A company secretary’s guide to dealing with a data breach
Cyberthreats have become so commonplace that small businesses and corporations alike must now adopt a “when-not-if” mindset when it comes to data breaches. In fact, the Allianz Risk Barometer 2023 lists cyber risks as the most important business risk globally, as voted by 34% of risk management experts. Businesses of every size are an attractive target for criminals thanks to the wealth of information, like customer data and business secrets, that they can use against such organisations.
Fines, class actions, share price decline, reputational damage, customer loss and data compromise are only some of the consequences your company may face due to a breach. By now, every IT team should have a doomsday plan in place. But how should company secretaries (CoSec) and board members respond when it finally happens?
The answers will vary across organisations, but here is a general guide to help you create a plan and ensure higher resilience in the aftermath of a data breach.
Activate your cyber incident response plan
It’s crucial for companies to have a cyber incident response plan (CIRP) in place.
When a data breach occurs, an ill-prepared organisation is in danger of making rash decisions in an attempt to mitigate the damage. Kroll reports that 59% of organisations in the Asia Pacific have been victims of cyber attacks, of which 39% have experienced multiple breaches. Despite these alarming numbers, however, 36% of organisations do not have a CIRP. Having an established CIRP gives your staff clear steps to follow when your organisation becomes a target.
Though not at the helm of executing a CIRP, the CoSec oversees its development and implementation. The board ensures that every individual joining the cross-functional cyber incident response team (CIRT) has the proven character and expertise to contain the breach and record evidence and findings. The CoSec collects this information to ensure that the appropriate documents are ready for legal and regulatory compliance and board reporting.
In the event of a breach, the CIRP is activated immediately. Members of your CIRT can then take the necessary action steps detailed in the plan.
Address data breach impact
While the CIRT works on containing and eliminating the threat, your board should be briefed on information about the breach: its size and scale, what caused it, potential harm, actions taken against it and, if applicable, any demands being made by malicious parties. Again, actions will vary depending on your situation, but these details will tell you if it is necessary to engage outside counsel to manage the threats and help you meet legal, regulatory and insurance obligations on what to do and how to report the incident.
Manage internal and external communications
The CoSec takes care of internal and external communication efforts, especially during a crisis. They coordinate with relevant departments to ensure that appropriate parties are informed about the breach, including executive leadership, legal counsel, IT and potentially affected individuals. They also have the responsibility of maintaining detailed records of the incident to present complete documentation for potential investigations and legal commitments.
In the immediate aftermath of a breach, CoSecs require frequent correspondence with the board to relay breach information, its potential impact and CIRT mobilisation progress. Ideally, your organisation should already be using a secure board communication platform that prevents access to highly sensitive board materials and ensures a steady and uncompromised line of communication in the event of a breach. The Diligent Board and Leadership Collaboration suite of products safeguards information by letting your board hold meetings, exchange data and collaborate safely through a closed-loop platform, rather than through existing on-network tools that give malicious parties easy entry points once compromised.
Statement for investors, partners and other stakeholders
CoSecs participate in investor calls and meetings to communicate accurate and appropriate information to shareholders. Then there is also the challenge of informing staff, customers, partners and stakeholders. The anticipation of bad press and possibility of tarnishing your carefully built reputation may deter you from being fully transparent, but a lack of transparency is likely to deal greater damage to your company’s standing in the long run. Work with your public relations and legal teams to craft a clear and concise statement that addresses public concerns and expresses decisive action against the breach.
Risk management and reporting to regulators and law enforcement
CoSecs take part in discussions with risk management teams to evaluate the impact of the breach on the company’s reputation, finances and legal exposure. Also, depending on the severity and nature of the breach, regulatory authorities may need to be notified.
From CIRP activation, a CoSec must have already begun collaborating with legal teams to fulfil the organisation’s local and extraterritorial obligations. Stay on top of these, as failure to comply may result in fines and penalties. Take careful note of duties to federal and cyber crime authorities as well, since they may become involved depending type of organisation and breach severity.
Review policies and recover
Once the breach has been contained, it’s time to evaluate what went wrong and how you can learn from the event, bolster cyber resilience and prevent mishaps in the future. The CoSec leads the charge in the endeavour by facilitating discussions, policy analyses and compliance procedures.
Policy review and forensic analysis
The CoSec coordinates with legal, compliance, risk and IT teams to review existing policies and controls to identify gaps that made the breach possible. Information gained from your post-incident review and engagement with investigating authorities can then be used to strengthen your IT risk and compliance program.
Insurance, legal and compliance procedures
If the organisation has existing cybersecurity insurance, the CoSec manages insurance claims and liaises with legal teams as required. Routinely follow up with regulatory bodies and check in with your shareholders and investors.
Prevention is better than cure
While CISOs are responsible for ensuring the organisation has an overall robust IT risk and compliance program in place, CoSecs need to take ownership of the preventative controls that protect the board. By implementing a secure board portal like Diligent’s, your board and executive leadership can keep board-level data safe from prying eyes and maintain open communication even in the event of an organisational data breach.
Diligent’s Board and Leadership solution not only protects the board in the event of a data breach but also enables more proactive and data-driven cyber risk decisions with the release of the latest Board Reporting feature. The first-of-its-kind Board Reporting for IT Risk dashboard enables chief information security officers to communicate a meaningful and holistic view of their organisation’s risk posture to the board by streamlining how they track, measure, and report on IT risk. The latest feature includes a data-driven view of cybersecurity performance as well as insights from Bitsight, and benchmarking data with cybersecurity scoring from SecurityScorecard.
Diligent is a leading GRC SaaS company that gives organisations the tools and solutions they need to bring clarity to complex risk, elevate impactful insights and get ahead of a world that is constantly changing. With solutions across governance, risk, compliance, audit and ESG, Diligent empowers more than 1 million users and 700,000 board members and leaders to make better decisions, faster.
Take action before an incident occurs. Contact Diligent to elevate organisational insights, protect your sensitive board data and ensure leadership continuity in the face of looming cyber risks.