The recent hacking of software provider SolarWinds and the FireEye cybersecurity firm has moved cybersecurity to the top of every corporate board’s agenda for 2021. If one of the top cybersecurity firms can be hacked, every company is at risk. Boards need to take steps to regularly assess and address their company’s vulnerability to hackers if they haven’t done so already.
The hack of SolarWinds was ingenious. Hackers inserted malicious code into regularly occurring Orion software updates from SolarWinds — a way into customers’ internal systems that would always be allowed. In a Securities and Exchange Commission filing, SolarWinds reported that 33,000 customers may have been affected but “fewer than 18,000” were potentially compromised. While subsequent software updates have eliminated the problem, authorities estimate that companies could have been compromised as early as Spring 2020. SolarWinds customers that may have been affected should assume that they were breached, and need to develop new defense and response systems to deal with cybercrimes.
The hacking of FireEye presents a problem for all companies, whether they were using SolarWinds’ Orion software or not. Hackers stole sensitive tools that FireEye uses to find vulnerabilities in clients’ computer systems, so in theory they can use those same tools to find vulnerabilities in any company’s systems. Hackers could also build on FireEye’s technology to cause unknown havoc in the future.
These hacks demonstrate how much more dangerous the risk of being hacked has become. Corporate boards can begin dealing with this evolving threat by taking a number of actions, but these efforts must be revisited more than once a year:
• Conduct a fully transparent cyber risk assessment with the CEO and management team.
If there are any vulnerabilities in your internal computer systems, you need to find them now. That means the board and management need to be brutally honest about the cybersecurity efforts to date and be open to fierce criticism about how things have been handled.
In most cases, this type of risk assessment cannot be done without outside help. Having a cybersecurity firm like FireEye check for vulnerabilities may be mandatory now that FireEye’s tools have fallen into the hands of criminals. It’s advisable for companies to list all the ways their computer systems are accessed (by customers, suppliers, employees) and determine what type of risk is associated with each of those interactions. How could each interaction go wrong? Does the company currently have defenses in place to prevent problems? What can be done to strengthen current defenses?
• Consider whether the board has enough cybersecurity knowledge.
Going forward, boards are going to need to anticipate challenges associated with technology, especially cybersecurity issues. Does the board have enough members with cybersecurity experience? Directors who have experience dealing with data breaches and security issues will help the board decide whether to appoint a special committee to review cybersecurity protocols and whether to have members of management (such as the CIO) brief the board on a regular basis. The board will need to approve the recommendations that management makes regarding cybersecurity, so directors must be able to tell whether management’s plans will be adequate or not. Adding a board member with cybersecurity knowledge might help.
• Review cyber breach protocols and emergency response measures.
Unfortunately, boards must prepare for the probability that they will be hacked. Review and update the cybersecurity protocols and the emergency response measures the company will follow in the case of a breach. This may require the board to conduct “worst case scenario drills” in which the worst breach possible is imagined and management determines what the proper response should be to limit company risk and liability, while also responding appropriately to customer concerns and media coverage. Everyone in the company must understand and execute their role during a cybersecurity lapse, and the only way to prepare is to run through emergency drills ahead of time. These drills will reveal the areas of cybersecurity that the company must improve, and they will also help determine what cyber defenses will cost.
• Meet with key shareholders – share information on cybersecurity.
While boards may not want to discuss vulnerabilities to cybercrime with shareholders, reaching out to some of the largest shareholders can be helpful. Many shareholders must protect financial interests and personal data of their own, which requires that they have robust cybersecurity measures in place. Finding out what shareholders are doing to safeguard their important data can yield solutions directors might not have thought of.
• Check with the Department of Homeland Security and other cybersecurity industry experts.
Stay up to date with cybersecurity alerts from the Department of Homeland Security and with the suggested security measures offered by the U.S. Department of Commerce’s National Institute of Standards and Technology and other organizations.