FINEX Folio

No one is safe from cyber attacks nowadays. Both the frequency of attacks and their sophistication are rising. In fact, it is no longer a question of whether your system will be hacked but of when it will be hacked. The important thing is: how soon will you know that your company's system has been hacked? Is your company prepared?
A timely and relevant topic on Cyber Security Risk was taken up at the Institute of Corporate Directors (ICD) Distinguished Corporate Governance Speaker Series on June 5. In fact, more than mere lectures, we played a war game. BREACHED! is a war-game by Booz Allen Hamilton based on real world breaches and focuses on areas that have caught senior executives unprepared.
The first scenario: You’re the Risk Management or the Operations Head. Upon reaching the office, the system has been breached and you find out “that highly sensitive company information is for sale in the dark web.” What to do?
Different groups of ICD participants were given different roles, such as Head of Security, Head of Legal, Head of Communications, HR Head, etc., forming the Senior Management Crisis Team. We deliberated and agreed on the best decisions we could come up with given limited information. Different scenarios were introduced in the game with varied time constraints, from the initial notification of a security breach, to the breach going public, to possible financial losses and liabilities. It highlighted the challenges faced by the senior management team in making decisions on the impacts of a cyber security breach and its consequences.
There were a number of learnings. For example, we needed to decide who among the senior managers would lead the Enterprise Crisis Team. The unanimous response of our group was the President. Of course! But someone among the senior team should take a lead role. Does your institution already have a Crisis Management Team in place? Or will you still form it when it happens? Are Legal, Security and Communications part of the team? Do you have a designated Chief Crisis Management Officer? Do you need one? Or can the position be held in a concurrent capacity?
It is important for organizations to put in place a board-approved cyber security incident management and response plan. This should include the designation of select members of the senior management team who know their duties and responsibilities thoroughly, before any actual cyber incidents happen. We should fill in the gaps in our own institutions while there is time.
Another learning is that decision points should be set well in advance. For example, in investing in stocks, there is a "stop loss" order: when the market is down or the stock price falls, there is a standing order to sell the stock at a predetermined price to minimize losses or cap them at a certain level. Similarly, in a cyber security attack, what are the trigger points? When do you shut down internal e-mail or even the core business systems to contain the situation? When do you report the status of the cyber attack to the board? And how often? And when do you communicate with your customers, and what do you say? It is also worth noting that every decision has its consequences, so everyone has to think hard about the next steps.
When should one report to the authorities? In the case of the banking industry, under the Enhanced Reporting and Notification Standards to be issued by the BSP soon, banks will be required to report any cyber-related incident within 24 hours, an enhancement to BSP Circular Nos. 982 and 808.
There were about 10 of us in our group, which included ICD Director Baby Nuesa, LTG Audit Executive Rico Lim, SM Investments Corp. Treasurer Arcus Fernando and PNB Securities President Manny Lisbona. It was exciting and challenging, with good interaction among directors on what to do in case of a cyber attack, and even fun, especially because it was just a game.
 
Flor G. Tarriela is Chairman of Philippine National Bank. She was the first Filipina Vice President of Citibank N.A. and was formerly Undersecretary of Finance when Jose T. Pardo was DOF Secretary. She is a natural farmer and an environmentalist.