On July 19, a malfunction during a CrowdStrike software update caused widespread computer outages that affected thousands of businesses worldwide and alerted CEOs and boards to yet another danger associated with cybersecurity. In the following Q&A, edited for length, Chris Hetner, former senior cybersecurity adviser to the Securities and Exchange Commission and cyber risk advisor to the National Association of Corporate Directors, shares insight into how CEOs and boards should react to ever-evolving cyber risks.
There was a lot of confusion concerning the worldwide IT outage involving a CrowdStrike software update and Microsoft operating systems that disrupted millions of businesses in July. How high should this type of outage rank as an element of risk for most boards?
This was a software update that was pushed out from CrowdStrike that impacted millions of devices and thousands of companies globally. It specifically impacted the Microsoft operating system. It did not impact CrowdStrike updates on platforms such as Linux and Macintosh… It involved the Blue Screen of Death (BSOD), which means that Microsoft is continuously going through a reboot cycle and can’t reboot because the software updates are not arming.
In terms of risk priority, it’s definitely a disruption that has no historical precedent. The total damages have yet to be determined, but this is clearly a high-risk exposure to any corporation that’s reliant on software updates. This also highlights the importance of how these types of incidents can impact organizations differently. For example, Delta Airlines was struggling to serve thousands of clients and customers, but if you were a primary retailer and you’ve got maybe two cash registers that rely on CrowdStrike system updates, you could revert back to the manual process using credit cards or Apple Pay to continue doing business.
Organizations should understand that there are several types of IT risks they could be exposed to. It could be CrowdStrike software, it could be Microsoft—there’s risk from all types of vendors and suppliers that they rely on, so understanding these risks is definitely a high priority and represents a wakeup call for the board of directors.
Are there any companies or industries that are at greater risk for this type of IT disruption dealing with software?
In this instance, there are two key factors. One, you’ve got the Microsoft operating system running whatever machine that handles whatever business process; and then two, you’ve got the CrowdStrike update that’s layered on top of that. So this definitely has an impact on all industries.
This incident highlights the fact that you’ve got to bring business, operational, legal, regulatory and financial context to these types of events. And it also highlights the fact that in this instance, this was not a malicious act. This was just somebody doing their job, pushing out a software update to make sure we have a secure environment. But clearly, it caused a massive disruption across the globe.
So, what are some key things that boards can do to guard against this type of IT disruption in the future?
At the end of the day, the boardroom needs to understand the relationship between their suppliers, technology estate and core business processes. Once that’s understood, the boardroom can start delving into how the cyber events introduce material business, operational, legal, regulatory and financial harm. This will lead to targeted controls, processes and investments to mitigate these exposures going forward.
So, board members should be thinking about the state of their current technology, their cybersecurity threat landscape, the threats that are most likely to impact their business and what types of related mitigation options could be introduced that could lead to safety improvements. If they can’t mitigate the risks totally, maybe plan for withstanding a three-day or three-hour outage before restoring operations. Defining those risk parameters is super critical. If the board decides that it cannot tolerate anything more than a three-hour outage, then they must determine the investments that need to be made in order to manage that risk exposure.
Boards can also use analytics and outside consultants to help determine where cyber threats are most likely to introduce business, operational and financial harm to the company, including where those financial losses are likely to be realized. They can then use that information, combined with other risk-reducing measures, to guide management on the right level of investments that should be made and where those investments need to be deployed in order to mitigate any risk exposure.
How does insurance coverage factor into what boards need to consider if they are planning for this type of crisis?
One area where boards could be proactive is stress-testing the insurance policies of the company to determine whether those policies will hold up against potential damage from cyberattacks. Boards should ask, “Do we have the right level of insurance aligned to the potential business impact? And then do we have the right limits in terms of coverage?” So, insurance plays an important role in driving risk decisions that the board should consider.
Is there anything else about this important subject that corporate board members should be aware of?
Boards need to start thinking about the materiality around disclosure to the SEC and how that can introduce potential liability to the directors and officers, either through enforcement action by the SEC or through a class action lawsuit by the investor community for not paying attention to cybersecurity. Failing to have the right level of oversight and engagement regarding cybersecurity can be very problematic for boards of directors.
With the new SEC disclosure rules in place, I anticipate an increase in class action lawsuits targeting corporations for making misleading statements, or stating that they’ve got best-in-class cybersecurity, but then experiencing a serious cybersecurity event. I would advise boards to bring in outside expertise to address any gaps in digital and cyber expertise in the boardroom. That way they get an independent determination of how they’re performing, and an independent report on where their industry peers are realizing financial losses and investing in cybersecurity.
After doing that, directors should ask the following questions: “What’s the frequency of cybersecurity reporting to the board? What’s the right committee that should be monitoring and overseeing cybersecurity?” Audit committees have become overwhelmed with many new responsibilities in recent years, so some type of risk committee might be more appropriate to deal with cybersecurity.
And finally, boards should ask, “How substantive is your cybersecurity report?” Are we just checking boxes, or are we actually having a fulsome conversation about how these cyber exposures could potentially take down our business, and where are we deploying capital to reduce that exposure?
I would advise boards to have this type of approach going forward.