In the wake of the recent Equifax debacle, boards of directors are rethinking their cyber security readiness. Equifax had been warned about a known, patchable weakness in its systems and did not fix it. When the company did discover it had been breached, it waited roughly six weeks (from late July to early September) before informing the public. As time went on, it appeared the company was more focused on covering itself than on protecting the people affected. The result is that 143 million people have had their Social Security numbers and birthdates exposed to attackers. Now the CEO, Richard Smith, has stepped down and been replaced.
As this case is investigated, it appears Equifax could have avoided this disaster. So who is responsible? The CEO's resignation shows that he, at least, was held accountable. But where was the board of directors?
In today's connected world, corporate boards have to think about more than governance, CEO compensation and strategy.
As it stands, it is in the board's best interest to ensure the company is not exposed to debilitating risks. Companies have workplace safety standards and sexual harassment policies to limit lawsuits. They even have disaster recovery plans for natural disasters or events like the September 11 attacks on the World Trade Center. These plans and policies exist to keep the business running smoothly and continuously, and they protect customers and employees.
However, with sophisticated attackers operating around the world, it is no news that computer systems can be breached and valuable information stolen. Some groups breach computer systems as a business. They demand ransoms in the tens of millions of dollars and threaten, if they are not paid, to release the company's confidential information, which can include private email between top executives.
While many enterprises as large as Equifax have disaster recovery plans for their physical operations, they may not have the equivalent for a cyber breach: an incident response plan. Such a plan would lay out immediate action steps based on the size of the breach, how the attacker got in, who was behind it, what systems and data were accessed (including company smartphones), whether the attacker still has a foothold, and what to communicate to employees, the public, regulators and shareholders, among other factors.
In some cases, it makes sense to inform the FBI. In others, a company may conclude it is better to pay the ransom. The challenge with calling the FBI is that the attackers are often in countries such as Russia that do not extradite their citizens, so an investigation may identify them without ever producing an arrest. Publicly exposing skilled hackers can even make them more attractive to their own government, which presents long-term problems for the US. When it comes to paying ransom, it is tricky. If you pay, you have no guarantee the stolen data is deleted, and the attackers may come back as though you were an ATM. If you don't pay, they may publish the confidential information. These are also the kinds of decisions that directly involve the board.
What matters most is that the board is talking about cyber security before there is a problem. There should be regular audits and testing of the company's security to find and reduce risk, and the board should hold the CEO accountable for that security. There should also be clear policies that guide the board and the executive team through the many moving parts of a delicate situation. Boards that have an incident response plan and hold the CEO accountable are more likely to think ahead about cyber vulnerabilities and to be proactive about keeping their security up to date.
What do you think? I would love to hear your feedback. And I’m open to ideas. Or if you want to write me about a specific topic, let me know.