Aside from regular, quarterly presentations to your board, you may be involved in special meetings in response to an incident or business change. Following is some guidance on how to handle these ad hoc board meetings.
The dreaded breach meeting
As part of your procedures for breach and incident response, you should create a plan – both at the technical and board levels – to address lessons learned. The best time to do this is before an incident occurs.
Tabletop exercises conducted with the board are a great way to test the output of your lessons-learned plan. This tactic demonstrates your proactive stance and helps clarify how the members want to receive this information.
If a data breach occurs on your watch, you can expect aggressive questions from the board about what happened, the tactical and strategic implications for the business, how you are addressing the issue, and how you plan to avoid a recurrence.
To prepare for this detailed and possibly fraught interchange, thoroughly research and document the root cause of the breach. If the attack circumvented controls you previously implemented and reported on to the board, the directors will undoubtedly question why they were not effective in stopping the attack. If your prior reporting did not flag any issues with these measures, the questions may turn into accusations.
To understand the board’s attitude, remember that directors may be liable if they fail to exercise care and diligence in relation to cybersecurity, including safeguarding the organization against financial costs, reputational damage, and legal repercussions from an attack.
On the other hand, if the attack was not related to existing controls, you may be able to make a case for more resources to implement new technologies or processes.
The meeting about upcoming business changes
A well-run board will involve the CISO or CIO in advance when a merger, acquisition, new facility, new partnership, or other major business change is in the works. The board will want you to research the project and report back on any associated cyber risks. For instance, in considering a potential acquisition or merger, they will seek reassurance that the entity did not experience and fail to properly report a previous data breach. In other words, they don’t want surprises.
Marriott and Verizon both discovered the serious ramifications of such a surprise. When it acquired hotel properties from Starwood in 2016, Marriott was unaware of a “compromised database breached by bad actors who were duplicating, encrypting and working to erase personal data of guests,” according to CIODive. The breach impacted 500 million hotel guests.
In Verizon’s case, its 2017 acquisition of Yahoo! was put in jeopardy after breaches affecting 3 billion Yahoo! users were revealed. To compensate, Verizon cut $350 million from the original deal price.
To help the board avoid a similar situation, always assume there has been a breach. Then, conduct thorough research into the new entity, location, or partner and report on specific impacts, probabilities of occurrence, and recommendations on how cyber risks can be addressed.