The ability of a business to respond with speed and agility after the discovery of a significant cyberattack is critical to its overall recovery and resilience.
While the seriousness of cyber threats is becoming better understood, including at the Board of Directors and C-Suite levels, there is still a perception across industries that cybersecurity is a technology-based challenge that requires investments in more sophisticated technical solutions to detect, deter and deny cyberattacks.
Yet, regardless of the industry, it is often the post-incident corporate response – in terms of the management of the cascading business impacts of a cyberattack – that affects a company’s bottom line, valuation and brand reputation.
Business Impact-Based Approach to Cybersecurity
Businesses need to stay ahead of the threat by investing in company-wide crisis preparedness and business resiliency strategies that integrate the entire enterprise – from the Board, C-Suite, Human Resources, General Counsel, Cyber, Information Technology (IT), Corporate Security, Government and Regulatory Affairs, Corporate Communications, Investor Relations, et al. – into planning and executing a coordinated corporate response in the face of a cyberattack.
A costly misconception is that the technical cyber solutions being implemented are enough to meet potential responsibilities to internal and external stakeholders, including employees, clients, partners, relevant regulators, shareholders, and even the general public.
Unfortunately, undertaking measures to prevent a cyberattack may not be the only responsibility that is highlighted in the aftermath of a discovered cyberattack. For example, the loss of personally identifiable information (PII) of employees and/or customers, the theft of proprietary data and intellectual property, the physical disruption of business administration or critical operations, and/or the actual or threatened leak of sensitive internal emails and other communications, all give rise to multiple effects across the business. A range of key business units and leaders, not just the cyber and IT teams, need to coordinate and address those impacts.
Critical Issues to Consider
With that in mind, in addition to continued investments in technical solutions, businesses need to undertake an approach that seeks to address the following types of questions:
Why – not just how – is the business at risk for a cyberattack? Who could be targeting it and what are they interested in achieving? What kind of damage can they cause? Which business units may be affected by the damage or involved in the corporate response to address it?
What are the expectations, roles and responsibilities of various stakeholders within the company when a major cyberattack with significant business consequences is discovered?
How is information about the cyberattack and the resulting business risks and impacts being shared – vertically and horizontally – across the company? Who are the internal and external stakeholders that need to be notified? How should information sharing and outreach be prioritized? What are the policies and procedures – including tripwires and decision-making “triggers” – that should be in place to address the above?
How is the corporate-wide response being coordinated across key business units to meet the challenges and responsibilities posed by the crisis, while at the same time protecting the company from exposure to additional liabilities? How and when should corporate protections, including the attorney-client privilege, be invoked regarding internal assessments and decision-making? Are key business unit leaders aware of how their actions and decisions in the face of a cyberattack may affect perceptions of, and liabilities for, the company?
Businesses should invest time and resources in addressing the above types of issues before a cyberattack is discovered, not after. While cyber risks continue to grow, enterprise-wide preparedness is the key to corporate resilience.