Why Boards Need Training on How to Respond to Cybersecurity Incidents

Nicholas J Price
5 min read
A few years ago, cyber breaches like the 2013 Myspace hack shocked the nation when the company finally made it public in 2016. The Myspace breach affected 360 million accounts. Yahoo was the next high-profile, cyber breach victim with the 2016 announcement of two separate cyberattacks. The first breach affected 500 million accounts and the second one affected 1 billion users. While board directors are strategizing about how to protect their companies, hackers continue to form strategies to steal money and information. The most recent cyber breach, at Equifax, affected a staggering 143 million consumers. The scale of the Equifax breach should motivate board directors to take a more aggressive approach to improving cybersecurity.

While cyberattacks are getting larger and more noteworthy, by and large, board directors don't have the necessary training to deal appropriately with them. In addition, board directors tend to place a lower priority on cybersecurity than on revenue-building ventures.

How Hackers Narrow Down Their Victims to Corporate Executives

Most hackers are not looking for the low-hanging fruit. Among the millions of accounts that they retrieve, they are cherry-picking the accounts of corporate executives. Once they secure an executive's personal information and other data, it becomes somewhat easier to access their work data and other valuable corporate information.

People-searching sites on the Internet are giving hackers a leg up on their dirty work. Internet searches tell them who is important. More importantly, it tells them whether these individuals manage a business that will be worth their time in attacking it. Often, executives will use personal information to make their passwords, as well as their answers to security questions, easy to remember. Having access to executives' personal information makes it easier for hackers to guess passwords and security answers to gain access to their business accounts.

Equifax: The Largest Cyberattack to Date

Equifax is one of three major credit-reporting agencies. On July 29, 2017, the company apparently learned that they'd been victimized by a cybersecurity breach that actually occurred a few months prior, in May. Equifax delayed notifying the general public about the breach until September 7, 2017. The breach gave hackers access to the private information of more than 143 million Americans and an unknown number of people in the United Kingdom and Canada.

Through the Equifax breach, hackers gained access to Social Security numbers, the credit card numbers of more than 209,000 consumers and the personal identifying information of 182,000 people. Unfortunately, many consumers were not even aware that Equifax had their personal and financial information.

The delay in getting word out to the public may have impacted trading after the breach and before the public announcement. The delay of the announcement is also a red flag that Equifax's board was not well-prepared for a cyber breach, let alone one of this magnitude.

Watchdogs Reviewing Trading Practices After a Breach

Knowing that stock prices will certainly drop after the announcement of a data breach, regulators and others will quickly look at the timing of the breach and the effects on trading to make sure that insiders weren't purposely dumping stock at the higher prices prior to the breach announcement. Suspicious trading may have made Equifax millions of dollars in profit.

Preliminary investigations into trading practices at Equifax show some unusual trading after the attack and before the announcement. Equifax stock options have a history of infrequent trades. As of August 21, 2017, 10 times as many stocks were purchased than in the entire month of July. Further investigations of unusual trading are ongoing.

Are Boards Prioritizing Training on Cybersecurity?

The United Kingdom is taking a proactive approach to board governance on cybersecurity matters. The European Union's new General Data Protection Regulation (GDPR) goes into effect in May 2018. The U.K. government's 2017 'Cyber Governance Health Check Report' proves how ill-prepared boards really are. For instance:

  • Two-thirds of FTSE 350 boards, which are the largest companies, reported not having the cybersecurity training to respond to breaches
  • 10% of companies have no incident response plan
  • 54% of companies acknowledge cybersecurity breaches as being top risks
  • 57% of companies said that they understood the potential impact of a breach
  • Only 6% of companies reported being completely prepared for the GDPR

Only one-third of the companies responded to the survey, so the number of companies that are vastly unprepared for a cyber breach could be substantially higher than noted. Fines of up to 'Ǩ20 million (''1.8 million), or 4% of global turnover, may motivate U.K. boards to take steps to implement cybersecurity training.

Statistics on board knowledge of cybersecurity in the United States are also unimpressive. According to the National Association of Corporate Directors (NACD), a recent survey of more than 600 corporate directors and professionals showed that only 19% have a high level of knowledge of cybersecurity risks. The percentage is 8% higher than the prior year's statistics, but it is still woefully inadequate to protect their companies.

States are taking a stronger interest in laws to protect companies from cyber breaches. Most states have passed laws that require companies to notify their customers of a cyber breach incident. While Congress continues to have robust discussions around cybersecurity matters, legislation has been slow to move.

Stronger state and federal laws that tighten up cybersecurity and disclose attacks may reduce the impact of cyberattacks. Boards that give cybersecurity its due diligence will help prevent liability and public embarrassment.

While the pressure is high to make cybersecurity a top priority, many boards are still focusing more heavily on matters such as retaining top talent, meeting governance compliance and competing in the global markets, and giving cybersecurity a lower priority.

A Few Final Words on Board Training for Cybersecurity

A cyber breach is a frightening incident for companies and their customers. While board directors don't have the magic software that could eradicate cyber breaches entirely, having a plan for what to do in the event of a security breach gives board directors the confidence to disclose an attack in a timely manner and to respond appropriately to the breach. Taking a proactive approach to the aftermath of a cybersecurity breach reduces potential litigation, and saves time, money and brand reputation.