While cyber security is an important issue for boards, it has not always been top of mind. After a corporation as large as Equifax suffered a breach of its IT systems, many companies are rethinking how they approach cyber security.
Boards around the world are examining the Equifax case to determine how best to secure the valuable information their organizations store in their IT systems. So who is responsible? Since the CEO has stepped down, it is apparent that he was held accountable. However, where was the board of directors?
Today, corporate boards have to think about more than governance, CEO compensation and strategy.
It is in the board’s best interest to ensure the company is not exposed to debilitating risks. Companies have workplace safety standards and sexual harassment policies to mitigate lawsuits. They even have disaster recovery plans for natural disasters or events like the attacks on the World Trade Center. These plans and policies are in place to keep the business running smoothly and continuously, and they protect customers and employees.
However, with sophisticated attackers operating around the world, it is no news that computer systems can be breached and valuable information stolen. Some groups breach computer systems as a business. They demand ransoms that can run to tens of millions of dollars, and if the ransom is not paid, they threaten to release the company’s confidential information, which can include private email communication from top executives.
While an enterprise as large as Equifax may have a disaster recovery plan for its physical operations, it may not have a comparable plan for a cyber breach. Such a plan, in effect an incident response plan, would lay out immediate action steps based on the size of the breach, who carried it out, what information was taken, whether company smartphones were compromised, and what to communicate to employees, the public and shareholders, along with other important factors.
In some cases, it may make sense to inform the FBI. In other cases, it may be better to pay the ransom. The challenge with calling the FBI is that the hackers may be operating from a country like Russia, where U.S. law enforcement has little reach: Russia does not extradite its own citizens. There is a further concern that publicly exposing skilled hackers there may simply lead the Russian government to recruit them, which can present long-term problems for the US. Paying a ransom is also tricky. If you pay, the attackers may hit you again as though you were an ATM, and payment is no guarantee that the stolen data will not be released anyway. If you don’t pay, they may expose confidential information. These are the kinds of decisions that directly involve the board.
What matters most is that the board is talking about cyber security before there is a problem. There should be regular audits and testing of the security program to identify and mitigate risks. In addition, the board should hold the CEO accountable for that security. Furthermore, there should be clear policies to guide the board and the executive team on how to handle the many moving parts of a delicate situation. Boards with a tested breach response plan and clear CEO accountability are more likely to be forward thinking about cyber vulnerabilities and proactive about keeping their security systems up to date.