New & Upcoming
Cybersecurity Costs are On the Rise
As cyberattacks become more sophisticated, efforts to combat them have become more costly. The federal government and other security agencies have taken notice.
Boards Should Play a Role in Cybersecurity
Boards should be active participants in cybersecurity oversight, and take part in preventive and reactive measures as much as they would for any other crisis.
Consider Creating an Oversight Committee
The board should consider including members with technology or cybersecurity experience, and cybersecurity should be a top priority for all board members.
Webinar Recap: Nick Merker and Mason Clark, Intellectual Property & Technology Practice lawyers at Baker & McKenzie LLP join Mick Cobb, OnBoard’s Chief Technology Officer, for a discussion on the growing importance of cybersecurity and the role boards of directors play in mitigating risk.
Let’s face it: board meeting agendas are typically jam-packed. From discussions of old and new business to committee report outs to voting – and everything in between – there’s a lot to cover in a short time.
But too often, there’s one critical topic that falls off the agenda: cybersecurity. That’s a big (and potentially costly) problem, as the risk of an attack has never been higher. According to IBM’s annual Cost of a Data Breach report, in 2021, the average total cost of a data breach in the U.S. was $9.01 million. The rise in remote work has the potential to make matters worse. The same report found the average cost of a breach was $1.07 million higher worldwide in situations where remote work was a factor in causing the breach.
Issues around cybersecurity are surging and require a new sense of urgency. But what exactly is the role of boards of directors dealing with cybersecurity issues?
Last week, Mick Cobb, OnBoard’s chief technology officer, joined Nick Merker and Mason Clark, both Intellectual Property & Technology Practice lawyers at Baker & McKenzie LLP, to discuss why cybersecurity must be a top focus of any business – and the role the board plays. The panel discussion addressed such topics as:
In this blog, we’ll recap our key takeaways from the session.
Emerging Cybersecurity Trends
Cyberattacks from nation-state actors have always been in the back of folks’ minds. But during the Russia-Ukraine conflict, this is something people are thinking about more frequently. According to our panelists, every insurance policy will have some sort of exclusion for such an attack.
Also, the total cost of a cybersecurity incident continues to increase, including the amount of the ransom, remediation costs, and insurance premiums, among other costs. Organizations must invest in protecting themselves. Otherwise, the penalties could be costly.
Because of all this, the federal government and law enforcement are paying closer attention to cybersecurity. President Joe Biden signed into law a bill that would require critical infrastructure companies a mandatory 72-hour reporting deadline. In addition, there are Office of Foreign Assets Control (OFAC) sanctions forbidding companies from making ransom payments to those with ties to terrorist or criminal organizations.
The Implications of a Breach Aren’t Only Financial
The cost of a cybersecurity incident continues to grow – especially at a time when remote and hybrid work is the norm. According to the SEC, some of the monetary consequences of a cybersecurity issue include:
And that’s just to name a few.
However, our panelists reminded viewers that the consequences of a cyberattack aren’t only monetary. A breach can also negatively impact the reputation of both an organization and its board.
Merker and Clark recounted an incident where children’s health data from an organization ended up in the wrong hands. While there was no financial information or ransom involved, the organization suffered irreparable damage to their reputation. As our panelists put it, “Especially for boards of nonprofits – your breach can very likely be more of a reputation issue than anything financial.”
Building lost trust is challenging. But it’s not impossible. As Merker and Clark put it, no company is 100% protected from cybersecurity. The way a company handles it can actually reflect well on them. “A company can put themselves in a positive light by how they respond. Some companies look better on the other side,” they said.
Boards Play an Important Role in Managing Cybersecurity Risk for the Organizations They Serve
As cybersecurity instances increase, the role of the board in preventing and managing such attacks is evolving. Recently, the SEC released their proposed rules for cybersecurity risk management, strategy, governance, and incident disclosure, which will further impact the role of boards in mitigating potential risks and establishing and maintaining effective risk management strategies.
According to our panelists, the role of the board is to provide oversight on cybersecurity. “Boards need to be thinking, ‘Have we thought about this?’ and ‘How are we going to disclosure this to the public?’”
Our panel advises boards to “be as involved with a cybersecurity instance as any other crisis. Treat it with just as much suspicion and curiosity as anything else that’s going well or bad at your company.”
Merker and Clark advise boards without a security expert on the board to be even more involved. “You might not know exactly what you should be doing. You have to rely on employees’ expertise.”
Cybersecurity Expertise on Boards Varies – But it’s Improving
Boards must be involved with cybersecurity. However, when asked if boards typically have the expertise to do so, our panelists said, “It varies. But it’s improving.”
“Five years ago, if a lawyer was speaking to a board about a ransomware event in which the attacker was demanding payment in bitcoin, the board would say, ‘What’s bitcoin? What’s ransomware?’”
But today, we’re seeing more sophisticated boards. For example, we’re seeing more boards that include chief technology officers. What’s more, many directors want to be more involved in every step of a ransomware negotiation, asking insightful questions they weren’t previously asking.
That said, there’s still a lot of room for improvement. One way to bolster expertise is to add more cybersecurity professionals to boards.
However, our panelists reminded viewers that cybersecurity must be important to the entire board – not just one director. “Don’t just add a cybersecurity professional to the board with no board experience – while the rest of the board checks out.”
Best Practices for Mitigating Long-Term Risk
No organization is immune to a cyberattack. However, our panel shared actions that boards can take now to mitigate the long-term risk of an attack.
First, boards should form a cybersecurity oversight committee that’s focused on these issues. This committee might include management or executives from the company who are cybersecurity experts. It’s the job of the committee to provide oversight and report to the larger board.
Boards also need to involve themselves in their organization’s program effectiveness and preparedness. One way to do this is through table top drills, which allow boards to run through what should happen in the instance of an attack.
Finally, start looking at your insurance policies (or consider getting one if you don’t already have one) to see if there are preferred vendors for forensic investigations. Our panelists’ advice is to “line up forensic investigators before you need them. Things happen fast.”
Looking for more insights for improving the effectiveness of your board? Save your spot for our next Atlas Leadership Webinar, Barriers to Board Diversity, featuring Lissa Broome, Head, Director Diversity Initiative at UNC School of Law, and Marilyn Nagel, Co-Founder & Chief Advocacy Officer at RISEQUITY.
Talk to a board intelligence expert.