5 February 2025
When an organisation faces a cyber incident, such as a ransomware attack, the board plays a critical role in steering the company through the crisis. The board is responsible for providing leadership, oversight, and strategic direction, ensuring the organisation responds effectively, mitigates the attack’s impact, meets legal obligations, and learns valuable lessons to prevent future incidents. It is essential for the board to have a clear understanding of the organisation’s cyber resilience and strategy to manage such events effectively.
Here are the key responsibilities of the board during a cyber incident:
1. Oversight and Governance
a. Immediate Response:
The board’s first action in the event of a cyber attack is to activate the Incident Response Plan (IRP). Having a pre-established IRP is essential for maintaining cyber resilience: the key decisions (who has authority to isolate systems, who contacts whom, which outside parties are engaged, how communications are approved) are made in advance, in a calm environment, so that during the incident the organisation can act quickly to restore operations, comply with legal requirements, and manage internal and external communications rather than debating process under pressure.
A critical early decision involves determining whether the business has cyber insurance. If so, the next step should be to contact the insurer’s 24/7 incident response hotline. This call should come early: many policies require the insurer to be notified before response costs are incurred or outside firms are engaged, and late notification can put cover at risk. Cyber insurance providers can support the board in managing many of the responsibilities outlined below, although the board retains oversight and decision-making authority. If the business lacks cyber insurance, the IRP should set out the initial response and name the sources of support, whether internal resources, an external cybersecurity provider, the NCSC (National Cyber Security Centre) incident management team, or law enforcement, together with clear lines of delegation so that nobody is waiting for permission to act.
Ultimately, the board or delegated authorities are responsible for initiating the response and overseeing the defence and recovery efforts.
b. Governance of Decision-Making:
The board will need to make or approve high-level decisions as the response unfolds, for example taking business-critical systems offline, accepting the cost of a slower but safer recovery, or how to respond to a ransom demand. While cybersecurity experts, legal advisers and insurance providers will offer guidance, the board has the final say in approving the steps forward and committing resources, and should record those decisions and their rationale as they are made.
2. Communication
a. Internal Communication:
Effective internal communication is crucial during a cyber incident. While cyber insurers may assist with advice on messaging and timing, the board must ensure clear, accurate, and timely communication within the organisation, especially with key stakeholders and employees. Until the extent of the compromise is known, the response team should assume the attacker may still have access to email and internal messaging, so sensitive coordination should use a separate, trusted channel. Leadership presence can be particularly reassuring during challenging times, especially in a ransomware attack where sensitive data may be at risk.
b. External Communication:
External communications must also be carefully managed. Cyber insurance providers may help with public relations support, but the board must oversee communication with customers, investors, regulators, and the media. Ensuring that the messaging is transparent, accurate, and timely will help maintain trust and ensure compliance with legal obligations.
3. Risk Management
a. Assessing Impact:
The board’s role includes assessing the potential impact of the cyber attack on the organisation’s operations, finances, reputation, and legal standing. While cyber insurance may cover some business interruption costs, managing relationships with customers and stakeholders is essential for preserving the organisation’s reputation.
b. Mitigation Strategies:
The first priority in mitigating the impact of a cyber attack is containment. The board does not carry out containment itself, but it must ensure that internal teams and external experts have the authority to secure systems and networks promptly, even where that means interrupting business operations, and that operations can then be restored through backups or alternative means. Before restoring, the response team should confirm that the backups themselves are intact and untouched by the attacker and that systems are rebuilt from a known-clean point, otherwise the organisation risks reintroducing the compromise. The board is responsible for ensuring that strategies to minimise the risks associated with the attack are in place and resourced.
c. Additional Support:
If the attack compromises sensitive data, the board may need to consider additional support for affected stakeholders, such as offering credit monitoring, identity protection services, counselling, or helplines. Cyber insurers may advise on the necessity of such measures, but it is the board’s responsibility to ensure these services are provided if needed.
4. Legal Considerations
a. Regulatory Reporting:
The board must ensure the organisation complies with all legal and regulatory requirements related to the cyber incident, particularly with regard to data protection laws such as the UK GDPR. Where personal data is involved, a breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of the organisation becoming aware of it, and affected individuals must be told without undue delay where the risk to them is high; the clock starts on awareness, not on completion of the investigation. Regulated firms may have additional notification duties to their sector regulator, and contracts with customers often set their own timelines. Failure to report breaches within required timelines can result in significant penalties. Cyber insurance providers typically assist with regulatory reporting, but it is the board’s responsibility to understand and fulfil these obligations.
b. Legal Implications:
The board must also consider the legal consequences of the attack, including potential liabilities to stakeholders. While legal support is likely to be provided by the cyber insurer, the board must coordinate with legal teams to manage the organisation's response and mitigate any litigation risks. This includes ensuring that logs, affected systems and other evidence are preserved before machines are wiped and rebuilt, as they may be needed for regulatory enquiries, insurance claims or litigation.
5. Post-Incident Review and Future Mitigation
a. Incident Review and Roadmap:
Once the immediate crisis is over, the board should lead a comprehensive review of the incident to understand its causes, evaluate the effectiveness of the response, and identify areas for improvement. The review should cover how the attacker got in, how long they were present before detection, and where the IRP helped or hindered, using internal resources along with feedback from the cyber experts involved to assess the organisation's cybersecurity posture.
One valuable outcome of a cyber attack is a clearer understanding of the organisation’s actual cyber resilience, as opposed to the resilience assumed in policy documents. Based on lessons learned, the board should push for necessary improvements in cybersecurity, resource allocation, and overall risk management, and should update the IRP so that the organisation is better placed to withstand and respond to the next attack. If the organisation intends to maintain cyber insurance, insurers will often require confirmation that the identified vulnerabilities have been addressed.
Final Thoughts
The involvement of the board is crucial at every stage of a cyber incident, from initial response and mitigation to post-incident reviews and long-term improvements. Effective governance, communication, risk management, and legal oversight will help the organisation recover and build a stronger cybersecurity posture moving forward. For additional guidance on the board’s role in cybersecurity governance, you may find the National Cyber Security Centre’s resources valuable, including its Board Toolkit and this blog post on the role of the board.
If your business requires expert advice on managing cyber risk, please get in touch with our risk management expert, Andrew Cassell. He will be happy to discuss tailored solutions to safeguard your organisation.

Andrew Cassell Dip CII, CCIS
Risk Management Executive
E: Andrew.Cassell@verlingue.com