“What’s the board’s role in a data breach?”

This was a question posed by one of the director attendees
at a recent roundtable event hosted by NACD in partnership with Accenture on
how boards can go about building greater cyber resiliency within the
organizations they serve. And as a litany of companies have fallen victim to
cyberattack and endured considerable financial and reputational fallout—it’s a
simple question that demands a nuanced answer.

Robert Kress, managing director at Accenture, encouraged
attendees not only to have a well-coordinated response plan mapped out so that
it can readily be put into action if and when the worst occurs, but also to
“Ask yourselves: How does the board get engaged in a breach?”

“Is there a subcommittee? How are decisions made? Which
decisions should involve the board?,” Kress asked. “Breaches oftentimes happen
at inopportune times such as weekends and holidays because threat actors know less-experienced
people are manning the ship—if they’re working at all. A good crisis response
plan should have clearly defined the role of the board, outside counsel for
support to ensure you have the regulatory requirements for reporting, and
arrangements with a marketing firm to handle public relations.”

One attendee shared that, after the US Government Affairs
Office (GAO) released its assessment of the Equifax breach, his board asked the
chief information officer to review the GAO’s recommendations and do a gap
analysis. “I was surprised by how cogent those reports really were,” he said.
But for him, paying close attention to how one federal entity picked apart all
that went wrong in the Equifax case raised questions around how boards should
think about disclosures and communicating what the company’s risk capacity is.

“Cybersecurity needs to go hand-in-hand with the broader
enterprise risk management program,” Kress said. “Cybersecurity is one type of
business risk that needs to be addressed broadly—in the 10-K or via a cogent
response from management on how they want to mitigate that risk. And companies
are improving their capabilities in detection and response processes, with the
time to detect and respond to an incident getting shorter. However, the
financial impact of cyber breaches continues to go up, with current research
showing that the average cost of a cyber incident is between 16 and 17 million

When it comes to improving the company’s response, a board
can be a huge asset. Another director shared that, in her experience,
management might offer pushback against boards that want to do tabletop
exercises, seeing the process of simulating an emergency as “overdoing it.” And
yet, when her boards were allowed to engage on this level, management found
that the director perspective was invaluable because they were asking the right
kinds of questions that challenged basic assumptions.

“It’s important you put pressure on things,” Vikram Desai,
global managing director at Accenture, said in affirmation. “In my
observations, the CEO will ask the CISO [chief information security officer] and
the CIO [chief information officer] if everything’s good on the security front.
They say it is—and nothing gets back to the board. These are dynamics that
create a false sense of security.”

But despite best efforts, odds are that companies with a
digital footprint will be breached at some point in time—which will in turn
mean having to work with the federal powers that be. On this front, it was
noted that most companies are not 100 percent compliant with federal
regulations from the get go. At the very least, it’s important to have a formal
plan and timeline in place for becoming compliant as a token sign of good faith
for the regulators who may do a thorough investigation of the company’s
cybersecurity practices. Ignoring these issues, however, is not an option.

As the conversation accentuated the integral role that the
CIO has to play in the board’s oversight of cybersecurity issues, one director
asked about what small-cap companies should do, as they frequently lack the
financial means to attract and retain the requisite talent to help see boards
through these issues. And even if there is money set aside to bring on a CIO or
a CISO, the phrase “you get what you pay for” painfully springs to mind.

Here, outsourcing can be a viable option. “The smartest
thing a company can do is go to a managed security services provider,” Desai
said. “They can provide the ability to monitor operations, and if something
happens, they can activate the incident response plan. And within the universe
of security services, there is a ranking checklist that rates these companies
from OK to very proficient.” 

As the afternoon progressed, the conversation began to
explore a more fundamental element of cybersecurity: What part of the board
should assume the primary responsibility for overseeing cyber risk?
Historically, the audit committee has taken on this task largely because it was
concerned with enterprise risk management in general. But as the cyberthreat
landscape continues to quickly grow in scope, both Kress and Desai agreed that
this might not be the best arrangement and that—at least for the larger
companies with the capabilities to do so—creating a standalone technology and
risk committee might be key to capably overseeing these issues into the future.

Failsafe means of prevention may be impossible and having a
well-orchestrated crisis response plan is the best any company can hope for to
save face in a crisis. A company that makes the best of efforts remains at high
risk of losing stakeholder trust. It’s a problem too large for any one company
to solve, making it imperative to identify ways in which to foster

“We are nearing a point where boards need to ask management
how they are working with other companies within the industry,” Kress said in
closing. “Digital trust underpins every organization today. If we lose digital
trust, there will be significant financial impacts. I think that participating
in industry forums and being more willing to share knowledge with government
entities about breaches can help.”

Click here to read additional coverage from this roundtable event.