Board Directors Need to Get Involved With Cyber Risk

Board Directors Need to Get Involved With Cyber Risk Governance

In recent years, regulators at global, federal, and state levels have been increasing their scrutiny over companies’ cyber security, including in communicating, managing, and handling risks, attacks, and breaches. To comply, boards of directors need to be aware of cyber security risks and shouldn’t merely rely on reports by senior IT executives.

Since threats have escalated, protection of assets must be done from the highest level. This requires the board of directors to get involved more proactively.

However, the board of directors isn’t identical. Former director of FBI James Comey once said there are two types of companies: those that are aware of being hacked and those that don’t even know that they have been hacked. Realistically speaking, companies can no longer be ignorant about cyber security. Even large companies like FedEx, Merck, Mondelez (owner of Oreos), Sony, Amazon, and others have experienced cyber attacks.

At least, there are seven steps in heightening proactivity in board oversight over cyber security.

First, the board must acknowledge the risk of cyber security.

It’s not the time nor the place to deny the massive repercussion of a cyber attack. It would do more than taking down a company’s website. It can wipe out all data and steal confidential information. Above all, in the aftermath of a security breach, customers might not trust again, which can cause another devastating blow to the company.

Second, priorities must be set straight.

Once the board directors have acknowledged the severity of a cyber attack, they must start creating the next following steps with the support of the management team, IT team, and external consultants. For this, a list of members of teams involved must be recorded, so they can be actively involved when the time to execute has come.

Third, reconsider existing cyber security policies and procedures.

Understanding the priorities, the next step is reconsidering existing cyber security policies and procedures. What to do when there is a threat? What to do when the system is being attacked? Has the company allocated sufficient resources to protect valuable assets? Who to contact when a threat or an attack occurs? How about other types of cyber crimes, like identity thefts and stalking of high-ranking executives?

Fourth, develop a comprehensive Incident Response Plan.

Carefully draft and develop a comprehensive Incident Response Plan by involving related business units and teams. Getting attacked would affect the whole company, not merely the IT department. For this, the response plan should include employees who might be at the receiving end of the attack. For instance, even a CCTV monitors can be hacked. Thus the security guards should also be involved.

Fifth, hire external cyber security experts.

Hire the best experts in cyber security, don’t only rely on your IT team, which might be more experienced in fixing computers and ensuring software applications work smoothly. Cyber security requires different sets of skills and the more clients that can be verified, the better. They need to be experienced in handling all kinds of attacks in all kinds of companies.

Sixth, reconsider insurance coverage protection.

What does your business insurance cover? Does it cover cyber attacks? Make sure that the amount covered would be sufficient for your company to stay afloat during the recovery period. It may take a while to bring things back to normal, during which regular services might have been interrupted. Make sure that customers are still served when the company recovers.

Seventh, consult with legal counsels on the required company disclosure in response to an attack.

What is legally required to disclose to the public during a cyber attack? Consult with the legal counsels to ensure that your company follows the laws in this matter and not in violation of any provisions.

In conclusion, preparing for a cyber attack isn’t being paranoid or a luxury. It’s a necessity in this increasingly riskier business environment. Failure to do so can cause irreversible damages to valuable assets and confidential customer data, which are key to running the business. Let’s be proactive.

Jose Ruiz serves as Alder Koten’s Chief Executive Officer providing vision, strategic direction and the roadmap for the firm’s future.

He is also involved in executive search work focused on board members, CEOs and senior-level executives; and consulting engagements related to leadership and organizational effectiveness helping clients create thriving cultures.

An important part of his time is spent on research work focused on organizational effectiveness centered on leadership and culture. Prior to joining Alder Koten, Jose was a Principal with Heidrick & Struggles’ Global Industrial Practice based in Houston, TX and Monterrey, Mexico.

His professional experience also includes leadership positions in engineering and operations management for manufacturing organizations in the US and Mexico. This experience includes serving as vice president and general manager at Holley Performance Products. Jose is a bi-weekly contributor at Forbes.com.mx writing about executive leadership and career development.

Jose holds a master’s degree in organizational leadership from Gonzaga University and a bachelor’s degree in mechanical and electrical engineering from the Instituto Technologico y de Estudios Superiores de Monterrey. He is fluent in English and Spanish.