Private Company Boards Dropping Cybersecurity Oversight Ball
One firm’s costly ransomware attack provides lessons learned
By Maureen Milford
A targeted, carefully planned cyber attack on a company can have serious implications, both financially and reputationally.
That’s what Elliot Luchansky, the CEO and a director of privately held cloud hosting provider iNSYNQ, found out after a highly potent ransomware strike in mid-July on one of its primary data centers.
Once triggered, the so-called MegaCortex malware encrypted data belonging to a large segment of iNSYNQ’s customers, according to the company and a cybersecurity division of the New Jersey Office of Homeland Security and Preparedness. On top of this, the attack set loose “a hurricane of malware spreading like wildfire at the same time,” Luchansky said at an online town hall held in August.
It’s the type of scenario that board members dread. Still, director awareness and understanding of cyber risks have not led to significant strengthening of oversight in the boardroom, according to the 2018-2019 NACD Private Company Governance Survey. Less than half of directors surveyed said that they had a strong enough understanding of cyber risks to provide adequate oversight, the survey says.
“The topic of cyberattacks is front of mind with private company directors,” says Melissa Krasnow, a partner at VLP Law Group who provides private companies with guidance on cyber issues. But while she has found that directors are interested in having privacy, data security and steps for minimizing cyberattack risk on the agenda, the board discussions often don’t lead to action.
“Considering is one thing, implementation is another thing,” Krasnow says. “The company will need to work with the directors on implementation and this does not always happen for a variety of reasons, for example, organizational priorities and culture, budget, etc.”
Not being fully prepared, however, can have consequences, as iNSYNQ, based in Gig Harbor, Washington, found out.
The ransomware attackers demanded a payment in cryptocurrency to restore data, which iNSYNQ ultimately opted not to pay, according to the company and published reports. Instead, iNSYNQ took down its infrastructure for a period to prevent the attack from spreading, according to the NJ cybersecurity division. Initially, the company began manually disinfecting systems, as well as reconstructing desktops, the company says. Customers became frustrated about the lack of transparency, the company said.
Now, iNSYNQ has been doing damage control, working to earn back the trust of customers as competitors use the attack to try to lure away clients. Indeed, the loss of customer trust following a data breach results in one of the biggest impacts on the bottom line in the form of lost business, according to the 2019 Cost of a Data Breach Report by IBM Security and Ponemon Institute.
Little wonder cybersecurity is keeping directors up at night.
The stakes are high for directors charged with overseeing risk. The average cost of a data breach in the United States has risen 130% since 2006, increasing from $3.54 million to $8.19 million in 2019, the IBM-Ponemon study found.
“The loss of customer trust had serious financial consequences for the companies studied, and lost business was the largest of four major cost categories that contributed to the total cost of a data breach,” the report says.
What’s more, the probability of experiencing a breach within two years rose to 29.6% in 2019, according to the report. Malicious attacks like the one launched against iNSYNQ are the most expensive and most common, according to the IBM-Ponemon report.
Unfortunately, only 7% of private-company directors surveyed said they strongly agree that their company is properly secured against a cyberattack, the NACD survey found. Just 8.5% said they had participated in a simulation test or exercise of their company’s response plan to a cyberbreach, the survey found.
Experience can be a hard teacher.
During the iNSYNQ town hall, covered by Accounting Today, Luchansky said, “It is one thing to prepare for these events — but it’s an entirely different experience to live through one firsthand.”
“The silver lining here is that we are way better positioned and have better tools and know so much better what this really looks like to take preventive measures to lower the risk of this happening again, and taking steps to be prepared,” Luchansky said.
The companies that handle cybersecurity best are those that are committed to dealing with it, VLP’s Krasnow maintains. “They say, ‘This is an issue we need to address,’ and they get together a cross-functional team. They’re transparent so all are aware of the process, not just one person,” she says.
For boards wishing to limit risk, experts offer these recommendations:
- Put cybersecurity on the agenda as a recurring item, the NACD suggests in its survey. Directors should regularly assess how management is responding to new weaknesses.
- Invest in programs to create a system that satisfies governance requirements, evaluates risk across the organization and monitors governance compliance, says the IBM-Ponemon report.
- Develop strong internal and external communication systems so directors are constantly in the loop and hearing from a variety of people in the organization.
- Make sure someone in the company knows what the organization’s contractual obligations around cybersecurity and data privacy are, Krasnow says.
- Encourage the company to join industry task forces to keep abreast of threats and incidents, the NACD survey says.