Responding to a cyber-attack

What's the issue  |  Regulation & frameworks  |  Boardroom questions  |  Board actions

Cyber security continues to be a priority topic on board agendas^[i], and remains even more critical in light of recent events in Ukraine. As the world becomes more connected, the cyber threat landscape is expanding, and so is the critical need to ensure cyber security. With a shift to digital channels and the accelerated deployment of collaboration platforms – in part driven by COVID-19 – organizations are storing more information online and connecting more internally, as well as with both customers and third parties. This gives hackers a greater opportunity to get into your organization, navigate more broadly through it and put it into lockdown.

Cyber security is a key component of ensuring stability and trust in your organization. It’s the Golden Thread that should run throughout the organization’s decisions.

So, as organizations move towards the cloud, launch digital transformation programs and look at use cases for machine learning and AI, cyber security should be front and center. For example, in considering a move to the cloud: who’s connecting to your environment? How are you ensuring the protection of your data and monitoring for cyber threats? Similarly, how do you ensure your AI is trusted and that the algorithms are secured, so that they aren’t hacked and remain stable?

However, cyber security is not only important for conversations about technology. It should be a key consideration in other business drivers and outcomes as well. For example, consider an acquisition: how is the potential acquiree dealing with cyber security? Is any of their information already available on the dark web? If so, what impact does that have on the valuation?

At the same time, the attacks themselves have changed. Looking at ransomware attacks in particular, in pre-COVID times, an organization subject to such an attack would receive a message with a sum of money to pay or their data would be locked/destroyed. During the COVID-period, however, attackers became more creative to further incentivize companies to pay. Playing into GDPR and the importance of the protection of data, attackers started to steal the data before encrypting it, so that in their negotiations they could threaten to publish the data if the organization did not pay the ransom.

In addition, the speed at which vulnerabilities are exploited has also increased. In the past an organization may have had a couple of months to patch a vulnerability once it was communicated in the press. Now it must be patched immediately, or an attacker will attempt to exploit it.

Regulatory guidelines are starting to push organizations into protecting their data and becoming more resilient to cyber-attacks. Some of the most important regulatory frameworks around cyber security include:

• EU Cyber Security Act^[ii]: The Cybersecurity Act strengthens the EU Agency for Cybersecurity (ENISA), grants it a permanent mandate, and gives it more resources and new tasks. It also introduces an EU-wide cybersecurity certification framework for ICT products, services and processes.
• Act on the protection of natural persons with regard to the processing of personal data^[iii]: This law implements the EU General Data Protection Regulation (GDPR)^[iv] in Belgium.
• NIS2.0^[v]: This proposal by the European Commission would replace the NIS Directive and expand its scope, “effectively obliging more entities and sectors to take measures, [thereby] … increasing the level of cybersecurity in Europe in the longer term.” It would “strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonized sanctions across the EU.”
• Digital Operational Resilience Act (DORA)^[vi]: Through DORA, the EU aims to establish a comprehensive and unified digital framework for financial institutions, by aligning today’s (limited) rules on information and communication technologies (ICT) governance, better managing ICT risk and incident reporting, and eliminating gaps in information sharing, risk management and digital testing.

• As an organization, do we have an incident management plan for cyber incidents?
• How do we ensure it is effective? Has the plan been tested?
• Does everyone understand his/her role in the event of an incident?
• Does our plan meet the particular challenges of ransomware attacks?
• Have we considered at which point we would need to pay a ransom, and what the legal implications of that are?
• What and when do we communicate, through which channels and to whom?
• What’s included in our cyber insurance? When can we call upon it, and have we met the requirements to do so? 

• As an organization, what measures do we take to minimize the damage an attacker could do inside our network? How do we segment our network?
• How is data backed up, and are we confident that backups would remain unaffected by a ransomware infection? 

• As an organization and as board members, how would we know when an incident occurred?
• Do we need to wait for the federal Computer Emergency Response Team (CERT) to call or do we have our own mechanisms – either internally or with a third party – to monitor for an incident?

Understand the key cybersecurity issues and risks. Understand the risk landscape and the response plans that exist today, the critical systems (what and where they are), the regulatory obligations that need to be met and any relevant audit results. In their reconnaissance, attackers will be doing the same, so you need to be just as prepared (if not more). 

Support management by guiding, overseeing and agreeing to a security strategy, cyber risk management, the risk appetite, accountability and partnerships. Specifically, with regard to partnerships, remember that the way you work with third parties will have a direct impact on your cyber resilience and your reputation as a trusted organization.

Take board-level actions to raise cyber awareness, challenge management, enable management (to act themselves), ensure sufficient time at board level, prepare for when an incident occurs and enable continuous enhancement.

KPMG’s Board Leadership Center (BLC) offers non-executive and executive board members – and those working closely with them – a place within a community of board-level peers. Through an array of insights, perspectives and events – including topical seminars and more technical Board Academy sessions – the BLC promotes continuous education around the critical issues driving board agendas.