11 March 2020

8 min read

Up and Out, In and Down: The Board’s Responsibilities in a Cyber Incident

Cyber security
People discussing documents behind a glass wall

A company’s board has a key role to play in managing cyber risk and incident response – both as a collective and as individuals with legal fiduciary responsibilities. Regulators will look to boards first for answers when a cyber breach occurs; accountability is even more acute in a regulated industry such as financial services. Those found wanting may face career-limiting personal as well as corporate penalties.

It is critical for boards to understand their role, and to do that they need to look "up and out" as well as "in and down" when something goes wrong. Understanding that the company exists within a wider cyber ecosystem, not in a bubble, is central to managing an effective response. Leadership – before, during and after a cyber incident – is the board’s particular responsibility. What does this mean in practice?

Leadership – before, during and after a cyber incident – is the board’s particular responsibility.

Before a cyber incident

Although governments can struggle to safeguard their IT systems from the most sophisticated attackers, there is no excuse for a board to give up on cyber risk. The vast majority of cyberattacks are not sophisticated; simple actions can significantly reduce a company’s vulnerability and the risk of succumbing to an attack.

It is the board’s responsibility to hold the executive to account for what they are doing to mitigate cyber risks. This means ensuring that cyber risk is regularly on the board’s agenda, that it features in the company risk register, that the board actively sets a cyber risk appetite for the company, and matches it with an appropriate budget to reduce the risk to meet the appetite. Stating you have "zero appetite" for a major cyber security breach is evading the issue, unless you match that statement with limitless funds for cyber security. The board has to do better than that; it must be actively engaged in deciding how much risk it will live with, and how much it will spend to achieve that. The board must also consider not only "how much", but "where" the money is spent and "how" that achieves the outcome it has prescribed. It should delegate operational responsibility for managing cyber risk, but cannot delegate accountability. If board members don’t understand how the cyber risk is being mitigated, how will they demonstrate they have fulfilled their fiduciary duties?

"Cyber" is often thought of as a deeply technical subject – it is, at one level. But it is also very much about people. The majority of cyber breaches happen because a person (usually an employee) makes a mistake. Good quality training is an essential part of all successful cyber risk mitigation strategies, and boards don’t need to be technical experts to ensure that all their staff are benefiting from this. Getting the basics right is within the capability of any board that engages seriously with the subject, and can make a huge difference to the vulnerability of the company. Indeed, failure to do that looks like negligence. Achieving the right balance between human and technical mitigation, ensuring that the basic "technical" safeguards are in place (keeping systems up to date, having an effective data backup strategy), having and testing a cyber incident response plan – these are the basics.

But boards should also periodically seek independent assurance that those responsible for mitigating cyber risk on their behalf (whether internal or external providers) are doing their job effectively at a deeper level. Just as you need financial processes to be audited regularly to manage financial risks, so you need regular cyber audits to be able to gain assurance and demonstrate due diligence in discharging your responsibilities.

You need regular cyber audits to be able to gain assurance and demonstrate due diligence in discharging your responsibilities

 
Key questions
  1. Does the board understand all the threats the company faces?
  2. Does it understand which company assets may be of interest to different threat actors? (Don’t assume it’s all about financial systems and client data; are they after your IP, your M&A strategy, is your company a "soft back door" to partners who may be the real target?).
  3. Do you really know whether your IT systems are being configured securely on the cloud, and your staff training programme is up to date with the latest threat information?
  4. If you get hit with ransomware, are you going to pay or not? How are you going to manage the situation? (Don’t make these decisions under extreme pressure; work through your options and decide your policies and your mitigation measures in advance).

 

During a cyber incident

Leadership is vital; poor leadership can quickly escalate a crisis into a catastrophe.

 
Key questions
  1. Do you have a plan, that has been regularly stress tested?
  2. Do you and your people understand your roles and have you practiced them? (If not, the board has failed in its duties).

Communications – understand that you will be operating in "the fog of war"; in other words you won’t have a clear picture of what has happened, how bad it really is, for days or weeks after an incident. Yet you will still be expected to communicate right from the start – to your staff, to the regulator, to the police, to your customers, to your clients, to your partners and suppliers, to your shareholders and investors, to the market, and to the media.

 
Key questions
  1. What are you going to say?
  2. What tone will you adopt?
  3. Who is going to be the spokesperson?

Too often we witness a slow motion train wreck play out over days or weeks – a company tries to hide the problem, then deny it, then downplay it, then gives assurances that turn out to be wrong, and eventually is forced to come clean, their reputation in tatters – usually having lost a CEO along the way. Make sure this isn’t you; have a plan, practice it, and implement it.

Key questions
  1. Internally, who is managing the crisis?
  2. If the answer is "the CEO", who is running the company?

 

It’s a really bad strategy to rely on "heroic endeavour" in times of acute crisis. People get tired quickly, and you can’t work off snacks, pizzas and no sleep for long. In fact, studies show the physiological impact of tiredness is very similar to the impact of alcohol. Do you want a drunk running your crisis response? If not, who is in charge after the first shift has gone home to bed?

It is vital that the board maintains some distance from the operational cyber response – otherwise it will get sucked into frenetic activity managing tactical decisions and nobody will be thinking strategically. More than ever during a crisis the board should be looking "up and out" and leading the company in its widest context, leaving the crisis response team to do its job. Vitally, the board should judge when to step in and call for external reinforcements if internal resources are clearly struggling.

The board should judge when to step in and call for external reinforcements if internal resources are clearly struggling

After a cyber incident

Truly resilient organisations learn and grow from such experiences; poorly led ones can enter a downward spiral of blame, staff loss, and eventual extinction. Partly the outcome is a function of size – over half of all SMEs hit by a serious cyber breach go out of business as a result. Larger organisations have a better chance, but the board’s role is to ensure that your company becomes truly resilient and better able to face the next crisis.

Over half of all SMEs hit by a serious cyber breach go out of business as a result

That is not the same as "return to business as usual". That may not be possible, or desirable. After a really serious incident the company may never return to the way it was – there will be a "new normal", a new and better way of doing business that may involve a significant change of business model and approach. This is akin to recovery from a major fire – don’t assume you should rebuild an exact replica of what was there before, see it as an opportunity to reinvent yourself into something new.

It is the board’s responsibility to have a plan. Understand that there is a high probability that a member of staff will trigger a crisis through an error. Understand too the cultural impact it has on trust and morale, depending on how the company responds to that. And the impact that has on whether, in the future, staff will choose to report errors or try to hide them, delaying a vital early response.

Identifying and learning lessons honestly, facing shortcomings positively, investing to improve, being realistic about what is achievable – these are the hallmarks of an effective board response. Getting an expert external perspective on what happened and what to do about it can be important in really getting to the bottom of issues and enabling transparency, especially about failures in governance and control that sit with the board.

Conclusion

The board is accountable to many stakeholders, inside and outside the company, for ensuring that the organisation takes effective steps to reduce cyber risk. That includes having an effective crisis response plan, and a plan for recovery after the crisis. The company exists within a complex ecosystem of attackers, regulators, stakeholders, and responders – the board must understand that ecosystem and look ‘up and out’ as well as ‘in and down’ if it is to be effective in its role.

 


About the author:

Giles Cockerill has 36 years of experience in risk management, specialising in cyber security and technology. The majority of Giles’ working career has been for the UK government where he worked at the highest levels across various organisations. During his time in government, Giles accumulated deep specialist knowledge in the defence against hostile threats, including online capabilities and the response to major security incidents including cyber-attacks and catastrophic IT events.

Since leaving government in 2016, Giles has leveraged and built on his cyber security experience in the private sector regularly advising boards and senior management teams around cyber security and technology risks and how to better understand and mitigate against them.

Giles’ expertise in applying technology solutions to manage hostile threats has been recognised in his appointment as a Fellow of the Institution of Engineering and Technology, and a Fellow of the British Computer Society. Giles was appointed CBE for ‘Services to Defence’ in the Queen’s Birthday Honour List in 2014.

Share this post

Subscribe to our insights

Get industry news and expert insights straight to your inbox.