According to a KPMG survey of Financial Times 350 companies, 68% of the Boards have not received any training to deal with a cyber incident.
This means that WHEN – and not if – a significant cyber event occurs, the board will have no plan in place to deal with it. This is distinct from whether or not IT has an incident response program. Since the Board will be required to make some very uncomfortable decisions (and not IT), such as whether they should pay a ransom and if they do, what are the implications, making those decisions without any training or planning does not seem like a great idea.
Remember, it will NOT be up to IT to decide what course of action to take; IT will execute to whatever course of action the Board tells them to take.
It is also important to understand that in the absence of the Board having already been trained and already having a plan of action, the Board will first have to be educated so that they can make a decision. That time will increase the amount of time that the company is down – possibly completely dark on the web – and possibly with all production, order taking and delivery shut down. All of this occurring at the same time that social media is going crazy beating the company up. And all that the customers hear is crickets chirping.
On the other hand, TWO PERCENT of the boards surveyed said that they had received comprehensive training. I am not sure what the other 98% are waiting for.
On the other hand, only 10 percent said that they didn’t have a plan to respond to a cyber incident. I guess that means that IT has a plan rather than the Board having a plan.
This survey was done in England, but I suspect that the numbers in the U.S. wouldn’t be much different. I am pretty skeptical that 90% of companies have an EFFECTIVE plan in place and tested to deal with a cyber incident.
46 percent of the Boards are still not reviewing and challenging reports on the security of their customers’ data. This is especially important for European companies given that the new privacy law, GDPR, comes into effect in 9 months and the fine for screwing that up could be as high as 4 percent of your annual REVENUE.
In line with these numbers, 53 percent of the Boards receive SOME information on cyber risk, and 31 percent say that they receive COMPREHENSIVE and INFORMATIVE management information on cyber risk.
These numbers don’t surprise me. They do disappoint me, but they do not surprise me. When I hear reports that say that 75% or 85% of Boards say that they have cyber risk handled, I am confused when I hear that those same companies get breached. Some of them are breached 3 or 4 times in a couple-of-year period.
Boards have to take a much more active role and not just count on management to handle it. A breach can cost tens of millions of dollars to deal with and cause huge brand damage. And dealing with one is incredibly complex.
Information for this post came from CBR Online.