[BreachExchange] Cybersecurity breaches will soon reverberate all the way up to the board level

Destry Winant destry at riskbasedsecurity.com
Wed Dec 19 09:20:28 EST 2018


https://www.theglobeandmail.com/business/commentary/article-cybersecurity-breaches-will-soon-reverberate-all-the-way-up-to-the/

The topic of cybersecurity, understandably, causes a great deal of
uncertainty on corporate boards.

Technology is fast-moving, ever-changing and seemingly impossible to
stay ahead of. Furthermore, most board members have secured their
seats because they have valuable years of experience and expertise in
certain areas or industries. But cybersecurity is a subject very few
people have experience in. One of the biggest challenges, even for
some of Canada’s most sophisticated boards, is finding members who
actually understand this stuff.

This lack of knowledge can lead board members to take a hands-off
approach to issues such as customer privacy and data security.
However, with Canada’s new mandatory data-breach notification
requirement coming into effect, board members can no longer afford to
be deferential. Post Nov. 1, the ramifications of a corporate breach
will quickly travel all the way up to the board level.

The new requirement stipulates that organizations that experience a
data breach must report the incident to the Privacy Commissioner of
Canada, and notify affected individuals when there’s a “real risk of
significant harm to the individual.” Considering that only 10 per cent
of Canadian businesses affected by a cyberattack reported it to
law-enforcement agencies last year, there will soon be substantially
more high-profile hacking incidents in the news, potentially opening
up organizations to increased litigation and regulatory
investigations.

With lawyers and regulators involved, it becomes a question of
diligence. As a board member, you will be asked what specific steps
your organization took to protect your customers' information, so
you’d better be prepared.

STEP 1: MAKE IT A RISK-MANAGEMENT EXERCISE

The role of a board member is of course a strategic – not tactical –
one. You’re relied upon to set your organization’s course and ensure
the proper people are implementing the right strategy. For this
reason, cybersecurity should be viewed as any other threat.

Sure, you may not have the best grasp on the landscape, but it’s not a
question of understanding technology – it’s a question of risk
management. In exercising your fiduciary obligation to the company you
serve, you need to ask your security team to develop a detailed threat
profile, allot the appropriate resources and funding so the necessary
safeguards are in place, and monitor your team’s progress to make sure
key milestones are achieved.

STEP 2: CONDUCT A CYBERSECURITY ASSESSMENT

Has your organization completed a cyber checkup in the past six
months? This is essential for establishing a baseline. Without knowing
the current threat landscape, it's simply impossible for your security
experts to recommend remedial action.

When the question of budget allocation comes up to the board, you will
have to decide if you're investing enough in cybersecurity technology
and training. In order to make an informed decision, you need
up-to-date information to accurately assess risk.

STEP 3: UPDATE YOUR CYBER INSURANCE POLICY

While your company may be doing all it can to prevent a cybersecurity
breach, you still need a backstop to mitigate risk if and when
disaster strikes. Emerging as a stand-alone offering in recent years,
cyber insurance policies can cover the cost of legal and regulatory
investigations, including litigation, as well as expenditures for
public relations and digital forensics. Since breach preparedness is
one of the key factors insurers consider when underwriting cyber
insurance, it’s imperative for your organization to have a
comprehensive, well-communicated incident-response plan in place.

STEP 4: REVISE YOUR CRISIS-MANAGEMENT PLAN

Cybersecurity breaches are about to become much more public than they
were in the past. To protect your organization’s brand and maintain
consumer trust, communications need to be front and centre in your
crisis-management plan. Once a breach occurs, prompt and transparent
communication is your only pathway to minimizing damage to your
business, reducing potential claims from third parties and avoiding
reputational harm.

As a board member, it’s important to understand that effective
communication is about more than issuing a news release. Your
communications strategy needs to be fully aligned with your
IT-response plan to expedite a consistent and unified response to all
stakeholders. Staging a cybersecurity crisis simulation will also help
prepare your executives for the real thing, ensuring they respond
appropriately, and in real time, should the worst occur.

Corporate boards have always served a valuable oversight role. In this
critical and fast-changing area, Canadian businesses need their board
members focused on cybersecurity.
