As the sophistication of cyber attackers continues to rise, there is no business, regardless of size or location, that isn’t at risk. Today’s ransomware attackers are well funded, business savvy and deeply experienced in hacking methods. A board’s duty of care requires it to provide—and now disclose—sufficient oversight. Matt Gorham, who spent 25 years with the Federal Bureau of Investigation and is currently leader of PwC’s Cyber & Privacy Innovation Institute, shared best practices from companies that fared best following an attack.
1. Plan well.
Aside from ensuring good cyber hygiene, those companies that fared best when targeted had a good incident response plan as well as good business continuity, disaster recovery and crisis management plans, said Gorham. “They had also exercised those at the operational level to make sure they didn’t work at cross purposes during the time of an actual incident.”
2. Reduce time to decisions.
Those companies would also do exercises at the executive level to “ultimately refine and shrink the decision-making process because traditionally, you get a 72-hour window,” said Gorham. “[The bad actors] know you can’t get those fulsome answers if you haven’t asked the questions. So asking those questions in the exercise allows you to shrink the decision-making process during the actual incident and gives you a little more agility.”
3. Make decisions in advance.
Questions best asked and answered well before an incident takes place include:
• Communications, both external and internal. “What are you going to say? Who are you going to say it to? How are you going to say it? And what will you disclose to the markets?”
• The pay/no pay decision. “What is your policy on paying a ransom? Does it align with your corporate values? If not, are there occasions you might pay it anyway? What factors would you consider? What is the process? Who will ultimately make that call?”
• Law enforcement/regulator contact. “Who are you going to contact? What’s the value proposition? What would the process be?”
4. Conduct board-level tabletop exercises.
“The way I’ve seen it done best is after that initial executive tabletop exercise, you do another executive tabletop exercise, somewhat truncated, but with the board playing the part of the board. So when management is working through it, the board is able to see and get the educational value and understanding of how the company is navigating it—when they would turn to the board, what they would tell the board, and what would the board’s questions be.”