How Companies Can Address Cybersecurity in a Sustained Way
Governments and companies around the world are intensifying their focus on cybersecurity. In particular, they are anticipating and preparing for Russia-backed cyber retaliation for the unprecedented wave of corporate withdrawals from Russia and international sanctions against the country stemming from the war in Ukraine.
While there has been an uptick in hacking events, widespread cyber retaliation has not yet materialized. Some read this as a sign that the Russian hacking machine isn’t what it used to be (and, indeed, Russia itself has been the target of hacking activity),[1] but companies should not take comfort from it. According to a recent Microsoft report, Russia is using cyberattacks inside Ukraine to support its military ground campaign, and companies should expect it to redirect those resources in the future. Russia’s ability to wage cyber war is ever present, and its motive is only growing. Russia, of course, is not alone in sponsoring and supporting cyberattacks. Further, the landscape of cyberattacks is growing more complex and unpredictable as companies face criminal enterprises as well as hackers whose primary motive seems to be sowing anarchy. Cybersecurity therefore needs to remain at the top of board and C-suite agendas.
Companies’ focus on cyber, however, tends to come in waves. When a cyber crisis (especially a major breach) occurs, everyone pays attention. The SolarWinds hack, in which state-sponsored hackers gained access to government and corporate systems through a compromised update to SolarWinds’ Orion IT infrastructure monitoring software, led many companies to beef up their cyber preparedness. But after a flurry of activity, companies still see themselves as underprepared. CEOs worldwide rank cybersecurity as a top 10 external risk, yet only 37 percent say they are well prepared for a cyber crisis, and 64 percent of C-suite executives say their board has only a fair or poor understanding of cybersecurity, data security, and data privacy.
It’s time for boards and senior management to recognize that cybersecurity is not only a matter of security and controls, but also a key ESG issue that should be integrated in discussions of business strategy. In addition, the war in Ukraine, proposed SEC disclosure regulations, a recently enacted US law, new cybersecurity regulations both in the EU and the UK, and the growing threat of litigation may serve as catalysts for companies to provide sustained—not just episodic—attention to cybersecurity.
This brief offers insights on what CEOs and boards can do now to improve cybersecurity as the threat level rises.
Insights for What’s Ahead
Prepare for cyberattacks
The SolarWinds attack, and Russia’s role in it, showed that companies of any size can be targeted by state-sponsored hackers. This is especially true for midsized companies in the software supply chain. The war in Ukraine has only exacerbated this risk. But there are steps CEOs should make sure their companies take to prepare for future attacks:
- Conduct a fresh inventory of all software assets and reassess due diligence for the firm’s software supply chain, paying particular attention to security and management software that is, by design, broadly trusted across the network.
- Revise supplier due diligence to include a focus on vendor supply chain integrity, quality assurance, and chain of custody.
- Enhance the firm’s threat hunting program, including beefing up efforts to detect lateral movement and anomalous behavior by privileged accounts (for example, an administrative account logging on from a workstation it has never used, or reaching an unusually large number of hosts in a short period).
- Simulate highly sophisticated state-sponsored attacks under controlled circumstances to see how the firm would deal with such an attack.
- Participate in networks that share information on cyber threats and attacks, including in jurisdictions that don’t mandate the sharing of such information with the government.
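The threat hunting step above is the one item in this list that maps directly to something an analyst can run. The following Python block is an added example and is not part of the original brief. It assumes a SIEM export of network logon events, one per line (ISO timestamp, account, source host, destination host); the log lines in SAMPLE_LOG and the PRIVILEGED account list are constructed for illustration. It learns which source hosts each privileged account normally uses, then flags two lateral-movement signals: a privileged logon from an unfamiliar source host, and a privileged account fanning out to many distinct hosts inside a short window.

```python
"""Hunting logic for lateral movement by privileged accounts.

Added example, not part of the original brief. Assumes a SIEM export of
network logon events (one per line: ISO timestamp, account, source host,
destination host). SAMPLE_LOG and PRIVILEGED are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED = {"svc_backup", "da_jsmith"}   # assumed: domain admin / service accounts
WINDOW = timedelta(minutes=10)              # sliding window for fan-out detection
FANOUT_THRESHOLD = 4                        # distinct destinations inside WINDOW before alerting

# Constructed sample: day one is normal activity, day two shows da_jsmith
# logging on from a new workstation and touching five hosts in three minutes.
SAMPLE_LOG = """\
2022-05-01T09:00:12 da_jsmith  WS-041  FS-01
2022-05-01T09:01:30 alice      WS-107  FS-01
2022-05-01T23:14:02 svc_backup SRV-BK  FS-01
2022-05-01T23:14:05 svc_backup SRV-BK  FS-02
2022-05-02T02:10:00 da_jsmith  WS-200  DC-01
2022-05-02T02:10:41 da_jsmith  WS-200  FS-01
2022-05-02T02:11:02 da_jsmith  WS-200  FS-02
2022-05-02T02:11:59 da_jsmith  WS-200  HR-DB
2022-05-02T02:12:30 da_jsmith  WS-200  MAIL-01
"""


def parse_log(text):
    """Return (timestamp, account, src, dst) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), account, src, dst))
    return sorted(events)


def build_baseline(events, cutoff):
    """Learn which source hosts each privileged account used before `cutoff`."""
    baseline = defaultdict(set)
    for ts, account, src, _ in events:
        if account in PRIVILEGED and ts < cutoff:
            baseline[account].add(src)
    return baseline


def hunt(events, baseline):
    """Flag privileged logons from an unfamiliar source host, and privileged
    accounts that reach FANOUT_THRESHOLD distinct hosts inside WINDOW."""
    findings = []
    seen_new_source = set()          # (account, src) pairs already reported
    recent = defaultdict(list)       # account -> [(ts, dst)] still inside WINDOW
    fanout_alerted = set()           # accounts already reported for fan-out
    for ts, account, src, dst in events:
        if account not in PRIVILEGED:
            continue
        if src not in baseline.get(account, set()) and (account, src) not in seen_new_source:
            seen_new_source.add((account, src))
            findings.append({"rule": "new_source_host", "account": account,
                             "src": src, "first_seen": ts})
        recent[account] = [(t, d) for t, d in recent[account] if ts - t <= WINDOW]
        recent[account].append((ts, dst))
        targets = {d for _, d in recent[account]}
        if len(targets) >= FANOUT_THRESHOLD and account not in fanout_alerted:
            fanout_alerted.add(account)
            findings.append({"rule": "fanout", "account": account, "src": src,
                             "targets": sorted(targets), "at": ts})
    return findings


def run_sample():
    """Baseline on day one of the sample, hunt over day two."""
    events = parse_log(SAMPLE_LOG)
    cutoff = datetime(2022, 5, 2)
    baseline = build_baseline(events, cutoff)
    return hunt([e for e in events if e[0] >= cutoff], baseline)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the constructed data the hunt returns two findings for da_jsmith: a new_source_host alert for WS-200 at the first day-two logon, and a fanout alert once the fourth distinct host (HR-DB) is reached within the ten-minute window. In a real environment the baseline would be learned over weeks rather than a day, and the window and threshold would be tuned per account class so that legitimate backup and patching jobs (like svc_backup here) do not trip the fan-out rule.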
Prepare for ransomware
Corporate leaders must also be prepared for advanced ransomware attacks. These have become increasingly pernicious as hackers are not just blocking access to critical data but are threatening to make sensitive information public or manipulate records in ways that can cause immense damage.
- Obtain adequate cyber insurance, even though prices are soaring and the (re)application process has become increasingly stringent and complex. Where the policy covers ransom payments made under duress, the cost of coverage is generally small compared with the losses a ransomware attack can inflict.
- Develop a playbook for ransomware negotiations—which are seldom rational. And, in case of a ransomware attack, consider engaging a specialized negotiator who is familiar with hackers’ methods. The negotiator can ensure that any payments are made in compliance with US Treasury rules and guidance.
Prepare for increasing regulatory requirements and litigation
On March 9, the SEC proposed new rules on cybersecurity disclosure that go well beyond current practices. Among other things, the proposal would:
- Require disclosure about material cybersecurity incidents within four business days after a company determines that it has experienced such an incident.
- Require updates to previously disclosed cybersecurity incidents and require disclosure of previously undisclosed immaterial cybersecurity incidents that have become material.
- Require annual disclosure regarding a company’s policies and procedures for identifying and managing cybersecurity risks; a company’s cybersecurity governance, including board of director oversight of cybersecurity risks; and management’s role and relevant expertise in assessing and managing cybersecurity risks and implementing related policies, procedures, and strategies.
- Require disclosure about the cybersecurity expertise, if any, of members of the company’s board of directors.
It’s of little consolation that the four-day clock starts only upon a materiality determination. A breach may be instantly and obviously material, and it can be challenging to collect the information needed for the Form 8-K in just a few days. Moreover, stakeholders may press for information that goes beyond 8-K requirements.
- Establish a protocol and processes now to ensure you can meet the four-day deadline. Also, be sure you’ll be able to convey sufficient information to address stakeholders’ immediate concerns (even if it means saying you’re working on it).
CEOs should make sure their management teams are assessing whether the company is prepared to comply with the Cyber Incident Reporting for Critical Infrastructure Act, which was signed into law in March. It will require companies that are part of the nation’s “critical infrastructure” to report substantial cyber incidents to the federal government within 72 hours and ransomware payments in 24 hours. “Critical infrastructure” is still undefined, and the law, which layers on top of current state level legislation, could potentially cover a wide range of sectors and companies.
- Anticipate being subject to the Cyber Incident Reporting for Critical Infrastructure Act and prepare for compliance with it accordingly.
CEOs and boards need to be prepared for different types of litigation after a cyber breach, especially when personal data have been compromised. While shareholder derivative claims, in which shareholders allege that the board of directors has failed in its oversight duties to the company, are seldom successful, class action securities law claims are becoming a greater risk. This is especially true if companies have been overselling their cybersecurity practices. Companies are also increasingly sued for negligence or breach of contract, particularly in the ransomware context, where customers of attacked companies are victimized.
- Review current disclosures on cybersecurity to ensure they do not describe a risk as hypothetical if it has already materialized. Also, stay current on the status of the Federal Trade Commission’s enforcement actions relating to data privacy disclosures.
Cybersecurity regulations also tightening in Europe
In December 2021, the Council of the EU agreed its position on the Network and Information Security 2 (NIS2) Directive, a big step toward modernizing the current EU-wide framework for cybersecurity. The directive, expected to be finalized in 2022, strengthens the cybersecurity requirements imposed on companies. It also addresses the security of supply chains and supplier relationships and introduces accountability of top management for noncompliance with the cybersecurity obligations.
Also in December, the UK government published the National Cyber Strategy 2022, which succeeds the 2016-2021 National Cyber Security Strategy. It centers on building resilience and securing the digital ecosystem, and takes a “whole of society” approach.
In communication, think beyond regulation and litigation
In deciding how to communicate about cyber incidents, CEOs need to be mindful that they are competing with others who will try to control the narrative. Hackers are increasingly going public with their attacks, as it can help them extract a payment. And many state attorneys general, who require companies to report breaches involving personal information, post these incidents on public websites almost immediately.
- Don’t view a cyber incident as a merely legal or technical issue, but a reputational one as well.
- Have a clear process and criteria for deciding when and how to report on cyberattacks. For example, companies can consider developing a matrix that sets forth the criteria and protocols for reporting on different types of attacks.
View cybersecurity as an ESG issue
Cybersecurity is, of course, a key security issue. But it’s more than that. It’s closely related to several core social, or “S,” issues in ESG, such as data privacy and the health and safety of workers, customers, and communities. It’s tied to environmental, or “E,” issues as well, such as when the disabling of critical equipment leads to massive pollution events. And it’s a governance, or “G,” issue, as companies need to have the appropriate structures and processes in place at both the board and management level to manage risk, respond to incidents, and mitigate harm to the business. For example, in deciding whether to cut ties with Russia following its invasion of Ukraine, companies had to factor in the threat of cyber retaliation. That all makes cybersecurity a key corporate governance concern for investors. Cybersecurity also affects companies’ relationships with stakeholders, whether undermining employees’ abilities to do their jobs or, more broadly, undercutting trust between the company and its customers, regulators, and communities.
Some examples to highlight the potential impact of cyber breaches on all facets of the organization include:
- The T-Mobile cyberattack, in which data of millions of customers, former customers, and prospective customers were compromised.
- The Colonial Pipeline ransomware attack, which led the operator to shut down the largest fuel pipeline in the US and caused fuel shortages across the East Coast.
- The Equifax breach, in which sensitive personal information of about 148 million US consumers was compromised and which was followed by a roughly 30 percent drop in the company’s share price.
Indeed, the potential societal and environmental effects of a cyber breach make it necessary to bring cyber into conversations about all ESG topics—and risks.
Some of the steps that CEOs can take to build cyber resilience include:
- Increase overall fluency in cyber across the C-suite. Given its wide-ranging implications, as well as its link to ESG, cybersecurity should be viewed as a joint responsibility among C-suite executives. All C-suite executives, not just the chief information security officer, should be able to speak “tech” and bring cyber into any and all strategic discussions. Additional education may be needed to strengthen senior management’s fluency in this area.
- Build a strong collaboration and comfort level between the company’s legal, IT, and communications teams, just the way it exists between legal and finance. Under—or over—communicating in the event of a breach can cause significant regulatory and reputational harm. It’s therefore important that a company’s legal, IT, and communications teams seek alignment and don’t operate in silos. This will significantly improve the way the firm can prevent, respond to, and deal with cyber threats.
- Make sure the firm has a cyber incident response plan that has clear accountability and also provides for a backup plan and training for frontline employees. Having a strong cyber incident response plan signals to stakeholders, especially investors, that the company has an informed and comprehensive approach to responding to cyber threats. But attacks often don’t happen at a convenient time for everyone. People might be unavailable when they happen, so it’s also pivotal to have backup responders lined up. Moreover, it’s vital for management to ensure that adequate training is provided to frontline IT or customer service staff, who might become aware of any breach first, so they know to whom they should report an incident.
Often the board’s best role is to stay closely informed, but to leave management of the crisis to the C-suite. Boards, however, should:
- Be sure that the firm’s overall business strategy comes with a related cybersecurity strategy. The board’s most effective lever to drive an appropriate focus on ESG, which includes cybersecurity, is the strategic and business planning process. Just as a company should have a workforce strategy to support its business plans, boards should ensure that their firm has a cyber strategy that keeps pace with the evolution of its business strategy, competition, regulation, stakeholder expectations, and threats.
- Understand the framework in place to prevent, respond to, and deal with cyber threats. Boards should also understand the hallmarks of a successfully handled cyber incident: 1) everybody working under the existing protocols, with no one caught by surprise; 2) minimized reputational harm, reflected in a steady share price (if the firm is publicly traded); and 3) the absence of litigation and regulatory proceedings.
- Assess board capabilities and structure to ensure there is appropriate board- and board committee-level oversight of cybersecurity. This will vary from company to company, depending on the industry and business a firm is in. However, be sure not to overload the audit committee with cyber oversight. While this committee generally has overall responsibility for risk management (see NYSE Listing Standard 303A.06), boards may choose to place responsibility for cybersecurity with other committees, including ones devoted to risk or ESG issues. And remember, even though boards may want to add directors with functional expertise, including on cybersecurity, collective board fluency in cyber is much more important than narrow expertise—even though it’s harder to express through disclosures. Companies may also want to consider additional external resources to assist them in getting up to speed in overseeing cybersecurity.
- Hold sessions with the chief information security officer (CISO). To increase fluency in cyber, the relevant committee should meet on a regular basis with the CISO and get deep dives on key cyber issues. This allows them to take a deliberate, organized approach on cybersecurity. Likewise, it’s critical for the CISO to feel comfortable coming to the board with any issues and concerns, including resource-related challenges. In some cases, companies are considering meeting in executive sessions with the CISO, as they do with the general counsel, chief financial officer, internal auditor, and external auditor. In any event, regular interaction between the CISO and the board will help create the necessary trust and transparency.
Conclusion
It’s not a question of whether your company will be attacked but when—and the damage may be immeasurable. With the war in Ukraine and the sustained threat of Russia-backed cyber retaliation (which could extend in time well beyond the military conflict) shining a spotlight on cybersecurity, and with new legislation and impending disclosure regulations, companies have an opportunity to adjust their approach to cybersecurity. They should not merely view cyber as a legal or technical matter—or an episodic issue—but as a strategic business risk that warrants sustained attention by the board and senior management.
This brief draws insights from various ESG Center programs, including 1) a Cybersecurity Working Group, held in collaboration with Deloitte between 2018-2020; 2) a webcast, held in collaboration with Cleary Gottlieb Steen & Hamilton in May 2022; 3) a Center Briefing, held in collaboration with Hughes Hubbard & Reed in March 2022; and 4) a Center Briefing, held in collaboration with Wachtell Lipton Rosen & Katz in October 2021.
[1] Ukraine has enlisted thousands of cybersecurity professionals—a government-led volunteer “IT Army”—to fight back online; separately, vigilante hacktivists, including the hacker collective Anonymous, continue to hack Russian operations on an unprecedented scale.