By Jatin Mannepalli
Sun | Jan 12, 2025 | 7:40 AM PST

Today, a cyber incident is not just an IT issue—it's a business crisis that can shake the foundation of an organization. Imagine the chaos when systems go offline, customer data is compromised, or operations grind to a halt. In these moments, the board's leadership is crucial to navigating through the storm.

The CrowdStrike incident in 2024 was a stark reminder of how such an event can bring major day-to-day activities to a halt. A 2022 PwC study found that 59% of directors admitted their board is not very effective in understanding the drivers and impacts of cyber risks for their organization, emphasizing the critical role of board members in these moments.

This article explores how boards can effectively prepare, respond, and lead during cybersecurity incidents, turning a potential disaster into a managed crisis.

Understanding the board's role during a cyber incident

Cyber incidents vary greatly in scope and severity, ranging from targeted attacks by sophisticated threat actors to inadvertent breaches caused by human error. Despite these differences, the core responsibilities of the board remain consistent. According to Cornell University and NapaLegal, board members are legally bound by three key duties:

  • Duty of Care: Making informed decisions in the best interest of the organization, particularly during crises.

  • Duty of Obedience: Ensuring decisions respect the limits of the board's authority while aligning with organizational missions and compliance obligations.

  • Duty of Loyalty: Prioritizing the organization's interests over any personal gains.

These principles serve as the foundation for the board's actions before, during, and after a cybersecurity incident.

Preparing before the incident

The board's effectiveness during an incident relies heavily on preparation. Tabletop exercises can be particularly useful in preparing board members for a range of scenarios. According to a 2024 study by Statsig, regularly communicating and practicing well-designed incident response plans can greatly minimize the impact of security incidents. The benefits include faster response times, improved communication, reduced financial losses, and enhanced compliance. These factors highlight the critical importance of preparation and proactive oversight for the board.

The board should ensure the following preparations are in place:

  1. Incident Discovery and Triage: Develop clear processes for identifying, categorizing, and responding to incidents. Ensure incident response plans (IRPs) are in place, communicated effectively, and practiced. The board must understand when and how to escalate incidents for oversight.

  2. Defined Escalation Paths: Not all incidents require board-level attention. Determine which types of incidents—e.g., breaches involving sensitive customer data—merit direct escalation to board members. It's important to note that only about 33% of breaches are detected internally. Most organizations are informed by third parties such as law enforcement, customers, business partners, or even the attackers themselves. Only a select group of properly trained individuals should escalate cyber incidents to the board.

  3. Incident Leadership Designation: Decide in advance which board members or committees will take the lead. For example, consider whether the risk committee or an ad hoc task force is best suited to manage the incident.

  4. Stakeholder Requirements: Understand and comply with expectations from stakeholders, including regulators, customers, and business partners. During the Okta breach of 2023, for example, organizations were reminded of the importance of proactive communication to mitigate reputational damage.

  5. Tabletop Exercises and Role-Specific Guidance: Regularly conduct tabletop exercises that simulate different cyber incidents, focusing on the board's decision-making process. Incorporate lessons from exercises to refine incident response protocols.

During the incident: board responsibilities

When an incident occurs, the board's primary responsibilities are oversight, strategic decision-making, and effective engagement with the organization's public relations team. The board ensures the incident response team has the necessary resources and provides guidance on critical matters such as external communication and resource allocation.

Key actions the board must consider include:

  • Approval for Resource Engagement: For significant incidents, board approval may be required to engage third-party experts, such as a ransomware negotiator or forensic investigator. Additionally, the board must actively engage with the public relations team to manage the narrative during and after an incident, ensuring clear guidance to PR to shape the public narrative, manage stakeholder expectations, and restore trust.

  • Ensuring Timely and Accurate Reporting: The board should demand frequent, fact-based updates from the incident response team. During the Colonial Pipeline ransomware attack in 2021, delays and miscommunications exacerbated the crisis, emphasizing the need for effective reporting.

  • Supporting the Incident Response Team: The board must ask whether the incident response team has the necessary tools, expertise, and support to address the crisis effectively.

  • Leadership During Executive Implications: Should the incident involve key executives or board members (as seen in corporate misconduct cases like the Uber data breach of 2016), the board's role may shift from oversight to active leadership, managing potential conflicts of interest.

After the incident: learning and improving

Once the immediate threat is resolved, the board's role shifts to ensuring a thorough postmortem analysis and collaborating with the public relations team to restore trust and address any lingering reputational issues. Postmortems should be used to identify weaknesses in both technology and processes. Inviting a third-party expert to moderate can offer an objective perspective.

To strengthen the organization's resilience for the future, the board must:

  • Integrate Lessons Learned: Use insights from the incident to refine response strategies and improve communication workflows. After the Marriott data breach, post-incident reviews revealed gaps in supplier management, leading to updated security protocols for third-party vendors.

  • Practice New Procedures: Incorporate changes into incident response plans and conduct new tabletop exercises to test these improvements.

  • Monitor the Evolving Threat Landscape: The board should remain updated on evolving cybersecurity threats and ensure compliance with regulatory requirements, such as the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which mandates reporting timelines for critical infrastructure organizations.

Key considerations for reporting and compliance

Materiality and reporting are crucial responsibilities that require timely action from the board. Inadequate or delayed reporting can lead to severe consequences, including fines, sanctions, and enforcement measures, which may involve both civil and criminal liabilities for board members and senior leadership. The SEC's enforcement action against Pearson plc in 2021, which resulted in a $1 million penalty for misleading disclosures about a cybersecurity breach, underscores the importance of ensuring accurate and prompt reporting.

U.S. Reporting Requirements:

  • Ransomware Incidents: Must be reported within 24 hours of detection.

  • Other Cyber Incidents: Must be reported within 72 hours of discovery.

  • SEC Cyber Rules Compliance:

    • Form 8-K (Item 1.05): Must be filed within four days of determining that an incident has or is likely to have a material impact.

    • Annual Form 10-K (Regulation S-K Item 106): Requires companies to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, including the board's oversight of these risks and management's role in mitigating them.

EU Reporting Requirements:

The NIS2 Directive in the EU mandates a three-phase reporting process, with a requirement for entities to produce an intermediary report or status update at the request of an authority:

  • Organizations must issue an early warning notification to the relevant authorities within 24 hours of detecting a significant incident.

  • A detailed notification, including an assessment of the impact, an update on the investigation, and any actions taken, must be provided within 72 hours.

  • A comprehensive final report must be submitted within one month, covering a detailed description of the incident, root cause analysis, mitigation measures taken, and any cross-border impacts.

Australian Reporting Requirements:

The Security of Critical Infrastructure Act 2018 (SOCI Act) and the Cyber Security Bill 2024 in Australia introduce critical reporting requirements for infrastructure and cybersecurity incidents that boards may need to be made aware of:

  • Critical Cybersecurity Incidents (SOCI Act): Must be reported within 12 hours if they significantly impact the availability of critical infrastructure assets.

  • Other Cybersecurity Incidents (SOCI Act): Must be reported within 72 hours if they have a relevant impact.

  • Mandatory Ransomware Payment Reporting (Cyber Security Bill 2024): Certain businesses must report ransom payments to the Department of Home Affairs and the Australian Signals Directorate within 72 hours. This requirement applies to entities operating in Australia above a certain revenue threshold and to responsible entities for critical infrastructure assets regardless of revenue.

  • Voluntary Reporting of Significant Cybersecurity Incidents (Cyber Security Bill 2024): Entities can voluntarily provide information about major incidents. Shared information has limited use protections to ensure confidentiality.

The board must ensure that both domestic and international reporting obligations are met to avoid penalties and fines. The board must also have competent individuals representing legal and compliance aspects to ensure that commitments to such laws are understood and met. Partnering with regulatory bodies or law enforcement, such as the FBI cyber team, the European Union Agency for Cybersecurity (ENISA), the Australian Cyber Security Centre (ACSC), or your local government cybersecurity board, before an incident occurs can facilitate smoother compliance, provide access to expert guidance, enable faster response times, and enhance organizational credibility. Such partnerships ensure that the organization is well-prepared to navigate regulatory complexities and demonstrate accountability to stakeholders.

Finally, proactive governance is essential

The role of the board during a cybersecurity incident is pivotal in ensuring the organization successfully navigates the crisis. To do so effectively, boards must focus on key preparations before an incident, including conducting regular tabletop exercises, having robust incident response plans (IRPs) in place, and establishing clear escalation processes. These proactive measures are crucial for minimizing the damage during a crisis.

The board's preparedness, oversight, and engagement with internal and external stakeholders—including regulatory bodies, trained response teams, and public relations—can significantly influence the organization's ability to recover. By focusing on comprehensive preparation, effective communication, adherence to reporting requirements, and continuous improvement, boards can handle the complexities of cyber incidents with greater assurance and resilience.

As cyber threats continue to grow in sophistication, proactive board involvement is critical. Boards must not only ensure short-term crisis response but also foster long-term resilience by adapting to evolving threats, refining incident response plans, and strengthening organizational defenses. This proactive governance approach will position organizations to better withstand and recover from the challenges posed by cybersecurity incidents.
