Memo to the CEO – Sir, we have a cybersecurity problem…
Mon 30 Jan 2017 | Michael Mudd

The above words are not what the Chairman – or the board – of any company wants to hear today; cybersecurity is now a front-and-centre C-suite issue.
A data breach today may significantly affect both the company and its customers. A loss of corporate data, which could include contracts, supplier details, plans, designs or formulas, may seriously damage the company’s business and reputation. If customer data is also stolen, the breach may also violate local data privacy laws, which could lead to fines, business suspension or worse.
What does this mean for the board of a listed company in Hong Kong? Most have an audit and/or compliance committee, which today should include data security and privacy, but do they have the knowledge to discharge this duty? One of the most damaging recent cyberattacks on a commercial enterprise was the one on Target Stores in the US. The board thought the company was secure and in compliance with standards such as PCI DSS for its customers’ credit card information. 40 million stolen records later, the CEO was out of a job and half the board faced dismissal. Investors claimed they failed to protect the company; the board members were able to convince shareholders to re-elect them, but clearly there will not be a ‘next time’.
This event (and many similar) led US Senators Reed and Collins to introduce the Cybersecurity Disclosure Act of 2015 (S. 2410) in December 2015, which addresses the cybersecurity expertise, or lack thereof, on corporate boards. It describes in detail what cybersecurity steps should be taken for nominees to the board, together with standards as to competence. This adds to the Cybersecurity Act of 2015 and will apply to every publicly listed company in the US. The US SEC will issue rules within one year of enactment, which may be as early as 2017.
What has this got to do with Hong Kong, or indeed any company outside the US? It’s the global supply chain. The Target breach came via a supplier connected to Target’s data centre which, because of its inadequate controls, accidentally allowed malware to enter that data centre. Poor internal security controls and practices there compounded the problem and enabled the criminals to roam around various databases and extract credit card information for fraudulent use. US-listed companies may soon be asking their suppliers to be in compliance with S. 2410.
The reality is that in many organisations there are combinations of weak internal security controls and poor training of staff who handle data – which is just about everyone – that provide an entry point for criminals. A board must have an emergency response team ready.