Cyber incident response: the board’s essential role

Boards and General Management, Board risk oversight, Cybersecurity

Cyber Risk Director Network, February 2020

“When you’re in the middle of a cyber crisis, the facts never look like you thought they would. You can end up with inconsistent narratives.” – Director

On December 11, 2019, CRDN members met in New York to discuss how companies plan for major cyber incidents and actually respond to them. In particular, they examined the role of the board and its independent directors. Professor Steve Weber of the University of California, Berkeley, joined the discussion, as did three partners at King & Spalding: Phyllis Sumner, leader of the firm’s Data Privacy and Security practice; Scott Ferber, recently associate deputy attorney general at the US Department of Justice; and Zack Harmon, recently chief of staff to the director of the Federal Bureau of Investigation (FBI), Christopher Wray. From Booz Allen Hamilton, CRDN members were joined by Bill Phelps, executive vice president, and Jerry Bessette, leader of the Cyber Incident Response Program. All of these experts agreed to speak on the record.

Executive Summary

The conversation on responding to cyber threats focused on what motivates cyberattacks, how corporations should respond, and the role of the board:

  • Mixed motivations underlie recent major attacks. Although cyber criminals continue to steal data and deploy ransomware for financial gain, many recent high-profile incidents have had different motivations—for example, disabling a company’s operations as an act of revenge. Varying motives for attack make incident response planning complex and challenging.

  • The corporate response to an attack needs to go beyond technical or legal matters. At some firms, the focus after a breach is on containment and on satisfying legal and regulatory requirements. CRDN members discussed a customer-focused approach instead. It may seem risky and expensive, but many companies are learning that starting with customers and their perceptions and fears can, in the long run, reduce legal risk, reputational harm, and total cost.

  • The board’s involvement in both planning and response is critical. The speed and ambiguity of a cyber incident and the company’s response make it difficult for non-executives to engage, but members agreed that boards must actively participate, especially in assuring themselves about the company’s overall incident response planning.