Whether coming from a team of hackers looking to mine customer databases, a ransomware perpetrator holding technology hostage or a saboteur hoping to disrupt operations, cybersecurity incidents are a costly affair. In downtime alone, the price tag of an unplanned IT outage is $8,850 per minute, according to a report by Ponemon Institute.
For boards charged with taking steps to reduce vulnerability and mitigate damage, that figure is just one component of the full financial ramifications of a cyber attack. “There are overt costs like interruption of operations and the time and effort spent dealing with a breach, and then there are soft costs, things like impact on morale and reputation,” Sonia Arista, chief information security officer at Everbridge, told directors gathered for a Corporate Board Member roundtable sponsored by Everbridge.
What’s more, much of the impact plays out over time, noted directors participating in the discussion. “It goes beyond things like employing lawyers and IT security specialists to get through that initial recovery process, to things like harm to a company’s reputation,” said Tom Ogle, CFO and VP of finance and IT at AIB International. “It’s hard to quantify concerns further out, such as whether a customer is going to be reluctant to engage with us again going forward.”
While there’s no way to entirely eliminate the risk of a breach, participants identified three steps that will help boards get a better sense of the costs entailed, which can inform the level of risk mitigation measures warranted:
Understand the full scope and breadth of cyber incident costs.
“In addition to the overt costs, consider areas of risk that you might not see outlined in your cyber liability insurance,” said Arista. “For example, you often see an increase in management turnover after an incident or the loss of intellectual property, such as a software company’s source code or a medical device development firm’s R&D.” A company may also see its stock price suffer in the wake of a high-profile data breach or be subjected to fines if regulators deem its data privacy measures inadequate. Familiarity with both direct and indirect costs can help boards assess the value of appropriate protective measures.
Get your cyber crisis plan ready.
A proactive approach to identifying the types of incidents most likely to occur and preparing for them will help position the company to cope with and recover more swiftly from a cyber event. AIB, for example, created ready-to-launch message plans for stakeholders in the event of a cyber crisis. “If you assume something’s going to happen, then you’re not trying to create a response on the fly,” Ogle explained. “So, we went ahead and spelled out who would be impacted, what our communication plans should be and got those ready to go.”
Boost the board’s IT IQ.
Ideally, directors should seek opportunities for continuous learning with regard to technological advancement and digitization in general, as well as company- and industry-specific cyber risks. At BlackRock, technology and cyber threats are standing items on the audit and risk committee agendas. “Given the sophistication and the frequency of some of the incidents, cybersecurity is a risk that gets heightened attention and is certainly top of mind for our board,” noted Michelle Evaul, managing director, enterprise risk management. “If an incident has occurred, the impact to Blackrock will be addressed, or, in the absence of a specific incident, we’ll cover a topic of interest, like a new threat vector or security in the cloud.”
Increasingly, conversations about technological advancements are, by necessity, becoming whole board topics. “Having the CISO present to the audit committee may not always be sufficient,” noted Arista. “Processing changes in the marketplace, blockchain and cryptography, 5G technology—it’s important that board members get adequate education about technology that may be or become pertinent to their businesses at any given point of time. There really should be broader conversations not only about cybersecurity but about the way digitization is manifesting itself in the organization. Board members and executive management have to be hypervigilant about these things as they’re defining their business strategy.