Recent media reports indicate that numerous organizations have suffered cyber breaches from increasingly sophisticated attacks. Victim organizations range from sensitive governmental agencies and Fortune 500 companies to local school districts and small businesses. Recognizing these threats, boards of directors and their audit committees continue to expand their governance focus on protecting the data entrusted to their organization and on their systems’ resiliency in case of an attack and breach. Many organizations have already adopted an incident response plan, and some have tested it. Unfortunately, despite these efforts, some boards do not identify the weaknesses in their incident response programs until after a breach occurs. This article reviews several critical considerations that boards or audit committees should review with management at least annually.

Place Incident Response on the Agenda

Not surprisingly, forcing a conversation usually causes action. Management should prepare presentations that include accomplishments, challenges, and potential issues. Forward-thinking organizations integrate these discussions with resiliency and business continuity-related topics. These efforts enable the board to help ensure that the enterprise focuses on needed resources to mitigate the risks of catastrophic events more effectively. For example, a breach will probably impact an organization’s ability to deliver immediate services, including suspending its e-commerce activities until the breach is resolved. As the benefits of planning for resiliency and incident response may not be immediately apparent, board interest and oversight are critical to helping protect the longer-term interests of stakeholders.

Define Expectations and Related Responsibilities

Organizations and their personnel may not consistently define the term “incident.” The challenge faced by front-line personnel, whether employees or service providers, is deciding which types of incidents should be escalated to the appropriate decision-makers. Once an incident is escalated, the question becomes whether the monitoring and reporting protocols are effective. Numerous organizations have implemented a triage process (similar to hospital emergency rooms) to assess incidents and assign actions based upon the identified risk. Designated owners and participants in the incident recovery process should be carefully chosen and trained. In some industries and states, expectations for specific incidents are defined by regulations or accompanying authoritative guidance. When insurance is used to transfer risk, the policy’s definition of a covered incident must be considered. Defining expectations also includes defining responsibilities related to incident response, including monitoring whether those expectations are being met. Depending upon the industry and the type of data, the organization should review its planned incident responses with appropriate counsel.

Know Your Data and What Can Be Lost

Organizations maintain different types of data, and what constitutes their “crown jewels” can differ, though organizations within an industry will usually have similar needs. To protect their most valuable data, organizations must understand where that data resides. For many enterprises, the default answer is “the core system.” From the board’s perspective, this answer makes sense. Yet the board may understandably not appreciate how widely data can be distributed—both inside and outside of the organization. For example, uncontrolled end-user computing can create numerous challenges for an incident response team in tracing an intruder’s activities to understand the extent of the breach. It is also worth noting that cloud service providers may maintain these “crown jewels.” Unless prior contractual arrangements have been made with the provider, the organization may not be able to thoroughly understand the damage done.

Understand the Impact of Vendors

From ongoing technology service providers to niche service firms that facilitate breach recovery, a healthy understanding of the critical external parties that work with the organization is vital. At a minimum, a list of vendors with crucial contact information should be maintained, and authorization lists of who may interact with each vendor on behalf of the organization should be kept up to date. Even if a vendor does not store data, it may have a role to play during an incident response. Internet service providers (ISPs) and network management companies are examples of companies that may not store protected data but can provide information on how an attacker accessed that data. Professional service firms, sometimes engaged on a contingency or retainer fee basis, such as legal or computer forensic firms, should be familiar with the organization and have their expertise available when needed. In addition, consideration should be given to how the organization’s security posture might be impacted by weaknesses in a vendor’s environment, as demonstrated by the Target security breach and the role of its HVAC (heating, ventilation, air conditioning) vendor in facilitating the intrusion.

Consider Guidance, Requirements, and Expectations from Insurance Carriers

Many organizations appreciate cybersecurity insurance and have purchased some form of coverage. As a result, they often believe that any monetary damage resulting from a breach would be minimized. Unfortunately, they might discover that the policy does not cover the specific circumstances surrounding the breach, or that they failed to maintain the risk mitigation practices agreed to during the underwriting of the policy. This situation can occur when appropriate technology and risk management personnel are not involved in reviewing underwriting questionnaires and representations. Ultimately, the policy can be voided by the insurance carrier if false information was provided.

To help their customers, many insurance carriers offer guidance on preparing for an incident response and developing an associated program. In some situations, the carrier’s investigative and computer forensic team may need to be involved. The organization should understand the guidance or requirements issued by its carrier and incorporate them into its incident response plans or programs. Mock preparation of insurance claims and walkthroughs of the associated processing should also be considered as part of testing.

Learn from Other Organizations

Many organizations believe that studying other companies’ incidents of security breaches can help them enhance their preparedness in case they become victims. Noted security consulting firms and industry groups publish year-in-review studies that analyze evolving breaches and lessons learned. Some organizations will use these lessons and simulate how they would have responded if they were the victim. In addition, governmental agencies worldwide publish frameworks that help organizations identify best-practice incident response controls to reduce the probability and impact of cybersecurity threats. In reviewing incident response activities, the board should ascertain whether management consulted these resources in developing response strategies.

Be Prepared for Media Questions

If the organization interfaces with the public, it should expect media inquiries in the wake of a security breach. Just as it prepares its technical response capabilities, the organization should consider how it will address media inquiries and other public relations challenges. Although all key employees should have some media training, board members should be prepared in a manner consistent with their responsibilities and with public and regulatory expectations. A public relations campaign to help restore the organization’s reputation among its stakeholders should be incorporated into response planning and practiced in advance.

Proper Planning to Reduce Risk

Organizations generally accept that intrusions are a question of when, not if. The organization may be unable to completely eliminate the risk of an incident—but with proper planning, it can prepare to respond efficiently and effectively. By implementing appropriate governance practices over incident response, boards and audit committees can help reduce both the likelihood and the impact of risk to within tolerable limits and stakeholder expectations.

Joel Lanz, CPA, CISA, CISM, CISSP, CFE, is a visiting assistant professor at SUNY Old Westbury and provides infosec management and IT audit services through Joel Lanz, CPA, P.C., Jericho, N.Y. He is a member of The CPA Journal Editorial Advisory Board.