Cyber-lightning should bolt directors to action

January 23, 2020

These days technology is as essential to company operations as electricity. And just like a lightning strike can take out the entire power supply and shut down operations. A cyber-strike can take out all computing systems and have huge reputation, trust and legal consequences for its customers, suppliers, government and staff.

What does that white bolt searing from the sky look like in computer language?

It’s often an explosive data breach. They are rampant in today’s digital ecosystem with more than 800 major data breaches reported to the Australian privacy watchdog in 2018 and many more never reported.

Data breaches have cost CEOs and board directors their jobs. One example was in 2019, when LandMark White, Australia’s leading property valuation service, was breached with over 100,000 sets of client information leaked, including addresses, emails and driver’s licenses. Estimates of financial loss for the company exceeded $7 million, however, and more importantly loss of customer trust, contracts and reputation will have long term impacts. In this case, the data breach resulted in the company being suspended from a number of its clients, including three major banks’ valuation panels.

This shows that directors have a key responsibility for safeguarding their companies against data breaches. While hiring IT experts and spending money on data protection is good practice, directors have a much broader duty. This includes a legal duty of care to take steps to personally understand and manage risk – including cyber risk.

Australian company directors could be liable for negligence or worse breaching their duty of care if they haven’t reasonable steps to understand and manage the risk of data breaches.

With this in mind, there are some essential steps that a board of directors need to take to prevent and respond to data breaches within their organisations.

Prevention

  1. Just as directors can’t flick finance responsibilities to a director with an accounting background, cyber responsibilities should not be handed-off to a fellow director with a technology background.

    A director who hasn’t understood or gathered enough information could be found negligent. It is imperative that directors get connected to the core of their organisation to understand what data would be valuable to hackers, what processes are in place to secure this data, what testing is being done and what are the potential impacts of a breach in terms of finance, reputation and culture.

  2. Directors must play an active role in promoting cybersecurity training and safety within the organisation to support a culture of reporting and whistleblowing. Staff and suppliers are the front line of defence when it comes to flagging data breaches, so it is crucial that they have proper training and support from the highest level.

Response

  1. Take immediate steps to determine what information has been breached as accurately and quickly as possible. Was it names and addresses or bank card information? Are customers impacted or are suppliers? The type of information breached will inform the legal obligations, the company and the next steps.

  2. Data security used to be an IT issue, but it is now a legal issue. There are specific legal requirements, namely specific reporting steps, which must be taken within a short timeframe after being alerted to a breach.

  3. A communications plan must be put in place to clearly communicate to affected parties:

    • the extent of the breach
    • when it occurred 
    • what happened
    • what action is needed by the customer 
    • what action is being taken to secure their information

    If this is not done well, kick-back on directors can come from authorities and clients. For instance, Canva was widely criticised for burying a data breach notice under a swathe of marketing messages.

    Depending on the extent of the breach, the following communication steps should be put into motion.

    • Nominate a senior media spokesperson
    • Identify appropriate avenues of communication to get your message out to affected parties, i.e. email, social media, press announcements, and across different platforms including call centres and bulletin notices
    • Facilitate a two-way flow of communication and enable trained staff to respond to customers queries, whether it be online or call centres
    • Brief relevant stakeholders, industry and experts 
    • Monitor media for feedback and tailor messages and actions accordingly 
  4. Internal communication should be rolled out quickly. Staff will be the ones that customers will look to for answers as soon as the alarm is sounded. While this is most often ignored as companies scramble to report the breach externally, this is the most important, as staff are your lynch pin for action and for credibility.

  5. Demonstrate that the company is taking preventative actions to secure its data in future and highlight any learnings that have resulted from the breach.

The right response is complex and sometimes hard for directors to navigate. It will involve IT, operations, legal and communication experts.

The best prevention is making sure that directors are prepared and are able to respond to the risk of a cyber-lightning strike on their business.