Focus on: The board’s-eye view of cyber crisis management
It's not just business; it’s personal
Board members are increasingly being pulled from their elevated vantage point into the thick of cybersecurity issues. The possibility of being held personally liable in the event of a breach is one motivator to roll up their sleeves. Another is the ripple effect a cyber crisis can impose on an organization. Learn what actions boards can take to prepare for potential cyber threats.
The potential fallout
A website going down is one thing; the company going down is another. The fallout from security breaches can potentially include:
- Beyond business—this is personal. Board members of companies involved in a cyber incident may see impacts to their reputation and effectiveness as scrutiny and attention continue to mount over such events.
- Threats of operational impairment. A breach can trigger widespread disruption far beyond the initial point of attack and, in turn, greatly magnify losses. As each link in the chain is impaired, financial losses mount.
- Compromised growth. M&A and joint ventures can be particularly vulnerable to the fallout from cyber breaches, as cyber espionage in these deals has become all too common.
- Relationship risks. The tight integration many companies have with suppliers and vendors means their organization is susceptible to third-party risks. A third-party breach could quickly jump inside the organization’s four walls to compromise operations and create a liability issue.
- Beyond litigation—insurance implications. Data breach or cyber insurance policies are becoming an important part of a company’s preparedness plans. But insurance providers have become increasingly focused on examining the root cause of such breaches. If companies are found to be negligent, their insurance payouts may be reduced or declined.
A three-pronged approach
Boards should challenge management to assess the organization’s cyber posture and critically review its cyber crisis management capabilities. Crisis management starts with identifying and preparing for the risks of a cyber incident that may turn into a crisis and also building a broad portfolio of capabilities, such as event monitoring, crisis simulation and planning, real-time response, and crisis communications.
Preparedness in the face of potential cyber threats requires a three-pronged approach:
- Secure. Cyber risk management begins with securing risk-sensitive assets. If the assets at the heart of your organization’s mission are not properly protected, they are open to risks that can turn into major business-threatening crises.
- Vigilant. To be vigilant means that an organization is in a better position to predict and prevent security incidents; it has a custom approach to cyber intelligence that identifies threats specific to the organization’s environment and continuously evolves.
- Resilient. Organizations should respond rapidly to contain the incident and prevent its spread. While resilience requires investment in traditional technology-based redundancy and disaster recovery capabilities, the bigger picture also includes a broad set of cyber crisis management capabilities.
Boards should strongly encourage management to confirm that the organization is proactive, clearly understands the effectiveness of its cybersecurity program, and is focused on the right things:
- Know your crown jewels—not just what you want to protect, but what you need to protect.
- Know your friends—contractors, vendors, and suppliers can be security allies or liabilities.
- Make awareness a priority—within every internal department and among external partners.
- Fortify and monitor—diligently gather intelligence; develop situational awareness; build, maintain, and proactively monitor defenses.
- Prepare for the inevitable—test your incident management process.
How to start
Commit to evolving. The board should hold management accountable for implementing a cyber crisis management plan and for building resilience capabilities that address the unique risks to the organization. Furthermore, the plan should be regularly measured for effectiveness and should continually evolve over time. Cyberattacks are constantly evolving, and the board should confirm that the organization can evolve as well.
Test capabilities and learn from the results. In order to be effective during a cyberattack, the board should ensure the organization’s cyber incident response is tested and shown to be effective in a simulated attack. Results of simulations should be used to correct weaknesses in security, vigilance, and resilience.
Don’t try to go it alone. The board should ensure that its organization is prepared with subject matter experts who can be on the ground as soon as security is compromised. An external team can organize the chaos and keep your management team focused on running the business. The team should include not only cyber specialists, but also public relations, legal, and other professionals to enable you to act quickly to address the aftershock of the breach. An emerging boardroom practice is for directors to invite cybersecurity subject matter experts to provide advice and perspective to the board.
Download the PDF
The Focus on series is part of Deloitte’s commitment to provide insights that help board members and senior executives navigate the crisis management lifecycle, including readiness, response, and recovery.
Download or view the PDF to learn more about:
- The role the board plays in helping organizations determine how to respond to the new cyber threat landscape.
- Six different types of crisis triggers for which most organizations should be prepared.
- What steps your board should take to ensure your organization’s risk sensitive assets are secured.
- One board’s initiative to drive organization-wide cybersecurity.