Boards should be involved in evaluating cyber-crisis management plan

Most organizations understand that cyber-breaches are not uncommon. ‘In today’s environment, the mantra has changed from if an entity can be breached to when an entity is breached,’ says Glenn Siriano, KPMG cyber principal. Security teams need to be prepared for the breach with a cyber-crisis management plan, a ‘well-thought-out set of activities and process steps that are enacted during a cyber-breach,’ Siriano adds.

A cyber-crisis management plan should do the following:

• Integrate into a firm’s overall business continuity and crisis management plans and approaches 
• Contain table-top scenarios developed and tested for the various types of data breaches that could have a material impact on the organization 
• Detail the steps needed for the response, containment and forensic analysis necessary to understand the depth of the incident, notification and escalation, and remediation and post-mortem steps.

Board members are an important part of the cyber-crisis management process; they should ask management whether a cyber-crisis management plan exists and review details of testing the plan. The board can be included in table-top testing exercises as well. ‘The board does not necessarily need to be involved in the creation of the plan, as much as the need to understand the plan and the critical success factors involved in invoking it,’ Siriano says. 

Those developing a cyber-crisis management plan should decide ‘when it is appropriate to escalate a cyber-incident up to the board level, and should detail the board’s role in understanding the success of the actual invoking of the plan and subsequent post-mortem,’ Siriano adds.

‘Typically, the board should be notified in the event of a material breach or loss, when the organization’s reputation can be at risk, when there is a major regulatory or legal implication, or when there is the risk of extended outage due to the nature of the breach.’ 

He suggests the following individuals involve themselves in creating a cyber-crisis management plan: 

• The information security organization
• Information technology
• Representatives from the lines of business
• Human resources
• Legal
• As applicable, linkages to law enforcement, outside counsel, outside forensic specialists and outside public relations specialists. 

Any discussion of cyber-security must include the role of third-party service providers. The board can take an active role by asking executives about the risk management program in place for managing service provider relationships. Siriano suggests boards consider the following:

• What are the initial due diligence procedures when taking on a new service provider from a cyber-risk perspective? 
• What processes are in place to evaluate the cyber-risk of a service provider during the tenure of the provider’s service to the entity?
• What are the processes in place for evaluating how a service provider is retired?
• What procedures are in place to ensure, once a service provider’s contract is terminated, the way in which information is returned, retained or destroyed?