By now, we’re all a little cyber fatigued. The names of cyber attacks and the high-profile companies victimized by them appear in headlines with such regularity that infiltration feels inevitable. At the same time, intensifying regulatory requirements demand that boards remain vigilant about safeguarding data.
The good news? Understanding four types of risks and what can be done about them can help directors vet a company’s cyber practices, says Melissa Hathaway, the former head of cyberspace policy review for President Barack Obama and the former leader of President George W. Bush’s National Cybersecurity Initiative. Her breakdown:
As a board member, you don’t need a deep understanding of technology to ask questions that can help your company strengthen its defenses. One area to check is your technology debt, or how much of your hardware and software is outdated and no longer supported by the provider.
“If you’ve got no way of keeping the systems current—no patching cadence—your systems are 100 percent vulnerable, 100 percent of the time,” notes Hathaway. “So, how are you managing that risk, and what is your timetable for a capital refresh? Those are board-level discussions.”
Boards also need an understanding of which assets, services and data that might be compromised in an attack are most critical and how quickly the company will be able to recover them. Topping most lists is the active directory, a frequent target of malware.
“The active directory is essentially the Rosetta Stone for what employees are allowed to do in your company,” says Hathaway, who says part of the recent SolarWinds hack involved infiltrating active directories to create new personas, then escalating their privileges to gain data access. “Companies can mitigate that risk by keeping an up-to-date active directory offline.”
Staying on top of a constantly evolving regulatory landscape is also critical, particularly for global companies operating in countries with increasingly strict requirements. “If you operate in Russia or China, for example, you have to allow those governments to put their equipment on your infrastructure,” says Hathaway. “And the definition of personal protected data is much broader in certain places—Brazil and California—than others.”
Given the penalties running afoul of mandates can incur, directors should be asking for regular briefings about compliance across all jurisdictions in which a company operates in areas like data protection, data privacy and breach reporting requirements. It’s important to acknowledge that some requirements, such as accommodating content takedown requests or continuity of service requirements, will apply more to some businesses than others, as well as that meeting them all may not be feasible.
“Then it becomes, what’s our risk appetite?” says Hathaway. “Do we want to change the technology, change the way we operate, or maybe even rethink being in that market if the revenue doesn’t justify the risk?”
Often intertwined, technical, operational and legal risk all lead to potential costs. Companies may need to devote funds to upgrading cyber insurance policies, invest in replacing outdated systems in order to enable regular security updates or boost liquidity to cover the cost of an inevitable eventual event. Europe’s General Data Protection Regulation (GDPR), for example, allows the EU’s Data Protection Authorities to issue fines of up to €20 million.
Cyber risk assessments of target companies should also factor in M&A valuations. “Consider what happened to Marriott, which really should have treated Starwood as a tainted asset when it had a major breach during the deal process,” says Hathaway. “They went ahead and integrated anyway, and the second breach ended up incurring one of the largest GDPR fines plus class action lawsuits.”
Directors don’t need to be technology experts to help companies strengthen their defenses in these three areas. Rather than a deeply technical conversation, the board’s approach should be holistic, asking: What do we, as a company, need to do from a technological perspective to mitigate risks of delivering our product or services in the markets we’re in?
“Then, for the risks we can’t mitigate, the question is, ‘What are we going to do to manage through them, whether that’s recovery planning, insurance or a reserve on the balance sheet?’” says Hathaway. “Boards just need to tackle it in a comprehensive and intelligent way.”