Why is this an important issue now?
- Debilitating cyber attacks on businesses are now more likely than ever, with a diverse and unpredictable set of criminal groups emerging into the void left by the law-enforcement disruption of LockBit.
- Businesses are more vulnerable to operational disruption as threat actors harness AI to launch attacks and use sophisticated tactics to move laterally within networks and hinder forensic investigations (for example, by deleting logs, shadow copies and backups before deploying ransomware).
- Operational disruption, whether caused by the deployment of ransomware that encrypts systems or by the need to take compromised technology offline, can have massive business impacts. Companies facing such attacks may be unable to manufacture and ship goods, deliver services or put staff to productive work, leading to material loss of business and revenue.
- The global cyber regulatory landscape—which comprises a web of sector-specific rules, cyber regimes, data protection regulations, and more—is more complex than ever.
- Regulators are demanding measures to build operational resilience and improve disaster recovery with individual accountability for senior executives and boards.
- The SEC, for example, mandates that U.S. public companies set out in their annual reports (Regulation S-K Item 106, in the Form 10-K) how they identify, assess, and manage cybersecurity risks, management's role in assessing and managing those risks, and how the board exercises oversight, and separately requires material cybersecurity incidents to be disclosed on Form 8-K within four business days of the materiality determination.
- These disclosure obligations increase the risk of securities litigation and enforcement action over cybersecurity misstatements or omissions.
What are the main legal and regulatory considerations involved in robust cyber operational resilience?
To give a business the best chance of recovering from a cyber incident, boards should ensure management have robust preparations in place and war-gamed processes to follow. That advance planning should cover the following areas.
How should boards exercise oversight of cybersecurity?
- Boards should assign a named individual or committee to oversee cybersecurity risk. Board and committee discussions that relate to cybersecurity should be documented, and should include regular briefings from management—including in relation to business continuity and disaster recovery (BCDR) planning.
How would decision-making and leadership function in a cyber incident?
- Robust business continuity planning should consider how to support decision-making amid a systems outage, including ensuring staff know who has the authority to make decisions and that this information is available offline. How would leadership teams coordinate if corporate email, chat and directory services are unavailable or cannot be trusted (e.g., a pre-agreed out-of-band channel such as WhatsApp or Signal, with contact details held offline), and how will decisions taken over such channels be recorded? Is there a single point of failure or bottleneck in decision-making (e.g., do preparations cover deputies and the impact of fatigue on senior leaders during a multi-day incident)?
- Processes should be put in place to ensure key contacts in functions such as HR and IT are aware of relevant decisions being made by different business units (for example, the sequence in which systems are restored, or decisions to notify employees) and can input into those decisions.
- Likewise, processes should be implemented to maintain a log during a cyber incident of key decisions around restoration efforts, who took them and when, and the dates and times at which business continuity was achieved for each service. Notes should also be taken of calls and meetings where restoration and business continuity efforts are discussed; regulators and other third parties may later ask for these records.
How would internal communications function?
- Management should understand the key individuals across the business that will be required to respond to a cyber incident from an operational and data perspective, how they will be reached if systems are down, and how internal comms will be drafted and shared across the organization.
And external communications?
- It is important to know in advance which customers/suppliers need to be contacted in the event of an incident, and whether any should be prioritized.
- Leaders should understand the company’s contractual obligations around notifying customers/suppliers and what key contacts would expect in terms of communications (e.g., frequency, channel etc.).
- Preparations should ensure all activities are possible in the absence of systems, electronic communications channels, and internet access, including the tracking of those who have been contacted.
What cyber crisis response protocols should be put in place?
- Preparations should cover how questions from different stakeholders (e.g., customers, regulators, journalists etc.) will be received during an incident.
- Predefined response protocols, pre-approved comms templates, and holding statements should be available, and reviewed/updated regularly by a named individual.
- Processes for triaging and escalating inbound queries to senior management, legal, PR etc. should be documented.
- Management should know how external comms and incident response teams will coordinate during an incident, and whether the business has a designated liaison in place. This helps to ensure information is shared and messaging/actions are aligned.
- It is important to establish a mechanism to monitor and collect feedback from external parties during an incident, and to use this to adapt external comms. Again, planning should ensure all activities can be carried out during a systems outage.
What about third-party service providers?
- Management must identify any critical third-party service providers (e.g., IT vendors, logistics partners) whose operations may be impacted by a cyber incident, and have in place a process for communicating with them during an outage.
- Contact information must be accessible offline and protocols implemented to coordinate incident response activities and communications to ensure continuity of service and alignment of messaging.
How would continuity of internal operations be maintained?
- It is important to assess which internal teams/divisions need to communicate to maintain business operations, and how they would communicate during an outage (e.g., using personal devices or other alternative means).
- Steps must be taken to ensure records are kept and important electronic materials can be accessed if systems are down.
- Would staff be asked to stay at home? How would they carry out their duties and reporting? Can outstanding invoices be tracked offline? Would payroll functions be impacted? Managers should have answers to all these questions.
What do we need to think about around orders and payments?
- Likewise, steps must be taken to ensure the business can place, take and fulfil orders, issue invoices, and pay suppliers even if systems are offline.
What do we need to do (and document) in relation to recovering our IT systems?
- Management should ensure named individual(s) are assigned to keep an inventory of applications, data, infrastructure, and systems, with the inventory updated regularly and available offline. Areas of high risk (for example, heavily customized systems that would take a long time to bring back online once restored) should be logged.
- Core applications, data, infrastructure, and systems (including the identity provider and the backup infrastructure itself, both of which ransomware operators routinely target) should be identified and either isolated or otherwise protected (e.g., via dedicated access controls).
- IT and business unit leads should know the order of priority for systems recovery, and systems should be backed up regularly and securely in a way that leaves no single point of failure: at least one copy should be offline or immutable and held under credentials separate from the production domain, so that an attacker who gains administrative access cannot encrypt or delete the backups along with the systems they protect.
- Planning should assess how much data could be lost in a worst-case scenario (in practice, the interval since the last restorable backup), which can be used to set Recovery Point Objectives (RPOs) for key systems.
- Importantly, businesses should test their ability to restore systems from backups, including whether any additional hardware or software modifications/updates would be needed to bring items back online, and how long a full restore actually takes compared with the target recovery time. As part of this process, it is vital that written records are kept of how systems have been configured.
- Measures should be introduced to preserve evidence during containment and restoration efforts. Can forensic collectors and other security tools be deployed before and during restoration? How would the business ensure that evidence such as the ransomware payload, ransom notes, logs and forensic images of affected hosts is captured and hashed before those hosts are wiped and rebuilt, rather than inadvertently lost in the rush to restore?
- The assessment should cover any jurisdiction-specific concerns associated with restoration, for example a requirement to consult works councils.
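The evidence-preservation point in the list above (capturing artefacts such as the ransomware payload before restoration destroys them) is the one item that reduces to a concrete technique. The following is an added example, not code from the original article or from any named product: it hashes each artefact with SHA-256, copies it into an evidence vault with a chain-of-custody manifest, and lets the restore team verify the vault is still intact before a host is wiped. The paths, file contents, analyst name and case identifier are all constructed for the demonstration.

```python
"""Evidence preservation before rebuild: hash-and-manifest collection.

Added example (not from the original article). Assumed flow: an IR analyst
copies artefacts from a compromised host into an evidence vault, records a
chain-of-custody manifest with SHA-256 hashes, and the restore team verifies
the vault is intact before the host is wiped. All paths, file contents, the
analyst name and the case identifier below are constructed for the demo.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large forensic images need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect_evidence(sources, vault: Path, collector: str, case_id: str) -> dict:
    """Copy each artefact into the vault, hash it, and write a chain-of-custody manifest.

    Returns the manifest (with the manifest file's own hash added) so it can be
    copied into the offline incident log at collection time.
    """
    vault.mkdir(parents=True, exist_ok=True)
    items = []
    for src in map(Path, sources):
        digest = sha256_file(src)
        # Prefix with the hash so two artefacts with the same filename do not collide.
        dest = vault / f"{digest[:16]}_{src.name}"
        dest.write_bytes(src.read_bytes())
        # Re-hash the copy: a preserved artefact is only useful if it is a faithful duplicate.
        if sha256_file(dest) != digest:
            raise RuntimeError(f"copy of {src} does not match source hash")
        stat = src.stat()
        items.append({
            "original_path": str(src),
            "stored_as": dest.name,
            "sha256": digest,
            "size_bytes": stat.st_size,
            "source_mtime_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(stat.st_mtime)),
        })
    manifest = {
        "case_id": case_id,
        "collector": collector,
        "collected_at_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "items": items,
    }
    manifest_path = vault / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    # The manifest's own hash is recorded out of band (incident log, printed sheet)
    # so the manifest cannot be quietly edited after the fact.
    manifest["manifest_sha256"] = sha256_file(manifest_path)
    return manifest


def verify_vault(vault: Path) -> list:
    """Return a list of problems; an empty list means every artefact still matches its hash."""
    manifest = json.loads((vault / "manifest.json").read_text())
    problems = []
    for item in manifest["items"]:
        stored = vault / item["stored_as"]
        if not stored.exists():
            problems.append(f"missing: {item['stored_as']}")
        elif sha256_file(stored) != item["sha256"]:
            problems.append(f"hash mismatch: {item['stored_as']}")
    return problems


def demo() -> tuple:
    """Collect constructed artefacts, verify, simulate a restore tool clobbering one, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        host = Path(tmp) / "host"
        host.mkdir()
        # Constructed stand-ins for what an IR team grabs before a host is rebuilt:
        # the ransomware binary, the ransom note and an event log.
        payload = host / "locker.exe"
        payload.write_bytes(b"MZ" + b"\x90" * 64)
        note = host / "README_RESTORE.txt"
        note.write_text("Your files are encrypted. Constructed sample ransom note.\n")
        log = host / "Security.evtx"
        log.write_bytes(b"ElfFile\x00" + bytes(range(256)))

        vault = Path(tmp) / "evidence"
        manifest = collect_evidence([payload, note, log], vault, "J. Analyst", "CASE-0001")
        before = verify_vault(vault)
        # Simulate restoration tooling truncating the preserved payload.
        (vault / manifest["items"][0]["stored_as"]).write_bytes(b"")
        after = verify_vault(vault)
        return manifest, before, after


if __name__ == "__main__":
    manifest, before, after = demo()
    print(json.dumps(manifest, indent=2))
    print("before restore tooling ran:", before or "intact")
    print("after restore tooling ran:", after)
```

In practice the vault sits on storage that neither the restoration tooling nor the attacker can reach (removable media or a separately credentialed share), and the manifest hash is written into the offline decision log described earlier at collection time, so that any later alteration of the manifest or its contents is detectable.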
What should a cyber continuity and disaster recovery plan contain?
- A business continuity and disaster recovery plan should anticipate a total systems outage. The plan should, among other things:
- be accessible in the event of a cyber incident that takes systems offline;
- list immediate first steps;
- list key contacts;
- define Recovery Time Objectives (RTOs, how quickly each item must be back in service) and RPOs (how much data loss is tolerable) for key products, services and systems; and
- be regularly reviewed.
Should we conduct tabletop exercises?
- The BCDR plan should be regularly stress-tested via tabletop exercises.
- These should include scenario-based simulations and technical recovery drills.
- Third parties (e.g., critical service providers, external counsel and incident response providers) should be involved.
- Lessons learned should be recorded and used to update the plan.
What about contractual protections and legal/regulatory risk management?
- RTOs and RPOs should be included in contractual terms with customers, and matching commitments obtained from critical suppliers so that the business does not promise customers more than its own providers will deliver.
- Force majeure clauses should expressly reference cyber incidents alongside other disruptive events such as fire and flood to mitigate risk in the event of a cyber incident inhibiting the provision of goods/services.
- Formal relationships should be established with specialist providers, such as forensic investigators, legal counsel, and recovery service providers.
- Laws and regulations across the world are increasingly encouraging or mandating businesses to run cyber resilience tabletop exercises, including frameworks in the EU, UK, Australia, and Malaysia.
- In the wake of a cyber incident, regulators will often ask whether training and exercises have been conducted to mitigate cyber risk. Legal counsel can offer a post-tabletop Letter of Record to show regulators and other third parties that proactive steps have been taken.