Topics: Cybersecurity, Director Liability, Investor Relations, Risk Management, Technology

January 29, 2020

Directors Talk Post-Breach Processes


After a cyber breach, it’s too late for “should haves”—but there’s still a chance for your company to respond quickly and appropriately to mitigate reputational and regulatory fallout.

These post-breach considerations formed part of the conversation at a recent roundtable cohosted by NACD and Baker Tilly in Chicago. The discussion was attended by 12 directors and facilitated by David Ross, the national leader of the cybersecurity and privacy practice at Baker Tilly and a director of Propagenix, and Raina Rose Tagle, also a partner at Baker Tilly. Rose Tagle serves on Baker Tilly’s board of partners and counsels organizations on governance, risk, compliance, and emerging issues surrounding cybersecurity and data privacy.

While much of the conversation focused on securing data before a breach occurs (see previous coverage), attendees also zeroed in on company and board communications with one another and the public in the aftermath of a cyber breach and how to plan for such communication and disclosure.

“Key from a board perspective is to start with the bigger picture, instead of getting way into the details,” Rose Tagle summarized. “What’s our process? What’s our plan? What are our roles and responsibilities? Drill down from there.”

Specific post-breach considerations that boards should plan for include:

Escalation. One director asked, “Do you know what your escalation process is? At what point in time do you inform whom—whether you inform the chief financial officer, the general counsel, the CEO, or the chair of the audit committee? When do you go public?” In other words, what is the board’s role after a breach occurs, and is there an escalation process in place to determine who is notified internally and when?

Rose Tagle highlighted the value of having a “clear delineation of what the board should know and when it should know it.” Boards should work with management to outline who should be notified of a breach first, considering who the most relevant leaders and spokespeople are, and defining when, ultimately, the board should be brought into the circle of those who “need to know.”

Public response. Rose Tagle pointed out that it is important to ask yourselves, as a board, “Who is responsible for coming up with a [public relations] plan? Is there an oversight role for the board in that plan? Do all of the key leaders in the company know who is supposed to speak to media and notify regulators, and what to say?”

One director attendee was adamant that the board should not have a public-facing speaking part. “I would tell my board to keep their mouth shut. They’re not authorized to speak on anything, because they’re not involved [in] day-to-day [operations]. It’s the CEO’s responsibility.… Directors should not be talking to the press or anybody else about something that happened. They should direct any questions to the CEO as spokesperson.”

The consensus was that, in most cases, the board shouldn’t speak to anyone publicly about the breach until, perhaps, the incident response plan is clear and in place and directors have been advised by legal counsel to do so. The board must work with legal or public relations advisors to set a disclosure plan before a breach occurs, defining who should speak publicly about what and determining what information must be made public first, adapting the plan as necessary given the scope of the incident. Being prepared to respond quickly is important for companies that want to be able to control the narrative surrounding their organization’s cybersecurity and privacy management and to address and reduce consumer and public concern.

Regulatory restraints. Rules and regulations surrounding data and cybersecurity are changing how companies must plan for their public response after an attack. The European Union’s General Data Protection Regulation, for example, requires that a company notify the public of data that was spilled within 72 hours of knowing about an incident, which means that a company may come out with information in a piecemeal fashion, according to Ross, rather than keeping tight-lipped on a cyber incident until all impacts are identified.

Furthermore, the US Securities and Exchange Commission “has made statements about the disclosure requirements for publicly traded companies if you have a breach,” one director chimed in. “You have to consider whether or not the incursion has been material, whether it’s going to be material to your financial reporting, and how it impacts your internal controls.”

“Many times, the privacy implications are driving how you are going to respond, and what you are going to respond,” Ross stated. “What we recommend is that each company sit down and figure out which jurisdictions really matter, what are the major risks, and build a map on a company-by-company [and country-by-country] basis, deciding, ‘This is the type of incident, this is what we’ll have to do.’”

D&O insurance. An attendee noted, “A regulator told my board, ‘You may not be thinking about your [directors and officers (D&O)] insurer and your cybersecurity insurer. You need to report the incident to them as quickly as you can under the time frames of your policy.’”

The same attendee added that the insurance firm her company bought from “requires me to go to one of their pre-approved law firms in the event of a breach. I cannot go to my regular corporate and securities counsel on breach advice and have it covered. A question for directors to take back is to ask if you have coverage, and is your chief legal officer, general counsel, or risk manager familiar with what that protocol is?”

Boards must ensure that they understand the parameters of their D&O and cybersecurity insurance policies, including what restrictions there may be around whom the board and management can talk to in the event of a breach and how quickly the company must report incidents to insurers. Boards should familiarize themselves with all pre-approved law and public relations firms identified by their insurance provider so that the company knows whom they can turn to in the event of a breach and have their actions covered by insurance.

Ask questions. Ultimately, in planning for breach-response preparedness, Rose Tagle believes that the board’s role lies in asking questions. Her other takeaways from the roundtable discussion: “Know your local FBI contact. Know what your insurance providers require in terms of notification. Then, put a framework in place for periodically assessing and reassessing what information needs to be shared and with whom about incidents or breaches.” Directors should contemplate these questions and action items as their companies work toward being resilient in the face of cyber incidents and in the aftermath of a breach.

Comments

Joe McHugh, February 15, 2020

I believe that at least a majority of a firm's Board of Directors (and specifically members of the Audit Committee and Risk Committee) must have formal Cybersecurity Oversight Certification (followed by regular Continuing Education on Cybersecurity Oversight).
The "CERT Certificate of Cybersecurity Oversight" produced by the Carnegie Mellon Software Engineering Institute and co-sponsored with Ridge Global and NACD is a great NACD Certification program (with pages of Questions that Directors should be asking their CEO and Executive Team).
In addition, the NACD Directors Handbook on "Cyber-Risk Oversight" lists five basic "Principles" that all directors should either know from memory, or review before each Board Meeting, which also provides some useful Appendices (Questions for Management, Metrics, Dashboards, etc.).