Editor’s note: The following is a guest article from Frank Shultz, chairman and CEO of Infinite Blue.
The Securities and Exchange Commission (SEC) is planning to implement a new rule that requires corporate boards to disclose cybersecurity incidents to investors and regulators more quickly.
This is great news. It will increase transparency and accountability among public companies, which have generally done a poor job of disclosure up until now.
However, simply admitting that an incident took place isn’t enough. If organizations want to actually get serious about protecting themselves, they need to have a robust system for handling incidents when they happen.
And let there be no doubt: They will continue to occur.
When a breach happens, leaders must know immediately which actions to take to mitigate the damage and prevent further harm. This means having a disaster plan in place beforehand.
This plan can’t be static, with precise instructions to follow in a given scenario. No one ever uses those when a crisis arises, because they’re too bound to specific use cases.
Instead, organizations need flexible plans — following broad principles rather than ironclad rules.
One of these principles is to understand the interdependencies between various internal systems and dependencies on third-party vendors.
Executives need to know if their data and systems are hosted externally, what their service level agreements and uptime guarantees are, and whether they have the option of moving to a better and more resilient vendor if needed.
Leaders must also know exactly how they’re going to react when the crisis begins. Who has the authority to pull the "kill switch" and cut off access to the breached systems? Which employees are they going to call if they suspect something? Who needs to be in the loop? What are their obligations to disclose the attack externally, and at what time or impact thresholds?
Executives should picture doomsday scenarios and ask themselves honestly if they would know what to do in such an event.
If 10,000 laptops were nuked in an hour due to a malware attack, would they know how to quickly recover and reimage all of these devices? Or would their business collapse for a week?
Being prepared also means having the right technology and cybersecurity advisors operational ahead of an incident. Companies must identify critical systems that support their key processes and services, and put in place tripwires such as intrusion detection systems, firewalls, and active and passive scans.
Third-party monitoring systems can help companies identify potential vulnerabilities before an attack takes place. If the organization has contracted with a cybersecurity advisor, leaders must know who they are and be able to contact them immediately.
Businesses should conduct regular third-party audits such as penetration testing and social engineering testing, and provide training for their employees on how to recognize and respond to potential threats. This includes insider threat training, security training and phishing simulations.
In addition to taking rapid action, leaders must also be able to determine how a cyberattack is going to affect their business. If they hope to be able to do so quickly and accurately, they should conduct a business impact analysis (BIA) ahead of time.
This should not be treated as a perfunctory exercise, but a major priority for the organization. The leadership should make sure to communicate that to all involved with planning the BIA.
What to say
Crucially, CEOs must have a strategy for managing internal and external communications once a cyber incident occurs. Questions are inevitably going to be asked, and they need to be ready to answer them.
The wording and tone they use in their interactions with users, employees, shareholders, clients and the public must be handled with meticulous care. Even one false note can send interested parties into a frenzy from which the organization may never recover.
Finally, leaders should have a process for integrating the lessons from the cyber incident into their overall cybersecurity strategy going forward.
Too many companies move on from attacks assuming the worst is over, without realizing that another one may be on the horizon with even more devastating consequences. Or they spend too much time focusing on the last event, with blinders on regarding other threats that may have greater impact and likelihood.
Being prepared for a cyberattack is not just about protecting user data or the business — it's also about protecting your company's reputation. Executives must realize that mishandling a breach won’t just be an operational headache, but a public relations nightmare.