Cyberattacks threaten the corporate world. Here's what companies need to know about what comes next.
- The corporate world must prepare for what comes after a cyberattack.
- A ransomware attack might risk a company's valuation.
Cybersecurity in the corporate environment is an enigma. In some companies, it's seen as an obstacle to smooth sales operations, as security can cause delays and impose impediments to fast-moving sales opportunities.
In other companies, it's a business imperative and a top concern for the board of directors as well as a focus when it comes to acquiring and managing talent.
For the rest, cybersecurity sits somewhere in the middle: some companies need it to meet regulatory and legal requirements for governance, risk, and compliance, while others see it as a distraction.
In a recent CNBC and Momentive survey of 2,000 small businesses, 56% of respondents said they were not concerned about being hacked in the next 12 months, while 24% said they were "not concerned at all." That said, Verizon's 2021 Data Breach Investigation Report found that 28% of data breaches in 2020 involved small businesses.
According to the National Cyber Security Alliance, industry reports indicate that 60% of businesses go out of business within six months of a data breach or cyberattack. This comes as cybercriminals improve their effectiveness and expand their capabilities.
In many organizations, the responsibility of cybersecurity lies with the technical staff, including the chief information officer and chief information-security officer (CISO).
What the board wants to know
When making a presentation to the board of directors about a cybersecurity incident or data breach, it's best to avoid technical jargon. Here are the top cybersecurity topics boards want to know about:
- What is the cost — in staff hours — to recover from an incident?
- How long will it take to restore services to affected staff and/or users?
- How will a cybersecurity breach influence the company's reputation?
- What are the legal-compliance implications of disclosing or not disclosing a breach?
Cyber threats affect more than data infrastructure. Cyberattacks also threaten reputation, mergers and acquisitions, corporate valuation, the ability to raise or obtain funding, and other business-centric functions that are outside the purview of the technical teams.
"When a cyber incident hits, it affects the whole business, and critical decisions need to be made within hours — not days — of an incident," said Kevin Breen, the director of cyberthreat research at Immersive Labs, a cybersecurity-preparedness company.
As part of this response, there needs to be a rapid understanding of the broader risk, governance, and legal requirements. "It's critical that a CISO breaks down the technical jargon into clear, concise, and actionable decision points" for the board of directors, Breen said, adding: "Context is arguably the most important piece of information you need, and that must involve all stakeholders at the earliest stage."
For example, if a company is planning a merger or acquisition, a cyberattack might influence the value of the asset being acquired or the amount of money the company can raise. In 2017, after Yahoo disclosed two major data breaches, Verizon's acquisition offer for the company dropped from $4.75 billion to $4.48 billion, a whopping $350 million decrease.
The importance of cybersecurity due diligence
An often overlooked component of a merger or acquisition is how the two corporate entities' cybersecurity tools, policies and procedures, and operations will come together. Incompatible systems, software, and implementations of security protocols can lead to data leaks and gaps in the respective security systems.
"It's not just an attacker you have to worry about — you could have to deal with human error, too," Breen said. "Before joining two networks, a full inventory of infrastructure should be done to understand what assets are in place and who has ownership. It would be easy, for example, to lose track of a development or testing network, leaving it unpatched and exposed as a hidden weak spot."
Cyber-insurance requirements
Beyond having a comprehensive cybersecurity strategy, companies must meet a list of requirements that cyber-insurance vendors set for policy eligibility. While these checklists vary from vendor to vendor, many of the must-have items are similar. They often include:
- A written incident-response plan
- Master services agreements and service-level agreements
- Multifactor authentication
- Third-party risk management
- Patch management
- Vulnerability management
- Endpoint detection and response
Often, attorneys who specialize in cybersecurity check whether companies have cyber insurance to partly protect against financial losses.
It's common for companies in the current cyber-insurance environment to be at risk of losing their protection. Carriers and brokers are more closely reviewing policies up for renewal because of significant financial losses over the past year. In Canada, for example, cyber insurers are seeing a loss ratio of 113%, according to Canadian Underwriter.