In the wake of the recent Equifax debacle, boards of directors are rethinking their cyber security readiness. Equifax was warned about the weaknesses in its cyber security and did nothing. When the company did discover it had been breached, it waited months to inform the public. As time went on, it appeared they were focused on covering their butts. The result is that 143 million people have had their social security numbers and birthdates exposed to hackers. Now the CEO, Richard Smith, has stepped down and been replaced.

As this case is investigated, it appears Equifax could have avoided this disaster. So who is responsible? Since the CEO has stepped down, it is apparent he was being held accountable. However, where was the board of directors?

In today’s world of cyberspace, corporate boards have to think about more than governance, CEO compensation and strategy. It is in the board’s best interest to ensure the company is not exposed to debilitating risks. Companies have workplace safety standards and sexual harassment policies to mitigate lawsuits. They even have disaster recovery plans in the event of natural disasters or occurrences like the World Trade Center plane crash. These plans and policies are in place to keep business running smoothly and perpetually, and they protect customers and employees.

However, with sophisticated computer hackers around the world, it is no news that computer systems and valuable information can be breached and stolen. There are hackers who breach computer systems as a business. They ask for ransom in the amount of tens of millions of dollars. If it is not paid, they threaten to release the company’s confidential information, which sometimes could contain private email communication from top executives.

While many enterprises as large as Equifax may have disaster recovery plans for their physical operations, they may not have the same plan for a cyber breach. Disaster recovery policies for a breach would include immediate action steps based on the size of the breach, who carried it out, what information was taken, whether company smart phones were breached, what to communicate to employees, the public and shareholders, as well as other important factors.

In some cases, it may make sense to inform the FBI. In other cases, it may be better to pay the ransom. The challenge with calling the FBI is that the hackers could be in countries like Russia, where the FBI may not pursue them. Why? Because the Russian government is always looking for good hackers. If the FBI exposes the hackers in Russia, the government may hire them, which can present long-term problems for the US. When it comes to paying ransom, it’s tricky. If you pay, they may hack you again as though you are an ATM. If you don’t pay, they may expose confidential information. These are also the kinds of challenges that directly involve the board.

What’s most important is that the board is talking about cyber security before there is a problem. There should be constant audits of the cyber security system to mitigate any risks. In addition, the board should hold the CEO accountable for that security. Furthermore, there should be clear policies to guide the board and the executive team on how to handle the various moving parts in a delicate situation. Boards with disaster recovery plans and high CEO accountability are more likely to be forward thinking about cyber vulnerabilities and proactive about updating the security system.
What do you think?

I would love to hear your feedback. And I’m open to ideas. Or if you want to write me about a specific topic, let me know.