Consider Data Use Before an Incident Occurs

Before any board director reflexively says “breach,” they should think “incident” instead. After all, “breach” is a legal term that carries implications that could harm a company if used before being advised that an incident is, in fact, a breach.

This was one important takeaway from a roundtable cohosted by NACD and Baker Tilly in Chicago to explore cybersecurity and privacy issues before a problem occurs. The conversation naturally stoked concerns, considering that according to Verizon’s 2019 Data Breach Investigations Report, 56 percent of cyber breaches analyzed were not detected until months after the initial incident occurred. What’s more, while 52 percent of breaches were caused by hackers, 21 percent of breaches were caused by human error and 15 percent were attributed in part to the improper use of online features by those with authorized access.

With this in mind, Baker Tilly partners David Ross and Raina Rose Tagle facilitated the roundtable with some 12 directors who were invited to participate. Ross is the principal in charge of Baker Tilly’s cybersecurity and privacy practice. He has also worked at other companies in the cyber and risk arena, including as general manager of General Dynamics Commercial Cyber Services. Rose Tagle has more than 25 years’ experience at the advisory, tax, and accounting firm, where she counsels companies and educational institutions on governance, risk, compliance, and emerging issues around cybersecurity and data privacy. Rose Tagle also serves on Baker Tilly’s board of partners.

In introductory remarks, Rose Tagle noted that organizations—and thus, their boards—need to define what is “private” information and how it should be protected. A balance needs to be struck between easy access to and the protection of data. Ross, who in addition to his role at Baker Tilly serves as an emeritus director of the early-stage biotechnology company Propagenix, emphasized how the nature of cyber-attacks has evolved depending on sector, but the regulatory sphere is only slowly ramping up.

When protecting data and combatting increasingly targeted cyber-attacks, resiliency is key. “Building resilient businesses, resilient systems, and resilient processes is going to be the key to managing this risk going forward—because you’re not going to be able to eliminate [cyber incidents], no matter how much you try,” Ross said. Drawing on his education as an engineer, Ross gave an example: “When you design bridge trusses, you think about failure—if something goes wrong, how does it fail in a way that’s safe? You can apply those same concepts to IT systems. If something failed, is it compartmentalized? Could something that got into one system traverse to another?”

Resiliency should be considered part of any solution. Other important takeaways cited by the directors during the roundtable include:

Examine operational risks on the same plane as cyber risks. Some of the greatest operational risks can be those that are unanticipated. For example, Ross cited one scenario involving a trucking company that he had recently advised. Day to day, the business relies on keeping the trucks rolling. “What happens if a cyberattack crippled the drivers’ ability to buy diesel fuel? If they couldn’t put diesel in those trucks, literally trucks would stop moving. That was one of their highest risks, [but] their CEO said, ‘I never thought of that as a risk.’”

Cyber-linked operational risks will certainly vary from industry to industry and organization to organization. A bank, for example, might want to ask themselves if customers will still be able to cash checks and take out money, or transfer money online, if a breach occurs. Such physical or commonplace services must not be forgotten when considering how cyber breaches can affect the bottom line—especially if they are essential to the products and services the company provides to its consumers or customers.

Understand that data subjects have rights. Public companies often foresee monetary losses accompanying cyber breaches in the form of ransom payments or loss of value due to reputational issues reflected in the price of their stock. They should also bear in mind, Ross said, that depending on the company’s locale, “financial losses are also going to come from fines and/or legal financial damages levied from regulatory violations” around consumer rights, such as those now enforced under the General Data Protection Regulation (GDPR) of the European Union and the California Consumer Privacy Act in the United States, and around the theft of trade secrets under the U.S. Defend Trade Secrets Act.

Depending on the jurisdiction, “data subjects now have rights [in certain circumstances] and you have to protect them,” according to Ross. For example, the GDPR gives data subjects the rights to access, rectification, erasure, restriction of processing, and other control over the use of their personal data, though some restrictions apply. In the United States, states are passing their own versions of privacy regulations. Boards should work with the general counsel to understand the regulatory atmosphere and legal requirements related to cybersecurity in their respective locales.

Bring in third-party experts for verification. Just as external auditors help to verify corporate financial statements, boards should also consider using third-party experts to verify cybersecurity measures, Ross advised: “It’s not to say that your internal resources aren’t good enough, or that they can’t be trusted. It’s that outside perspectives may provide directors with additional insights and expand on what is known.” Ross further emphasized why third-party assessments are important for directors to contemplate: “From a board standpoint, [deciding] how much governance or how many controls need to be in place so that you can protect shareholder value or your owners’ value—that’s really your role.”

While these considerations—operational, regulatory, third-party, and more—must inform how boards work with management to approach cybersecurity and data use and protection, Rose Tagle pointed out, “Cybersecurity and privacy risks go well beyond technology and well beyond even security, to really permeate an organization. Asking for the information that you need, in order to understand the sufficiency of how well roles have been defined, what plans are in place, if you are really ready—that’s the opportunity before an incident occurs.”

Furthermore, Rose Tagle added that the sheer proliferation of data means that a central function within an organization cannot be the only source of cybersecurity and privacy management and oversight. Indeed, one participating director attendee remarked, “One thing we talk about a lot is how to integrate the security conversation into all of our conversations. How do you, on your boards, talk about cyber-risks when you are discussing mergers and acquisitions, or the reverse, when you’re breaking off? How do you use cyber-risk in conversations about moving into a new market, or creating a new product?”

Making cybersecurity a facet of every element of board oversight, then, is vital to considering and preparing for all associated risks, including ones not traditionally anticipated. And, as a board, pushing management to explain how the company and its digital systems are made resilient is an effective measure for cybersecurity and beyond.

Visit the NACD BoardTalk blog in two weeks for additional coverage of this discussion.