Boardspan Library

What Boards of Directors Need to Know About Cyber Incident Response

by Matt White, Alex Koskey

From Colonial Pipeline, to Acer, to JBS USA, cyberattacks have dominated the headlines throughout 2021. These attacks have become more sophisticated, more costly, and more harmful than ever due to the very real threat of cybercriminals stealing an organization's (and customers') sensitive information. The potential damage to the organization can be catastrophic.

The reality today is that cybersecurity is a critical business issue that must be a priority for every organization. As business operations become increasingly digitized, data has become one of the most valuable assets of any organization. This has resulted in increased expectations from customers, employees, regulators, and other stakeholders that an organization has developed appropriate resilience measures to protect against the evolving cyber threat landscape. The failure to do so presents substantial risks including loss of consumer confidence, reputational damage, litigation, and regulatory consequences.

An organization's cyber risk management and response program must now be an enterprise-wide effort with participation at all levels. Critically, this includes the board of directors, which needs to set the tone-at-the-top that cyber risk is a critical issue and must encourage and promote cyber awareness throughout all levels of the organization. Boards must recognize that cybersecurity is a strategic business enabler and has a direct impact on how the organization operates, innovates, and creates value on a daily basis.

An organization's board of directors typically has two responsibilities: (1) strategy and (2) risk management. It is nearly impossible to address those responsibilities today without discussing cybersecurity. Boards should be hyper-focused on oversight to quantify the risk of a cyberattack and the potential impact to the organization, and to identify the best methods to minimize risk and strengthen cyber resilience. This is no longer just an isolated issue for an organization's IT or security departments, and boards can no longer exclusively rely on management to provide a full and complete picture of the enterprise. Rather, boards must take an active role in aligning cyber risk management with business needs.

The following are some best practices that an organization can use to work with its board in addressing cyber risk and responding to an incident:

Educate board members on cyber risks: The board needs to be educated on the types of cyberattacks that are potential threats to the organization, the assets that are particularly vulnerable to those cyberattacks, and what investments can be made to combat those potential threats. Although board members have traditionally been reluctant to engage in cybersecurity discussions due to lack of familiarity with the subject matter, a high-level explanation will help promote engagement and focus in assessing these risks.

The board does not have to have expertise in information technology but must be educated on these risks in order to understand what questions to ask of management and other executives. Companies can utilize their existing relationships and expertise such as its cybersecurity and incident response counsel and forensic providers to prepare specific board training sessions to assist in this process.

Provide basic knowledge of information assets: The board should have general knowledge of the type of information that is generally collected by the organization, where that information is located, and how the organization identifies and manages risk with third-party vendors. Although the board doesn't need to be quizzed on the specifics of the organization's data mapping exercise, this will enable the board to better understand the controls and processes that should be enabled to protect business operations.

Devote adequate time to discuss cyber issues: As part of promoting a culture of cybersecurity throughout the organization, adequate time should be devoted during board meetings to discuss cyber issues. Key executives should present on critical topics to underscore that it is a priority, and management should periodically present on risk assessments and audits of the organization's security protocols.

Board members should also have access to cybersecurity expertise when needed, including legal counsel, forensic providers, and managed service providers (MSPs). These discussions help the board develop the organization's risk profile for cyber threats, establish expectations for the organization's cybersecurity program, and help ensure that resources are appropriately allocated to achieve desired goals.

The board can also understand how the organization's cyber risk protocols can impact significant business decisions, including potential mergers and acquisitions. As the cyber insurance market continues to rapidly develop, these sessions can also assist the board in understanding the organization's coverages in the event of an incident.

Maintain overview of regulatory schemes and legal obligations: Boards must be aware of the potential legal obligations regarding privacy and cybersecurity issues. This is complicated by the fluid state of privacy legislation at the state and federal levels, the cyber threat landscaping evolving by the day, and changes to the organization's work environment due to COVID-19. Organizations should also educate boards on potential regulatory reporting obligations in the event of a data incident. Understanding these legal and regulatory obligations will help the board identify the best methods to mitigate the potential risk and strengthen the organization's resilience.

Brief the board on incident response planning: Even though board members aren't going to be part of the actual incident response team, they should have a high-level overview of the organization's incident response plan. This would also include a discussion of how the board may be notified during an incident, the potential operational impacts that a cyberattack may have on the organization, and the role of board members in responding to external demands for information during an incident. Organizations should also consider involving boards in tabletop exercises, or conducting board-specific exercises, so they can see what a simulated response to a data incident may look like and the potential issues that may arise depending upon the facts.

Boards are being forced to change their mindsets regarding cybersecurity issues. What was previously considered an isolated technical issue has transformed into something that must be a factor in all strategic business decisions of an organization. Failing to do so can have dire consequences for the organization and its board. However, proper board preparedness and planning can be critical to insulating officers and directors from liability. Accordingly, organizations must work to educate their boards on cyber risks and the potential legal ramifications of those risks so that the board can align the organization's cyber risk profile with its business needs.

The idea of total protection from cyber threats is unrealistic. However, organizations are best served when their boards promote a culture of cyber awareness and integrate investments into cyber resilience with the overall strategic vision of the organization.


Matt White, a shareholder in the Memphis office of Baker Donelson, advises clients on cybersecurity and data privacy issues. He is a Certified Information Privacy Professional (CIPP / US, CIPP / E) and a Certified Information Privacy Manager (CIPM).

Alex Koskey, an attorney in Baker Donelson's Atlanta office, is a Certified Information Privacy Professional and represents financial institutions and organizations on data privacy, regulatory and compliance, and litigation matters.

This article was originally published by Reuters/Westlaw on August 18, 2021. Its use here is with the permission of Thomson Reuters.

More on Risk