Cyber-Risk Oversight Amid Russia-Ukraine Tensions

Will they or won’t they? This question has been top of mind for the United States and North Atlantic Treaty Organization (NATO) allies for several weeks as sophisticated intelligence operations have monitored Russian forces inching closer to invading Ukraine outright.

The history leading to this moment is complex and nuanced, but one matter is clear: the consequences of a kinetic war in Ukraine would be devastating for its people, economy, and young democracy, and have dire ripple effects around the world.

And that’s just considering potential traditional acts of war.

Could Russian cyberattacks used to “soften the Ukrainian battlefield” spill into business networks around the world?

According to the Cybersecurity and Infrastructure Security Agency (CISA), the agency at the forefront of US cyber defense, it’s time to put “shields up” at organizations of all kinds. “CISA recommends all organizations—regardless of size—adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets,” reads a notice recently posted to the CISA website in light of current events in Russia and Ukraine.

Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger emphasized this point at a press conference on Feb. 18, during which she detailed how Russian actors have already deployed distributed denial-of-service attacks within the Ukrainian Ministry of Defense and the country’s state-owned banks. “I cannot stress this enough: we urge our private sector partners to exercise incident response plans and put in place the cybersecurity defenses, like encryption and multifactor authentication, that make cyberattacks harder for even sophisticated cyber actors,” she said.

Businesses and other institutions are called on to defend American infrastructure against the influence of Russian state actors’ cyberattacks, and board members can do their part. Key action steps for you and your board to take in the coming weeks—and as the crisis in Ukraine unfolds—follow.

Understand the 2017 NotPetya Attack

Ukraine is well known among cybersecurity professionals and researchers as the unfortunate testing ground for Russian cyberattacks. In 2017, many nations got a taste of what can happen when such tests stretch beyond their intended borders.

Do you recall when global shipping giant Maersk was moored due to a cyberattack that year? That was part of a cyber event now known broadly as NotPetya, and it impacted an astonishing number of companies and countries. The igniting incident was the injection of malware into commonly used Ukrainian tax software. While the code appeared to operate like ransomware, there were no decryption keys to regain access to data. Once infected, data was simply lost and computer hardware rendered useless.

The United States and United Kingdom attributed the attack to Russian state actors. NotPetya’s power to quickly spread outside Ukraine through connected networks led to multimillion-dollar losses by the likes of FedEx Corp. and DLA Piper.

In today’s environment, a cyberattack in advance of a traditional act of war could leak into networks worldwide accidentally or intentionally, and companies and organizations worldwide need to be prepared to act rapidly to mitigate any related issues. Directors might consider learning about the evolving role cyberattacks play in war and how their organizations’ networks can get caught in the crossfire.

Review NACD Cyber-Risk Oversight Guides

The NACD Director’s Handbook on Cyber-Risk Oversight, updated most recently in 2020 by NACD and coauthors at the Internet Security Alliance (ISA), is a staple for understanding board-level cyber-risk preparedness. The following principles from the handbook are worth reviewing in times of potential crisis:

1. Directors need to understand and approach cybersecurity as a strategic, enterprise risk, not just an information technology risk.

2. Directors should understand the legal implications of cyber risks as they relate to their companies’ specific circumstances.

3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.

4. Directors should set the expectation that management will establish an enterprise-wide, cyber-risk management framework with adequate staffing and budget.

5. Board-management discussions about cyber risk should include identification and quantification of financial exposure to cyber risks and which risks to accept, mitigate, or transfer, such as through insurance, as well as specific plans associated with each approach.

If followed, these principles should leave your board in a sound place to oversee the needs of the cybersecurity organization through a crisis without the board interfering in operational responses. Appendices of the handbook include questions to ask about the company’s cybersecurity posture, a tool that outlines the board’s role in incident response, resources provided by the US Department of Homeland Security, and a guide to involving the US Department of Justice and Federal Bureau of Investigation in the event of a breach.

NACD and ISA in 2021 joined the World Economic Forum to expand upon these core principles in Principles for Board Governance of Cyber Risk. While most of the principles align with the ones above, one critical addition was made: encourage systemic resilience and collaboration.

This new principle acknowledges one of the critical vulnerabilities present in US cyberinfrastructure: that we’re all operating within interconnected systems that are private from one another. What could harm one company could harm many others, and the line of sight into those vulnerabilities is only as clear as the information shared by their owners. It’s critical that board members and their executives understand that their organizations could be affected by a malicious attack at the hands of a state actor, and that information about such attacks should be shared with appropriate industry information sharing groups, law enforcement agencies, and other parties. Information security experts in recent days have applauded the speed at which critical vulnerabilities have been identified, investigated, and declassified for sharing, all in the name of securing companies like yours. Directors can encourage their security leaders to communicate anomalies to law enforcement and information sharing networks as part of their contribution to securing the ecosystem.

Review What Your Company’s Cyber Insurance Covers

Merck & Co. was one of the unfortunate victims of the NotPetya attack in 2017, and its cyber insurance declined to cover the cost of more than 40,000 computers lost to the virus, as the insurer stated that the loss fell under its “War or Hostile Acts” exclusion. There is some good news: the $1.4 billion claim was awarded to Merck early in 2022 by the New Jersey Superior Court. Still, Threatpost reports that Lloyd’s of London and other insurers are taking steps to exclude from coverage and create more explicit terms for what counts as an act of war.

Is your board aware of the types of risk transfer the company practices that would shield the organization in the event of harm done in a borderless cyber war? Consider checking in with your management team to understand what material harm could come to the company if its insurance-based risk transfer solutions will not cover this type of loss.

Follow CISA’s Alerts

CISA is a young and quickly growing agency within the Department of Homeland Security. The agency has had its eyes on the situation in Ukraine for months and has issued several briefings urging private-sector organizations to secure themselves against any known threats and to have crisis response plans in hand and rehearsed, especially at the C-suite and board leadership level.

While CISA publishes a lot of technical, operational-level information, its warnings and briefings are meant to inform leadership and the public about what risks to attend to. If you’re interested in registering for direct emails from the agency about general warnings and news, or would like information more specific to your industry, visit their email subscription page and follow the directions to select what you want to receive.