A Complicated Relationship – Boards, ELT’s & Cyber

Boards ELT's Cyber Relationship CTRL Group

The last few years have been very interesting in terms of blame allocation with regard to cybersecurity for employees. There have been so many of them that people are suffering notification fatigue and becoming desensitized. A common phrase in the US is “another day, another breach.”

Before we get into the responsibilities and ramifications of cyber incidents to an organisation’s Executive Leadership Team (ELT) and the Board, let’s break down what cyber incidents can be. I put cyber incidents into three categories:

1) Malicious intent – hacker in a basement with a hoodie trying to murder your data

Often considered to be the most likely. Viruses; ransomware; stolen passwords; phishing emails; social engineering; fund transfer fraud, etc. All rife. The evil people.

2) Dave – an overworked and undervalued IT superhero who keeps your organisation operating by the skin of their teeth, or any employee, user error.

Having spent many years in IT support and operations I can absolutely state that IT staff are expected to know everything. Sorry, sometimes we don’t and sometimes we make mistakes. Sometimes people flip out and hit send on an email they really shouldn’t. People leave phones on trains. You would be amazed, in 2019, at how many people will plug in a USB they find in the car park. People click the wrong link. All the time.

3) System failure! – Happens all the time and causes business interruption

I seem to remember recently a supermarket chain kicking people out of their stores after they’d filled their trolleys because they couldn’t process electronic transactions. And not many Aussies transact any other way. Apparently, some quality store managers let people work out with full trolleys. They all should have. That would have been a good action outlined in their Cyber Incident Response Plan, hmm – the what? Sorry I digress.

So these issues lead to the following:

  • Brand and reputation damage
  • Regulatory fines and penalties
  • Business interruption costs
  • Third-party legal action including class-actions

And many other nasties.

If you are a member of the ELT and/or a board member you may be thinking that a cyber incident is an IT problem. If so, you are wrong.

A cyber incident is an organisational crisis and needs to be dealt with accordingly. You remember that drill you did regarding a “shooter onsite” or as fire, you need to do one, and keep doing them, for “someone has stolen our customer data” or “we can’t pump gas” as well.

The only way to reduce the brand, reputation and financial damage from as cyber incident is to handle it well.

In 2016 global law firm Norton Rose Fulbright provided this insight:

“A failure to implement appropriate cybersecurity or cyber risk management measures could constitute a breach of directors’ fiduciary duties. … Directors could therefore conceivably face personal liability to the company and to third parties for a breach of these duties that relates to cyber risk.”

Enough of the scary stuff unless you would like to hear about recent liability class actions and the alarming increase in premiums for directors and officers insurance. Maybe the fact that new privacy amendment fines are looking at $10 million or 10% of revenue. How about the new APRA regulation that states a 72-hour breach notification time (as against 30 days.) I could go on.

What steps can the ELT and Board take to reduce the risk here?

  • Ensure the CIO and the Chief Security Officer are an active and respected part of the ELT
  • Have the Board risk committee consistently report on cyber incidents and potential threats
  • Be aware – there is no excuse for Board members to say “I didn’t know”, Google “Centro” or “Hayne” for reference
  • Consider a board member or an advisory board member that is a cyber risk expert, especially if you deal in highly confidential information
  • At least witness, if not be a participant in, regular threat simulations. Incident response plans are only as good as their last test
  • Take an active role, it frustrates me incredibly to see IT experts marginalised, if they are clever and professional enough to keep your business running then they deserve a seat at the table
  • Be proactive at all senior management levels. The regulators have new clothes apparently – we will see

Organisations depend on IT and the rapid uptake of technology has created a whole new world of risk. The role of the ELT and the Board here is to understand what is taking place, the risks it creates for the organisation and provide support to those who are on point in terms of risk mitigation.

And, as always, ask for help. This is what we do.

Fergus Brooks, Chief Risk, CTRL Group