How do we control the cyberattack beast?

October 1st, 2022

Most companies believe that because they are small in size, they will never have to face a cyberattack. Hackers and cybersecurity criminals target every kind of business, as long as there is something of value, which includes assets such as business plans, contracts, employee login details, equipment designs, new product information and clients.

Once an attack has occurred, most directors find themselves faced with difficult questions from insurance companies and shareholders, including questions regarding the measures they took to protect the company against the complex and evolving beast. An inadequate answer could lead to claims not being honoured. Not only do companies have to repair their reputational damage, they also need to deal with the financial impact of a cyberattack.

Guiding principles to strengthen cyber risk oversight

A director needs to –

  • ‘understand and approach cybersecurity as a strategic, enterprise risk’, not just a risk that the information technology (IT) department needs to focus on;
  • ‘understand the legal implications of cyber risks as they relate to their company’s specific circumstances’;
  • have access to cybersecurity experts and have regular discussions with management about cyber risk threats in the business. This could be a standing agenda item at the board meeting, and the topic needs to be given enough time so that the board members can consider all material matters. Another option would be to spend time outside the board meeting with the IT team, or to bring in an independent expert to assess the company’s information management systems;
  • set expectations for an enterprise-wide cyber risk management framework with enough staff members and a reasonable budget; and
  • have regular board and management roundtable discussions about cyber risk, financial exposure to risk, risk log updates and risk mitigation strategies such as insurance cover, which includes media liability, privacy regulatory defence costs/fines, reputation-based income loss and cybercrime (see Larry Clinton, Josh Higgins and Friso van der Oord Cyber-Risk Oversight 2020: Key Principles and Practical Guidance for Corporate Boards (National Association of Corporate Directors 2020)).

Suggestions a board member could make to lead senior management in the right direction

One of the first things an auditor or an insurance claims assessor would ask for – to check whether a director has taken their fiduciary duty into account when a cyberattack occurs – is the historical board meeting minutes. Approved minutes reflect matters that the board members raise and help to protect directors against liability.

A few questions that a director could raise during a meeting include:

  • What steps are followed after a critical incident and how does the company mitigate loss after a cyberattack (incident response)?
  • What are the most valuable assets and how does the IT system interact with those assets (adequate protection of assets)?
  • Do the board meeting minutes reflect occasions when cybersecurity was present on the agenda (updates on risks, mitigation strategies and the development of the company’s cybersecurity program)?
  • Is cybersecurity included in the areas of expertise that are considered by the board, and does it appear in at least one board member’s biography?
  • Can all cyber risk related oversight responsibilities be assigned to a specific committee (audit, risk, technology), so that only material issues are discussed at the quarterly board meeting?
  • Does the IT team collaborate with compliance so that IT legislative updates are taken into account when developing the enterprise-wide cyber risk management framework?
  • How does the business measure the impact of cybersecurity incidents? Every business needs to assess the reputational damage and associated impacts, which includes reactions from shareholders, media, and investors.

The feedback given to the board members needs to be relevant to the audience; management is encouraged to use summaries, visuals and less technical jargon. The aim should not be to overload the audience with information but rather to convey meaning and highlight changes. Management could also show performance against competitors and indicate the impact on the business with regard to costs and market share. Conversations in the boardroom should be based on the theme of enabling discussion and dialogue, even when the topic is tricky.

Complete protection is an unrealistic target: cybersecurity is a serious business-level risk that needs to be continuously monitored. Directors need to consider their fiduciary responsibility and communicate regularly with management about any new cybersecurity developments in the company and in the industry they operate in.

Tshepang Motaung LLB (Unisa) PLT (LEAD) Compliance Management Certificate (UCT) is a Consultant: Compliance Risk and Ethics at Fluidrock Governance (Pty) Ltd in Johannesburg.

This article was first published in De Rebus in 2022 (Oct) DR 40.
