Today’s boardrooms continue to sharpen their cybersecurity oversight in preparation for an inevitable cyber incident. Patricia Q. Connolly, Executive Director of the Raj & Kamla Gupta Governance Institute, sat down with cyber expert Jack Thomas Tomarchio, Principal at Agoge Group, for a conversation around growing cybersecurity concerns and the ways boards can ensure they are equipped to handle cyber-attacks.
The following is an edited transcript of the conversation.
Patricia Q. Connolly: In my work at the Raj & Kamla Gupta Governance Institute, I have had many boards raise questions around cyber preparedness. In your experience, do boards fully understand the scope and severity of cyber threats?
Jack Tomarchio: Some boards understand the scope of cyber threats, but many or most boards do not. Cybersecurity has become an agenda item, but directors and management don’t fully understand the severity of possible threats. And it’s hard to be prepared for a threat when you are unsure of what you are facing.
Security is always the last line item on a corporate budget, because it represents money out and no money in. There’s no profit in security; it’s not “sexy.” It’s like insurance—you don’t know you need it until you experience a disaster and are unprepared, but at that point it is too late to do anything about it.
Q. What should boards be doing differently now regarding cybersecurity?
It is incumbent upon boards to educate themselves on the risks of cyber-attacks and strategies to mitigate those risks. On April 24, 2018, Altaba (formerly known as Yahoo) settled with the SEC and agreed to pay $35 million for failing to adequately disclose a cyber breach—the first time a public company has been fined by the SEC for this. Headlines like that should get the board’s attention—this should be the impetus for everyone to act on cyber issues. When cyber-attacks occur, it’s a big headline. CEO’s are fired, along with other members of the C-Suite, and ultimately board members end up running the risk of personal liability outside of the insurance limitations.
But, for some reason, it’s often not enough to force companies to act on these risks. And that is an issue because most companies are currently unable to sufficiently handle a cyber-attack. Boards must develop useful responses to cyber-attacks. It’s not about “checking a box,” or simply having discussed cyber; there needs to be a real conversation around mitigating the risks. They tend to be reactive, but these are real assaults on companies for data, intellectual property, and money, and you cannot win a battle by being passive.
I’ve personally witnessed cyber warfare attacks through my work in the US Intelligence Community, and it is intense. You never want to end up saying, “now what do we do?” You always want to be prepared. There is help and partnership available, which many boards are unaware of or actively choose not to seek. The FBI offers outreach partnerships, but they don’t often get called. You only need to ask for help, and there’s an opportunity to have it.
“Boards have to be cognizant of the fact that cyber risks are now part of the business landscape and culture.”
Q. How have you seen governance practices evolve in response to major cyber-attacks?
We are seeing some boards attempting to recruit directors with cyber experience or skills. However, it’s not as common as it should be. All boards of directors need at least one individual with cyber expertise. The full board needs to be informed and responsible for cyber-oversight, but there needs to be one person with that background who can then educate others and measure the company’s preparedness regarding cyber planning.
I often hear from directors, “my Chief Technology Officer (CTO) or Chief Information Security Officer (CISO) is handling that.” This is a mistake. Boards cannot be relying solely upon the CTO or CISO for guidance on these issues, but should instead be reviewing their work and asking them to enforce board-directed strategies. It should be the role of the board to ask them the tough questions, and to do that, you need a board member who knows what questions to ask.
“Cyber warfare is an attack, and boards must treat it as such. If you don’t understand the threat or the ramifications, you won’t be able to withstand an attack.”
Q. In February 2018, the SEC issued an interpretive release to guide public companies when preparing disclosures about cybersecurity risks and incidents. How should a board be prepared to speak about their plans to confront cybersecurity risks and threats?
Boards shouldn’t show their entire hand—you don’t want to put the details of the company’s response plan out there for all the world to see. However, they should lay out two to three pages on the corporation’s cybersecurity plan in the annual report. There doesn’t need to be a great level of detail, as investors will gloss over that anyways, but the board should demonstrate the resiliency of the company in the cyber realm. Outlining what the company has done, steps that have been taken, tests that have been performed, can be helpful to show that they are taking cyber threats seriously and trying to be proactive.
Public company boards do need to disclose their cyber preparedness, and they should insist on a written information security policy and an incident response plan that gets to the point. You don’t want an 800-page plan—no one looks at that and it isn’t useful. And boards not only need to prepare these types of items, but they need to regularly and continuously evaluate their usefulness and update the materials based on the evolving threats in the cyber realm. Your plans are only useful if they are designed for the current landscape.
Q. How can a board take the extra step to assure itself that the company has the proper protocols in place to evaluate, and respond to an incident quickly and effectively?
Yes, some boards are taking some smart steps regarding their cybersecurity plans. Small things, like not using the same IT guy when you perform penetration tests, can make a big difference. And those are actions that the board can easily take. You want to think about cybersecurity like baseball. A pitcher on the mound faces many different batters. If that pitcher only has one pitch, every batter knows exactly what to expect, and they can prepare for it. So the pitcher must mix it up and surprise batters; in other words, don’t always throw a fastball. Boards can think about cyber-attacks in the same way. They want to catch their attackers off-guard and not make it easy for them to gain access.
Q. What other steps might a board take to protect itself from a cyber-attack, and how can they manage the results if such an attack should occur?
One of my favorite tools to train boards on the risks, management, and mitigation of a cyber-attack is the use of the tabletop exercise. Originally developed by the military as war games to plan strategy and tactics, the tabletop exercise is a perfect pedagogical tool to teach boards how to respond to a cyber event.
When I run a tabletop exercise, I put the entire C-Suite and board through a cascading cyber crisis that challenges company leaders to make hard decisions under extreme pressure. The results are often eye-opening. Executives uncover gaps in their incident response plan, realize that they have serious systemic failures in inter-company communications, or learn that their crisis response is confused and disorganized. The exercise is designed to shed light on these types of deficiencies. I conduct a post-mortum afterward to discuss what the weakness were and methods to address them. Often the C-Suite will leave a tabletop exercise with a laundry list of fixes to be undertaken.
Furthermore, tabletop exercises allow the board to understand their role in the cybersecurity process versus the role management should play. The exercise provides the board with a hands-on experience to better understand what a cyber-attack entails, and what it means to be properly prepared to combat one. Board members can utilize these interactive sessions to further their own knowledge and ensure management has the proper crisis management and disclosure protocols in place.