While cybersecurity is an important topic for boards of directors, it has not always been a priority. Because a major corporation like Equifax had a breach in its IT system, many companies are rethinking how to protect cybersecurity.
Boards of directors around the world are examining the Equifax case to determine how to best protect their organizations’ valuable information stored in their IT systems. So who is responsible? Since the CEO resigned, it is clear that he was held accountable. However, where was the board of directors?
In today’s world of cyberspace, corporate boards have to think about more than governance, CEO compensation, and strategy.
In its current form, the best thing for the board is to make sure the company is not exposed to debilitating risk. Companies have workplace safety regulations and sexual harassment policies to mitigate lawsuits. They even have disaster recovery plans in the event of natural disasters or events like the World Trade Center plane crash. These plans and policies are in place to keep the business running smoothly and permanently. Protect customers and employees.
However, with sophisticated hackers around the world, it is nothing new that computer systems and valuable information can be breached and stolen. There are hackers who breach computer systems as a business. They ask for a ransom of tens of millions of dollars. If not paid, they threaten to disclose secure information to companies, which could sometimes contain private email communications from top executives.
While many companies as large as Equifax may have disaster recovery plans for their physical operation, they may not have the same plan for cyber breaches. Disaster recovery policies would include immediate action steps based on the size of the breach, who committed the breach, what information was collected, whether company smartphones were breached, what to communicate to employees, the public, and shareholders as well as other important factors.
In some cases, it may make sense to report to the FBI. In other cases, it may be better to pay the ransom. The challenge with calling the FBI is that the hackers could be in countries like Russia. In Russia, the FBI cannot go after them. Why? Because the Russian government is always looking for good hackers. If the FBI exposes hackers in Russia, the government can hire them, which can present long-term problems for the United States. When it comes to paying a ransom, it is complicated. If you pay, you may be hacked again as if you were an ATM. If you don’t pay, they can expose confidential information. These are also the types of challenges that directly involve the board.
Most importantly, the board is talking about cybersecurity before a problem arises. There should be constant audits of the cybersecurity system to mitigate any risks. Also, as a board, you must hold the CEO accountable for that security. In addition, there must be clear policies to guide the board and executive team on how to handle the various moving parts in a sensitive situation. Boards of directors with disaster recovery plans and high CEO accountability are more likely to think about cyber vulnerabilities and be proactive in updating the security system.