Cyber-Security: The Directors’ Cut
You made it, Cohort 5! You’re on a corporate board, or maybe even more than one. You’ve taken all of Paula Cholmondeley’s March 9 sage advice on what to do, how to do it, and what to look out for, and you’ve digested Gena Ashe’s April 7 guidance on how it all works in private equity company world. You’re ready! You got this! But do you?
Full disclosure, I am extraordinarily passionate about the importance of truly getting what you should understand about cyber security and cyber security risk. Managing a partially classified, nation-state-actor cyber event for a Washington D.C. based critical infrastructure company likely created this monster, but the significance of this duty is distinct.
The basics are simple, and any number of director-focused cyber security education guides, blogs, or podcasts are now competently outlining them. NACD’s Cyber Risk Oversight 2020, Key Principles and Practical Guidance for Corporate Boards is a terrific one.
As corporate fiduciaries, among your responsibilities to oversee management strategy is your duty to oversee management’s identification of, and practiced response to, enterprise risks, particularly bet-the-company risks. And make no mistake—a cyber security breach like that of Yahoo (three billion records), Equifax (148 million records), Marriott International (500 million records), Facebook (550 million records) and, most recently, SolarWinds, where it is still unknown how many records from 18,000 organizations and governments, including 50 U.S. government agencies, have been compromised—is a bet-the-company enterprise risk.
From the outside looking in, it may seem like the recovery from some of these attacks has been relatively successful. Pre-pandemic at least, Marriott did not lose significant customers, and Equifax still manages your credit score. But the financial and reputational pain from those remediations has been significant and has included, by the way, entire boards being turned over. All these companies, and many of their directors, have paid the price.
Additionally, over the past seven or eight years, the SEC has moved from a light-handed approach to cyber security oversight to full-on disclosure and other requirements for public company boards. Proxy advisors count effective board oversight of cyber security as crucial, and the bad guys have gone from selling stolen credit cards on the black market to cyber ransom demands against companies of all sizes and kinds, including those in the middle of merger proceedings, whole cities, hospital systems, and school districts. The threat is real, and the biggest mistake I believe directors make is not believing it will happen to their company.
So, the basics are simple (NACD’s detailed, step-by-step toolkit for how to execute on them is one of the best that I’ve seen):
- Understand and view cyber security as a strategic enterprise risk.
- Know the legal and regulatory implications of cyber risks as they relate to your company’s specific circumstances.
- Require that management have adequate access to cyber-security expertise, and insist that board discussions about cyber-risk management be given regular and adequate time on board meeting agendas. (I would argue that if this isn’t already happening, you already have a problem.)
- Expect management to establish an enterprise-wide, cyber-risk management framework with adequate staffing and budget, and check in with dedicated management regularly, and in executive session, on whether adequate financial and personnel resources are being provided.
- Ensure that your discussions with management about your company’s cyber security risk include identifying and quantifying the financial exposure to cyber risks—which risks you can accept, which can be mitigated or transferred, and the specific plans for each approach.
The reality and the execution of all of this may not be so simple, however. In May 2017, malicious actors accessed the Equifax network. At the end of July, Equifax detected the activity, blocked the suspicious traffic, and took the impacted application offline. In August, Equifax notified the FBI field office in Atlanta; in September, it publicly disclosed the cyber incident involving consumer information, and the Department of Justice (DOJ) and FBI confirmed that a criminal investigation had been opened. In February 2020, DOJ announced the indictment of four members of the People’s Liberation Army 54th Research Institute, a unit of the Chinese military. That was a success.
Or was it? In January of 2017, Equifax agreed to a global settlement with the Federal Trade Commission, including $425 million to help people affected by the breach. Prior to that, Equifax’s CEO, chief security officer, and chief information officer had all retired, and three other executives, including the CFO, drew scrutiny for selling large amounts of company stock just days after the breach was discovered internally but six weeks before it was announced to the public. Many of the directors turned over.
On April 7, 2021, the FBI, Fordham University, and the International Conference on Cyber Security (ICCS) hosted a virtual special event called FBI Case Study of Equifax. At the event, current Equifax CISO Jamil Farshchi offered some particularly honest and useful real-life lessons to take with you:
- Broad-based attacks scale up where a company has a big digital supply chain.
- A breach should be taken as a “gut punch” that drives real change in the organization. Run to the fire rather than just getting to the other side of it and assuming it won’t happen again.
- Staff up the right way. Equifax hired more than 600 experts and spent over $1 billion to beef up its security. But be careful of all the products “experts” try to sell you. Rather, get the basics right.
- Know the challenge ahead of you. Describing working with the FBI (or another investigative agency), Farshchi said, “There are seven billion people on this planet. The FBI was able to narrow the breach down to four pictures of the people who did it. It’s not like the movies; they’re not coming in with guns blazing to take your servers.” I can attest to this, by the way.
The best we can do as directors is get the basics right. And buckle up.
P.S. – Events move fast and furiously. Do NOT text your fellow directors and/or management thinking your communications will be protected—they won’t be.
Leslie T. Thornton is a director on the boards of Southwest Gas Holdings & Southwest Gas, and Perdoceo Education Corporation.