Skip to contentSkip to navigation

How an effective board of directors manages cyber risk and promotes cyber resilience

How an effective board of directors manages cyber risk and promotes cyber resilience

In its Global Risks Report 2022, the World Economic Forum identifies cybersecurity failure as a risk that has worsened significantly in recent times.

Indeed, as we have written previously, when it comes to cyber attacks, it’s not a question of if; it’s a matter of when.

Directors have a fiduciary duty to act in the best interests of their organization. They must keep on top of economic trends and emerging threats to business continuity. They are charged with managing risk. Whereas topics such as climate change and cybersecurity may once have been afterthoughts, these are now primary considerations and have become standing items on the boardroom agendas of well-run corporations.

In this digital era, data is often the most important asset on the balance sheet. An integrated strategy and a cyber preparedness plan are the keys to cyber resilience, mitigating risk by limiting financial exposure and reputational damage. Effective board oversight ensures that digital strategies keep up with evolving cybersecurity threats, while maintaining business continuity. High-performing boards prioritize cyber resilience and ensure the right plans and processes are in place before a cyber attack strikes.

Modern standards of corporate governance dictate that a company’s directors must think one step ahead, instilling an enterprise culture in which cybersecurity resilience and preparedness are the lead criteria for Board decisions.

Cyber crisis response plan

Today’s boards expect company officers to put in place a cyber crisis response plan. Who will be around the table when the crisis cell meets? Who needs to be notified? Will the company pay a ransom to hackers? What outside expertise will be called upon? Roles must be clarified, and protocols must be established for rapid escalation and activation of your cyber plan by the C-Suite.

Communication is key. The cyber communications plan must identify who will speak for the company. What will they say to concerned stakeholders? Are there holding statements and communications templates in place? How will the board be kept informed in the wake of a cyber attack? With growing consumer expectations for open, timely, and transparent communication, silence is not an option; rumours and speculation will fill any communications void.

Testing your plan

Boards expect a crisis response plan to be tested, at least annually, through simulations and other tabletop exercises. Best practices also include a quarterly review of that plan. A crisis response plan that remains on the shelf, and is not stress tested, is not worth the paper it is printed on (or the floppy disk it is saved on!).

Limiting liability

When an organization is the victim of a cyber attack, litigious parties will hover, waiting to file lawsuits on behalf of customers, shareholders, or other stakeholders who can allege they have been adversely affected. The best defence against a claim of director liability is a paper trail demonstrating that the board took all reasonable precautions to protect against a potential attack, and made adequate preparations to react rapidly and transparently to an incident.

Improvisation has no place when cyber criminals strike. A well-executed plan that has been choreographed in advance will inspire confidence, discourage lawsuits, and even enhance the company’s reputation.

To discuss how best to fulfill your fiduciary duty to adequately prepare for a cyber attack, we invite you to reach out to our cyber incident response experts. NATIONAL Public Relations has access to an integrated team of crisis experts, legal counsel, IT, and security experts to ensure effective communications with stakeholders in both official languages, in the event of a cyber attack.

We would welcome the opportunity to help you devise and implement a robust state-of-the-art incident response plan. After all, an ounce of prevention is worth a pound of cure!