Boards need to know how to prepare organisations for dealing with cyber crime by asking questions in “peace-time” which may help during a cyber incident – aka “war-time”.
As cyber criminals mature, it is only a matter of time before an organisation is affected by some form of cyber incident, whether phishing, a ransomware attack, a data breach, or an out-and-out heist — referred to in this post as “war-time”. But boards do have the opportunity — in “peace-time” — to ask about the organisation’s preparedness for cyber incidents.
If as a board director you don’t know where to start, well, start here, with this post. This is not an exhaustive list of questions because the specifics will depend on your organisation.
What to do in war-time: In war-time the circumstances are chaotic at best. Boards need to keep in mind the need for an executive delegate to channel communications to the board, whilst not impeding the crucial work of sorting out the incident and response details.
What can the organisation not live without? You aren’t assessing the organisation’s ‘crown jewels’ at this point; instead you are looking to help determine the next order of effect relative to the known areas impacted. Someone should look to the critical pieces not yet affected which could cause further or cascading failures. Asking this helps the organisation step back and look a bit further out, ideally pushing it to generate momentum in response efforts, especially at a time when it likely feels out of control.
What is the likely impact of the cyber incident? Leave this deliberately open, to aid the executive and response teams in thinking both tactically and strategically about the direct and collateral damages to follow. Anticipate that initial responses will be very tactical, addressing incident details directly. The incident is front-and-centre for many; until it is considered under control or understood, few will pull back sufficiently to consider the indirect focal points. Consider these as follow-on questions:
Is the impact limited to a portion of the organisation? What seems a simple consideration may limit the potential impact assessments, help the responders isolate other connected business units, or force decisions regarding Continuity of Business (CoB) practices. If threat actors are not able to move laterally or escalate privileges to access other data, programs or business units, is the organisation confident it can continue operations – direct and/or ancillary – within the understood risks? If the cyber crime actors can still move, what else is in jeopardy?
What is the impact to the region, sector, clients and suppliers if the organisation is taken offline, as a whole or in part? The extended impacts of taking the organisation offline will be subject to scrutiny shortly after the incident is resolved. If it can be shown that due consideration was given during decision-making, the reputational damage (at a minimum) may be reduced. Impacts to external stakeholders and collateral organisations should also be calculated based on the length of time your organisation or any service component is down: a day’s impact may be minor; a week’s may be very different. These impacts can be positive or negative, as organisations might switch to their plan-B backup for you where, on a shorter timeline, they might have waited for you. Communication is crucial to both of you.
What interdependencies (internal and external) will be affected? Support and supply-chain impacts have far-reaching potential effects. A different twist on the earlier questions: hopefully your organisation has already traced the internal and external interdependencies to identify all the stakeholders who need to know what is going on, so the organisation can retain some control of the narrative. If others are reaching out to your organisation, including on social media, to raise questions about the interruption, you have lost the initiative in telling the story and garnering public support, which can result in reputational risk you have to accept. No one wants to be a cyber casualty marker for future conversations (just ask Target, Experian, Colonial Pipeline, SolarWinds and all those working in their executive and cyber divisions at the time of those incidents).
What is the direct loss? Of all the metrics asked for, this is the one your organisation should be able to calculate clearly, and assess over time. Getting a sense of the money and personnel investment and the downtime is crucial to understanding not only the incident’s impacts but also the longer-term effects.
What are the indirect and second- and third-order losses? These are harder to determine (unless you’ve continental CoB established). Getting a sense of who is paying you for what, and on what timeline, in relation to the incident can aid the organisation in assessing how the incident will affect your upstream and downstream supply chain as it progresses.
What to ask in peace-time: Many of these questions should already be in your board’s left-of-launch repertoire; simply add a cyber lens to what you ask regarding incident response and CoB. Don’t mistake similarities in the underlying questions for similar responses: we have found that cyber twists produce unique and unexpected results. Just as we found refuge and uncovered opportunities in implementing digital spaces for our business (or vice versa), we can expect cyber incidents to bring challenges we had not considered. The following are some questions to start the conversation beforehand.
What is the risk culture in the organisation, especially around cyber risk? (A later post will look at why “cyber risk” is hard to pin down as a concept.) What is the level of cyber awareness in the organisation? How does anyone report a cyber incident? What is the response time to such a report, and does the person who reported it get an update? If all communication systems go down, how do the accountable business leaders communicate with the board? What is the business continuity plan in case it all goes down and operations have to be shut down to contain damage? How fast, at least in theory, can we be back up and running? Do we have operational resilience scenarios in place that we have tested?
What does your board need for cyber competence? Your board needs a few building blocks: the right lens on risk, the right skills to prepare for cyber and operational resilience, and the right temperament to support executives through a stressful cyber incident.
There is no perfect way to do this. Starting somewhere is important. Getting help is not hard either.