The Board’s Role in Cybersecurity Incident Response

Seven questions boards should ask to make sure management is responding effectively to cyber breaches.

The number of cyber incidents is on the rise and most cyber experts would say the question is not if but when your company will face a serious breach. The average cost of a cyber breach climbed to nearly $5 million in 2024, a record-setting level. It’s critical that boards have a playbook for responding.

Cybersecurity incidents can range from a minor inconvenience to an existential crisis for an organization. When assessing the board’s role, it’s important to first understand the nature of the incident. A breach occurs when an unauthorized entity gains access to a network, but not all breaches have immediate consequences. 


“It’s often a little chaotic in the first moment of determining whether a breach is a real issue or not,” says Shannon Yavorsky, global chair of the cyber privacy and data innovation practice of Orrick, Herrington & Sutcliffe LLP. “Is it a ping to the firewall or a simple human error? Are ransomware attackers in your system right now? Was it a failed attempt or a benign attempt, like a false positive alert?”

It is also important for leadership and the board to understand when a breach creates a material risk for the company. With no common definition or standard, it’s up to each senior leadership team (with board oversight) to determine what “material” means. Determining materiality involves input from the chief information security officer, general counsel, the CFO and executive leadership based on data loss, adversary type and business impact. This will vary based on industry, but it usually translates to impacts on confidentiality, integrity, and availability of systems and processes, says Shawn Henry, the chief security officer at CrowdStrike, who also serves on the boards of CLEAR and ShoulderUp Technology Acquisition Corp. 


“You want to know, who are the threat actors that targeted us? What were the vulnerabilities that were exploited and what was the actual impact on the company, our customers or our vendors? It might be a significant number of customer records that are lost. It might be they have impaired your ability to operate.”

When there is a breach that creates a material risk to the company, the board has a fiduciary responsibility to oversee the response, ensuring the company is addressing potential financial, reputational, operational and legal risks. However, the board must remain in an oversight capacity, allowing management to execute the response while providing strategic guidance and accountability. Here are several key questions the board should ask to ensure management is responding effectively.

Is our crisis management plan current? As with all crisis management, effective response to a cyber incident starts before a breach actually happens, when things are calm. Ideally, the company has a crisis management plan in place specifically to respond to a cyber breach and is pressure-testing it periodically. The plan should outline the response team, key actions and external contacts such as law enforcement, cyber insurance providers, forensic teams, outside counsel and crisis communications specialists. It should also include periodic tabletop exercises.

When the plan is designed and reviewed annually to ensure it’s up to date, it can mitigate some of the worst of the damage, says Admiral Pat Walsh, the former commander of the U.S. Pacific Fleet, who now serves as a senior fellow at the John Goodwin Tower Center for Public Policy and International Affairs at Southern Methodist University and on the board of Austin Industries. 


“I worked with a company where we tested the response plan using the current malware that was in the wild. They got hit with it two weeks later and instead of frantically shutting down the system, they’re high-fiving each other because they know exactly what they’re going to do since the malware is behaving exactly the way they expected it to.”

Who is on the response team and who is in charge? The crisis-response plan should also clarify, in advance, the specific roles and responsibilities company leaders will play during crisis response. The plan should identify the lead internal point person and the spokesperson for the firm (often, the general counsel). Crisis communications are critical. Public relations and legal considerations are just as important as technical response — knowing when and how to communicate is key. The board should ensure the organization has a clear strategy to communicate with both internal and external stakeholders, balancing transparency with reputational risk. Tabletop exercises should role-play not just how the security and technology teams respond, but also how leadership, including teams that focus on finance, brand, and people and culture, would act as well.

“All of that comes very clearly into focus when you’re under the glare of the media, for example,” says Walsh. “So, if you get hit, it helps that you’ve already played it out and people have thought through what that is going to mean for them.”

The team should designate a communications lead and consider key questions like, does the public know and under what circumstance do they need to know?

“Stakeholder management is key,” says Yavorsky. “The board and CEO should be thinking about how the company is going to communicate with employees, customers and any partners.” She points out that it can be tricky to identify the right time to notify those different stakeholders, especially if the breach is ongoing, so prior planning and practice are critical.

Is the breach still ongoing or has the attack ended? The board should understand that the security team may need time to contain the breach and stop the bleeding before reporting to the board.

“Sometimes, the people who are responsible for actually stopping the bleeding are also the people that the board’s going to want to talk to. And if you pull these people off the task so that the board gets information more expeditiously, you might be delaying the stabilization of the network. So, there’s always going to be a balance,” says Henry.

Once the board is informed, it should verify whether the threat has been eradicated or merely contained. Has the team been able to eliminate the intruder’s access? What has been done to reset credentials, close exploited vulnerabilities and verify that containment measures are holding? These capabilities should be tested routinely, so that mitigation measures are identified and pressure-tested before an incident occurs.

What is our exposure? In essence, determining exposure means ascertaining impact to the business.

“You should determine whether hackers gained unauthorized access to any kind of systems or data and whether any safeguards were bypassed. You’re also checking for exfiltration, so you should confirm whether any data was stolen or altered,” says Yavorsky.

The board should ask: What data or systems have been compromised? Is there a ransom demand? Have intruders interfered with internal systems in a way that impacts operations? Has critical customer or employee data been compromised? Understanding the answers to these questions will help the leadership team focus the response plan and help the board provide effective oversight. In the case of a ransomware attack, during which a hacker demands payment to obtain the keys to decrypt files or to prevent stolen data from being leaked or sold, the board should also be actively involved in these discussions and ultimately make the call on whether the company will pay up. Among the risks of paying is that the company may unwittingly fund a terrorist group, risking fines or other sanctions. In 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued sanctions guidance and warned against “facilitating ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response,” saying they “not only encourage future ransomware payment demands but also may risk violating OFAC regulations,” which can include fines and jail time.

The company should also consider the benefits and potential drawbacks of calling in law enforcement. The decision to engage law enforcement depends on the nature of the breach and should be made with guidance from the general counsel. If the breach involves a fraudulent transfer or transaction, law enforcement, when notified quickly, may be able to leverage relationships with financial institutions to interdict the transfer. Law enforcement may also be able to seize and recover lost data or provide tools to decrypt data encrypted by ransomware. In cases where a ransom has been paid, regulators often consider a company’s full and timely cooperation with law enforcement, both during and after a ransomware attack, to be a significant mitigating factor when evaluating a possible enforcement outcome.

Are normal operations impacted? Some breaches may involve hackers whose actions directly disrupt operations or create a scenario that requires systems to be taken offline.

“From the CEO’s perspective, they’re thinking about what are the existential issues for the company as a result of this breach? Do we need to shut down for some period of time? Are we even able to operate? You’ve probably heard of terrible situations where, for example, a hospital system’s data is subject to an attack, and that’s really critical for the continued operation of the organization. So, those questions around the implications for business continuity are critical for the CEO and board to be asking,” says Yavorsky.

In an ideal situation, the company can find a way to contain and then eradicate the breach so that it doesn’t interrupt business operations. This may run counter to the IT team’s first instincts to simply stop the bleeding.

“It’s easy to get into reactionary mode and want to shut down a particular part of the company without any sort of consideration for larger impact to business,” says Walsh. “We did a tabletop exercise with an oil and gas company and in the simulation their reaction was to shut down the ability to monitor temperature and pressure in an oil pipeline, which is a huge EPA red flag event.”

There are many cases where limiting operation is necessary either because intruders have compromised the function of systems or because the team needs to temporarily disable infected systems to restore them to pre-breach operations. The board should ask if it’s necessary to limit operations and, if so, the timeline for restoring operations, all with an eye toward mitigating impact to the business.

What are our regulatory and reporting requirements? It is also critical to understand the types of data or systems accessed because that can determine the organization’s legal and regulatory obligations. Breach disclosure requirements vary by jurisdiction and industry. Personal data breaches may trigger compliance with laws across multiple jurisdictions. Some regulations require notification within 24 to 72 hours. Critical infrastructure and highly regulated industries, such as defense, energy or health care, may have additional cybersecurity requirements. It can also be tricky to know exactly when the clock starts, says Yavorsky.

“It can be difficult in the first moments after an incident to determine exactly what’s happening. So, that’s a really important question for the legal team to start identifying: ‘Okay, now we know it’s a breach. What are our legal and regulatory notification obligations, and how long do we have to do that?’”

The board should verify that management understands the relevant laws and regulations that apply and that the company has a clear reporting strategy.

What is the path to recovery? The path to recovery should start with identifying the key players involved in that recovery, including the internal team and external advisors. These individuals include forensics experts, outside counsel, crisis-communications professionals and insurance providers. The board must confirm the organization understands coverage for incident response, legal costs, regulatory fines and business-interruption losses, as well as any critical provisions around how to respond, including specific providers with which the company should work. 

The CEO and the board should also determine the overall financial impact of the breach.

According to Yavorsky, “There is the cost of the immediate time and resources of the people in the company who are allocating their time and resources to response and recovery, but there is also the time and resources of the different outside vendors, legal, the forensic experts and PR folks, plus the costs associated with compliance and legal issues like sending out notices to affected stakeholders, resulting class-action litigation or complying with regulatory investigations.” The costs can balloon into the millions, placing a significant burden on smaller companies.

From a financial recovery standpoint, another benefit of bringing in law enforcement is the potential to recoup funds in cases where money has been exfiltrated or a ransom has been paid. In recent years, the Department of Justice (DOJ) has had considerable success recovering payments from ransomware attacks. For example, nearly a month after the 2021 Colonial Pipeline ransomware attack, the DOJ and FBI recovered $2.33 million of the ransom payment. And, in 2023, the DOJ and FBI infiltrated the Hive ransomware group and used that access to provide decryption keys to victim organizations, averting more than $130 million in ransom payments.

What have we learned? Breach recovery should also include lessons learned. The board should ensure management is conducting a root-cause analysis and implementing improvements in security protocols, employee training and response procedures.

“Once you’ve stabilized systems, you want to do a root-cause analysis,” says Henry. “What happened, how did it happen and why did it happen? What protocols do we need to put in place? What processes or new technologies do we need to bring in? Do we need to change our operating structure? Do we need to make material alterations to our environment so this doesn’t happen again? It’s critical to collect as much information as possible so you can make thorough and informed decisions.”

It is also a good opportunity for the board to review its own governance processes. Some items the board should consider include the process for cyber reporting to the board, how key committees are involved and board composition relating to its cyber and technology expertise.

About the Author(s)

Erin Essenmacher

Erin Essenmacher is chief operating officer of Conscious Capitalism, advisory board chair and senior advisor of Athena Alliance, a board member of NXU Inc., and an advisory board member of DEMI Fund and Future Directors Institute.
