How prepared is your board of directors for cyberspace?

While cybersecurity is an important topic for boards, it hasn’t always been a priority. After a major corporation like Equifax suffered a breach of its IT systems, many companies are rethinking how they approach cybersecurity.

Boards around the world are examining the Equifax case to determine the best way to protect the valuable information stored in their organizations’ IT systems. So who is responsible? Since the CEO resigned, it is clear that he was held responsible. However, where was the board of directors?

In today’s world of cyberspace, corporate boards have to think about more than just governance, CEO compensation and strategy.

As it stands, it’s in the board’s best interest to make sure the company isn’t exposed to debilitating risks. Companies have workplace safety standards and sexual harassment policies to mitigate legal risk. They even have disaster recovery plans in case of natural disasters or events like the World Trade Center plane crash. These plans and policies are in place to keep the business running smoothly and in perpetuity. They also protect customers and employees.

However, with sophisticated hackers all over the world, it is not news that computer systems and valuable information can be breached and stolen. There are hackers who breach computer systems as a business. They demand ransom in the amount of tens of millions of dollars. If not paid, they threaten to release the companies’ secure information, which could sometimes contain private email communications from top executives.

While many companies as large as Equifax may have disaster recovery plans for their physical operations, they may not have an equivalent plan for a cyber breach. Such a plan would include immediate action steps based on the size of the breach, who committed it, what information was taken, whether company smartphones were breached, what to communicate to employees, the public and shareholders, as well as other important factors.

In some cases, it may make sense to report to the FBI. In other cases, it may be better to pay the ransom. The challenge with calling the FBI is that the hackers could be in countries like Russia. In Russia, the FBI may not go after them. Why? Because the Russian government is always looking for good hackers. If the FBI exposes hackers in Russia, the government can hire them, which can present long-term problems for the US. Paying the ransom is tricky as well. If you pay, they can hack you again and treat you like an ATM. If you don’t pay, they can expose sensitive information. These are the types of challenges that directly involve the board.

The most important thing is that the board talks about cybersecurity before there is a problem. There should be constant audits of the cybersecurity system to mitigate any risks. The board also needs to hold the CEO accountable for that security. Additionally, there must be clear policies to guide the board and executive team on how to handle the various moving parts in a sensitive situation. Boards with disaster recovery plans and strong CEO accountability are more likely to think ahead about cyber vulnerabilities and be proactive about updating the security system.