Faced with cyber risks, some corporate leaders are taking on a new defensive role.
In today’s tech-reliant business world, cyber risks lurk around every corner.
A growing number of business leaders are confronting that reality with a hands-on approach to managing online security issues, from creating a list of potential threats to drawing response plans before disaster strikes.
Cyber security is becoming “a very important risk exposure” for many companies, so corporate boards must be more focused and engaged in understanding the often complex issue, says attorney Dan Bailey of Bailey Cavalieri. Bailey chairs the law firm’s directors and officers liability practice group.
“The main duty of directors is oversight—to perform an oversight function on all the important operations of the company,” Bailey says. “That means the topic of cyber security has to be elevated.”
One of the biggest risks is unauthorized intrusion, or hacking, which is at an unprecedented level. Cyber threats are so widespread nationally they rank as the FBI’s No. 3 priority, after counterterrorism and counterintelligence, says John Barrios, assistant special agent in charge of the FBI’s Cincinnati Division, which covers Central and Southern Ohio.
“A company that is sitting in Ohio can be attacked from another country at any time,” Barrios says. “Because these cyber intrusions are virtual, you can have someone outside of the United States (targeting) our financial sector.”
Barrios cautions business leaders to be aware of vulnerabilities and to recognize that no one is immune from cyber risks. “Cyber security should be at the top of any company’s list,” Barrios says.
Bailey and other legal experts say that corporate boards should arm themselves with enough information to ask the right questions, as well as ensure they comply with applicable laws in the event of a data disaster.
“The goal is not to educate the directors on all the details of cyber security,” Bailey says. “It’s very complicated and changes almost daily, but that doesn’t mean that the directors don’t have that role. Some directors don’t give enough attention to the topic because it’s so technical. There’s obviously a middle ground.”
In the past, corporate boards had a tendency to delegate such oversight to information-technology professionals, but in recent years more companies have adopted a chief information security officer position that reports to the CIO, CEO or directly to the board, says attorney Alex Brown of Bricker & Eckler. Brown focuses on advising technology and software companies.
“Obviously, the bigger the company, the more likely you are to have a separate CISO,” Brown says, adding that having a designated information security officer and a clearly outlined reporting structure helps keep corporate leaders in the know during a crisis.
“While the board doesn’t have any direct control over cyber attacks, they are the ones who will bear the brunt of bad publicity,” Brown says. “They’re the ones who are going to be held responsible.”
A data breach, for example, could prompt litigation alleging negligence. But the total damage a company or organization will suffer from a breach often has as much to do with how its leaders publicly react to the news as the breach itself, says Matt Curtin, founder of Interhack Corp., a Columbus-based forensic computing firm. The firm has handled its share of high-profile investigations, including a 2007 State of Ohio data-theft case involving a computer back-up tape stolen from a state intern’s unlocked car.
“It’s no longer just a matter of the CEO getting in front of the employees and saying everything is going to be all right,” Curtin says. “The CEO has to explain to customers and shareholders that they have not fundamentally breached the trust that they have.”
After a potential breach has been identified, the next step should be to notify the leadership, Curtin says. From there, they “must be sure that they have the right resources analyzing the situation, and that needs to happen very quickly.”
Companies are changing not only how they react to a breach, but also how they prepare for one, says attorney Craig Hoffman of BakerHostetler in Cincinnati. “I think people are more understanding of the risk now.”
Hoffman’s practice includes serving as part of an incident-response team, helping clients to identify, evaluate and manage risks associated with privacy and information security practices. The team aids in investigating more than 150 potential incidents each year and serves a wide range of clients, from credit unions and small banks to restaurants and hotels.
“Most of the time when you find out when something went wrong, it’s from a third party,” Hoffman says. “For example, if you’re a company that uses credit cards and someone has gained access to your payment card system, the usual way you’ll find out is called a common point of purchase report.”
News of a potential breach often causes panic, which is why it’s important for companies to train for disaster before it happens, Hoffman says. At the security workshops his firm holds across the country, companies draw incident-response plans and then talk through scenarios and notification steps.
“If you go to industry conferences about security, half the time people start their speeches (with), ‘It’s not a matter of if you’ll be breached, but when,’” Hoffman says. “I think there’s some truth to that.”
Curtin of Interhack advocates this method: assess, plan and test. He and his employees also conduct security exercises with clients to simulate disaster scenarios and test whether the strategies they’ve developed actually work in practice.
“This is not a product that you can buy,” Curtin says. “It’s not an annual process where the audit is going to make sure you’re OK. It is an ongoing process.”
Cyber Risk Evaluation
10 Questions Directors Should Ask
Cyber risks are unique to each company, which means how a company reacts also should be unique, according to attorney Dan Bailey of Bailey Cavalieri. He outlines 10 questions directors can ask to better understand the risks.
1. Is the responsibility and accountability for the creation, implementation, enforcement and updating of an integrated and companywide cyber risk management program clearly defined at the executive level?
2. Does the management team which addresses cyber risks include senior representatives from executive management, IT, legal, risk management, public relations and compliance/audit?
3. Is the overall cyber risk management program periodically reviewed by the board?
4. Does a board committee have designated oversight responsibility for the cyber risk management program?
5. What are the company’s greatest cyber risks and how are those risks being anticipated, managed and mitigated?
6. Is each component of the cyber risk management program documented, frequently tested and periodically audited by independent experts, and what are the results of that testing and audit?
7. Are protocols for reacting to a cyber-risk crisis when it occurs well defined and broadly understood?
8. Are all employees required to participate in regular education and training programs relating to cyber risks?
9. What is the company’s budget and staffing for cyber risk management and how does that compare with peer companies?
10. What, if any, insurance coverage does the company maintain for cyber risks and is that coverage adequate in scope and amount?
Dana Wilson is a freelance writer.