated? Who prepared and approved the plan? What are the general principles of the plan? Has the company ever run any mock exercises to test the plan’s efficacy? Does the plan contain a current network topology diagram that is adequately documented and, if so, is it periodically re-assessed and revised as internal systems and external factors change?
Overall Approach to Cyber-Security. Bret Padres, former agent with the U.S. Air Force Office of Special Investigations, who led incident response for the government, now managing director of incident response at Stroz Friedberg, often encounters companies where cyber-security is not properly prioritized by executive management. “Cyber-security is a business imperative, yet too often we are surprised to encounter situations where cyber-security is too far down on a C-Suite priority list—or because it is so complex, simply delegated to lower-level technical personnel,” Padres explains.
Is there a commitment from the top down, both culturally and financially, to rigorous cyber-security? Who in leadership is driving the agenda? Is it a C-level accountability and part of the day-to-day business focus? Do current reporting lines and assigned areas of responsibility make sense? Given the responsibilities and accountability needed to execute the incident response plan, are the right employees, possessing the appropriate skill sets, adequately empowered? Is the individual charged with overseeing cyber-defense the same person who reports up the chain about breaches and who would oversee any response? If so, does that dual role indicate a conflict of interest?
Business Continuity Plans in Case of Cyber-attack. The importance of a business continuity plan in the event of a natural disaster is widely recognized and accepted. Yet too often such plans are not evaluated in the context of assessing cyber-security risks.
Has the company properly evaluated the effectiveness of its business continuity plan in the context of a cyber-attack? Does the business continuity plan need to be reconsidered and refreshed with these additional considerations in mind?
Personnel Continuity. Competition for talent in the information security space is intense, while the pressure on IT security senior executives is infinite and exhausting. Moreover, despite their rapidly rising salaries, turnover remains constant and there is a serious shortage of experienced and capable IT senior executives. What is the company doing to recruit and retain IT security talent?
GUEST COLUMNIST BIO
John Reed Stark is President of John Reed Stark Consulting (www.johnreedstark.com), a firm that advises companies and corporate boards on data breach response, cyber-security and digital compliance.
Stark’s experience with data breaches touches upon all aspects of cyber-incident response, especially during early phases of crisis management, forensic analysis, malware reverse engineering, and law enforcement/regulatory liaison and containment, as well as the later phases of data-review, remediation, and disclosure and reporting. Stark also handles expert engagements pertaining to technological aspects of investigations, prosecutions, and enforcement matters conducted by the SEC, U.S. Department of Justice, and FINRA, and he also provides expert testimony on securities regulation on behalf of individuals, entities, and government agencies, including in opposition to, and on behalf of, the SEC and other government agencies.
Stark’s lengthy career includes: almost 20 years with the SEC’s Division of Enforcement, the last 11 of which as founder and chief of the SEC’s Office of Internet Enforcement; over five years as managing director (three of which heading the Washington, D.C. office) of an international cyber-security and data breach response firm; and an early stint as special assistant U.S. attorney in Washington, D.C., where he prosecuted federal cases relating to guns, drugs, and domestic violence.
In addition to authoring several dozen articles about law and technology, Stark served as adjunct professor at Georgetown University Law School where he taught a course on cyber-crime for 15 years and has given numerous lectures on cyber-crime at the FBI Academy in Quantico, Virginia.
Relatedly, when a company loses key senior IT security personnel, it is not only a red flag but also an opportunity for a board to examine succession plans, and to obtain an unbiased, albeit possibly disgruntled, view of any cyber-security flaws. The art and the benefit of the exit interview are lost on so many companies today, too often because departing employees are dismissed as resentful and unreliable. In the case of a resigning IT executive, a proper exit interview may reveal critical cyber-security weaknesses.
Keeping Up With Cyber-Security Threats. Staying current about the latest cyber-security trends, software patches, data breach techniques, and so forth requires continual educational efforts and outreach. Like meeting with the neighborhood beat-cop to stay informed about local crime, staying current on cyber-security threats similarly requires liaison efforts with federal and state law enforcement and regulatory authorities. Nick Oldham, former counsel for cyber-investigations at the Justice Department’s National Security Division, now counsel at King & Spalding, says preparedness “is key and keeping up with the latest developments in cyber-security and the latest tools and techniques being utilized by cyber-attackers is a career within itself—which requires relying on subject matter experts, including those who build relationships with law enforcement.”
What steps does the company take to liaise with law enforcement and regulators regarding emerging cyber-security modus operandi? How has the company considered the rules, practices, and procedures governing the sharing of intelligence with government agencies? Is sharing customer information with federal and state law enforcement authorities permissible, or even tolerable, given the sensitivities customers may have toward the privacy of their data?
IT Budgeting. Cyber-security budgetary priorities can shift quickly, and a yearly budgetary cycle might not be swift or agile enough to manage rapidly emerging cyber-threats.
How does cyber-security budgeting work? How are emergency items identified and funded? Does the budget appropriately provide for contingencies in the event of a cyber-attack or cyber-security need?
Training Programs. The weakest link of cyber-security vulnerability at any company will always be its employees, so proper cyber-security employee training is critical.
How often are the firm’s cyber-safety training programs held, and how effective are they? Who participates in the training, and how does the company handle policy violations, especially violations by senior executives, who studies have shown are typically the least compliant with cyber-security policies?
Unfortunately, the public’s view of cyber-attack victims is less about understanding and sympathy, and more about anger and vilification. Given in particular the 47 or so separate state privacy regimes, together with a growing range of federal agency jurisdiction, cyber-attack victims, instead of accepting a helping hand, are accepting service of process of multiple subpoenas. The world of incident response is an upside-down one: Rather than being treated like criminal victims, companies experiencing data breaches are often treated like criminals themselves, becoming defendants in federal and state enforcement actions, class actions, and other proceedings.
To make matters worse, this is just the beginning of a new era of data breach and incident response, where trying to avert a cyber-attack is like trying to prevent a kindergartener from catching a cold during the school year. Members of corporate boards therefore have no choice but to become actively involved in ensuring the organizations they oversee are adequately addressing cyber-security, approaching the subject much the same way an audit committee probes a company’s financial statements and reports: with vigorous, skeptical, intelligent, and methodical inquiry.