What Should Boards Know About Cyber-Threats?

05/11/2015 05:10 pm ET | Updated May 11, 2016

Embarrassing emails from Sony executives and Hollywood celebrities got the headlines and the jeering tweets, but the hack, reportedly coming from North Korea, was a devastating cyber-takedown of the $20 billion company. The files revealed included highly valuable corporate assets like not-yet-produced screenplays and proprietary details of business transactions. The company reports that it has spent more than $15 million so far investigating and recovering from the attack. This was not a prank. This was the equivalent of someone breaking into the corporate headquarters and stealing $15 million in cash. That loss will have little impact on the company's operations or executive bonuses. The loss is felt by the shareholders, many of them pension funds representing employees like firefighters, teachers, police, and staff at private companies.

Target is one of many companies to suffer a data breach of confidential credit card information. Bloomberg Business reported:

In the days prior to Thanksgiving 2013, someone installed malware in Target's (TGT) security and payments system designed to steal every credit card used at the company's 1,797 U.S. stores. At the critical moment--when the Christmas gifts had been scanned and bagged and the cashier asked for a swipe--the malware would step in, capture the shopper's credit card number, and store it on a Target server commandeered by the hackers.

What is most troubling about this is that Target had already installed an expensive malware detection system before the breach, but when it sounded the alarm, the headquarters security team failed to respond.

Target's costs -- rather, Target shareholders' costs -- associated with this breach included a $19 million payment to the banks issuing the compromised cards. Sony, too, initially ignored the first indications of its hack, in this case actually sent to them by the hackers. Where were the boards of directors?

Executives are responsible for proposing and implementing corporate strategy, but it is the board of directors who are responsible for oversight and risk management. The risks of cyber-attacks are not "if" questions. They are "when" questions. And the answer to the "when" question is: now. Cyber-attacks are a real and constant danger.

It is the responsibility of the board of directors to make sure that companies have the best protection possible. It is even more important that they make sure corporate executives are ready to respond immediately when attacks occur. They cannot stop cyber-intrusions. They must stop this failure to respond promptly and effectively. According to BitSight, the leading firm monitoring cyber-attacks and corporate responsiveness, most successful attacks occur when bad guys exploit "known vulnerabilities," that is, vulnerabilities for which a patch exists but has not been applied. When corporate IT staff do not update their systems in a timely fashion, it is disastrous risk management.

A key indicator is the "detection deficit": the time that elapses between the breach and the moment it is discovered by the organization. BitSight issues ratings based on companies' performance relative to other organizations in responding quickly and effectively to attacks.

Boards must either establish committees or Risk Committee subcommittees to oversee cyber-security, not just of the corporation itself but of its supply chain and customers. This is an indispensable element of internal controls and risk management. Banks issuing credit cards can have excellent systems in place but if the retailers their customers shop at do not, they will face the Target problem all over again. Here's a tip: self-reporting is not adequate. Protection status must be independently verified.

SEC Chair Mary Jo White says that cyber-attacks represent the "biggest systemic risk" facing the U.S. And KPMG says investors increasingly insist on boards with demonstrated cyber-security expertise.

Whether the threats come from malicious individuals or rogue states, it does not take more than a few lines of computer code to have a devastating impact. While we are all taking off our shoes to go through TSA lines at the airport, the next major attack on our country is far more likely to come via computer networks than airplanes. Imagine if the next target is not credit card data but the files of the Federal Reserve or the New York Stock Exchange. Want to see what that might look like? Take a look at Rami Malek's new television series, Mr. Robot, coming in June on the USA Network. All corporate IT staff -- and all corporate directors -- should set their DVRs now.