In this webcast, our panel of cyber professionals, along with KPMG’s BLC co-chairs, shared insights on what boards need to know about cyber risk and regulations.
Some of the key questions addressed in the discussion include: If there is an attack, should you pay the ransom? What is the board’s responsibility? Which key risk indicators should the board monitor? Has the cyber landscape changed with the rising popularity and accessibility of AI tools? Should organizations invest in cyber insurance and training for employees? All of these questions – and more – were answered by our panel.
In summary, the key considerations are:
- Cyber attacks are industry-agnostic, and attackers continue to change their tactics, so you have to be ready to employ a “move, countermove” approach.
- Boards don’t always need a member with cyber security skills, so long as they can access this skillset to understand the metrics and threats – a “cyber translator”.
- Consider lessons learned from previous incidents to inform future strategy decisions.
- An organization’s cyber response team should include the board, internal technology resources, a breach coach, a forensic firm to contain the incident and analyze the root cause, a communications firm that specializes in cyber crises, etc.
- A Managed Services model is an efficient and effective way to monitor cyber activity 24/7 and free up technical resources to focus on other priorities.
- When it comes to cyber, organizations will either pay now (for training, insurance, strategic advisory) or pay later (ransom, data loss/theft, crisis response team).
The board’s role is oversight and direction and to empower management to have the right resources in place to prevent, detect and respond to a cyber attack.