(202) 248-5050
AxonInfo@AxonCyber.com

Axon Global has trained over 150 F500 Board Directors and General Counsel in Cyber Enterprise Risk Management (ERM). Colleagues trained include CxOs, inside counsel, outside counsel, and National Bar Association executive leadership.

Here are the current Frequently Asked Questions by Board Members in "Cyber ERM Training for Directors":

  1. What are the implications of SEC Chairman Jay Clayton's recent statement, "Public companies have a clear obligation to disclose material information about cyber risks and cyber events"?
  2. How will the European Union General Data Protection Regulation (EU GDPR) create cybersecurity liability for my organization?
  3. How do I mitigate risk with EU GDPR?
  4. What are the implications of Yahoo! and Equifax having a criminal investigation component to their cyber breach response? Will D&O or cybersecurity insurance cover that?
  5. What happens during an Equifax type breach and what is my role in that?
  6. How do I get a more meaningful risk report from my C-suite?
  7. What questions should I be asking as a board member?
  8. To whom should risk be reported?
  9. What is a good governance model to implement cyber risk management?
  10. How can we know which suppliers or partners are infecting us with malware or which are a back-door cyber risk?
  11. Does anyone outside of the company know about our cyber (vulnerabilities/compromises/breaches)?
  12. What organizations might hold us accountable with respect to cyber compromises and breaches?
  13. How do we increase visibility into what's really happening internally [with respect to cybersecurity]?
  14. How do I compare to others in my industry, and when are we required to meet a reasonable versus a responsible standard?
  15. In M&A, how can I know if the target company’s intellectual property has already been compromised or stolen?
  16. Is cyber espionage something we should report? If so, how? Can we do it with safe harbor?
  17. Cybersecurity insurance is not covering much in recent breaches, why? How do we mitigate that risk?
  18. Since the administration changed, what are the expectations of regulators vs. stakeholders?
  19. I can't see it [the cyber compromise/breach] and the company operations are not "feeling the effects," so why not keep doing what we're doing until something happens (e.g., a disclosable event) and deal with it then?
  20. How do we determine what is a material cyber incident or vulnerability? Is that sufficient?

Top Lessons Learned by Directors who've survived a cyber breach scenario. Their experience advises Directors to assume the following:

  1. Presume that cybersecurity risk and liability are better mitigated with Enterprise Risk Management and Governance than with technology: "what will you wish you had done yesterday, if a breach is discovered tomorrow?"
  2. Presume that cybersecurity compromises invoke survival instincts, as in "Maslow's hierarchy of needs." Expect unusual and sometimes desperate behavior as a breach or disclosable event develops.
  3. Expect organizational behaviors that, when audited, violate D&O insurance coverage requirements, disqualifying insurance protection. Therefore, ask questions and create accountability mechanisms that prevent those behaviors.
  4. Expect that your organization is not fully informed about cyber compromises and that they are not going to tell you all you need to know. This is true even in F500 companies. Again, accountability processes are key and the "Tone at the Top" defines the culture. For example, have an "anonymous hot-line or drop-box" where insiders or outsiders can report known compromises, breaches or tips that reveal exposures, without attribution.
  5. Statistics prove that the majority of the time, IT does not know when they are compromised or breached, until a third party reports it to them.
  6. Presume that IT is looking for "proof" of a compromise or a breach; however, most breaches happen with hijacked but legitimate credentials, which are almost impossible to detect. Therefore, do not become desensitized to "indicators of compromise"; these are meaningful and important.
  7. When indicators of compromise prevail, assume you are compromised and begin "cleansing," segmenting networks, and reinforcing protection of crown jewels, before there is a breach. Waiting for evidence of a compromise before re-allocating resources is a sure path to cyber compromise mismanagement.
  8. Cybersecurity insurance rarely covers the majority of costs in a cyber breach.
  9. Knowing what questions to ask creates alignment of people, policies, and processes in the right direction.
  10. Presume the general counsel is there to protect the company, not the individual board member.
  11. Neither technology nor government will solve the cybersecurity problem; cyber enterprise risk management tools are the key to protecting reputation and valuation.
  12. The company will eventually be compromised and breached, so practice what to do before it happens.
  13. Presume that cyber risk, risk transfer, risk mitigation, risk reporting, and escalation are not defined for the company. Lead and get these defined.
  14. Presume that the evidence of what your organization did or did not do, and what the organization should or should not have done, with respect to cybersecurity, compromises and breaches, already exists beyond company walls and is openly discoverable by other stakeholders.
  15. Meeting compliance standards is no longer an acceptable standard for reasonable cybersecurity. Directors will be held accountable for what they knew and what they should have known.
  16. Do not let IT "black-box" or mystify the cybersecurity risk for your company. Keep asking the questions until you get satisfactory answers. Are we at risk? How do you know? How do you measure that? Is that enough? Has that been audited? By whom? Can I trust it? How do we know that? Would it stand up to [fill in the blank]?
  17. It's not the compromise or breach that causes most of the liability; it's the lack of governance and the potential unethical behavior surrounding the event that costs the most.

These quotes are anonymized and fictionalized to protect the innocent. Any resemblance to actual events is purely coincidental. These are posted for awareness and education purposes only, as they demonstrate some of the behaviors that can be modified by sound governance.

  1. "Are they really going to hold me accountable [for this cyber compromise]?" A public company, one year before a class action lawsuit was filed and this board member was asked to resign for failure to exercise fiduciary responsibilities as audit chair.
  2. "What's the consequence if we do nothing?" After executives discovered the company was infecting customers and the U.S. Government with Chinese espionage malware.
  3. "Why would anyone want to cyberattack my small company?"  A small business supplier to key U.S. Government infrastructure.
  4. "Why would we need anyone monitoring social media sentiment for us?" Six months later, the public company valuation dropped and the brand name deteriorated, due to social media activists triggering front-page negative, national media coverage.
  5. "The board won't know if there is a problem, because I say there is no problem!" The CTO's response when a supplier risk report demonstrated they were the source polluting others upstream. Twelve months later, that supplier was negotiating a significant settlement for an alleged cyber-breach cover-up.
  6. "No, we don't want to receive that report, I don't care who asked for it!" A critical infrastructure company executive infected with BlackEnergy advanced persistent malware, when auditors asked for an "active-exploits" report.
  7. "You saved us $100 million!" Investors in the last round of negotiation acquiring an IT company. It was discovered the IT company knew, but did not disclose, that its IP had been exfiltrated and that it was knowingly polluting its clients with malware. Investors walked from the deal and the company subsequently floundered when its breach was discovered.
  8. "Is that what you meant about our officer's email being compromised? They [bad actors] know both the log-in AND the passwords? They can read everything?" The question was asked by a C-level executive, three months into an active cyber breach investigation, who did not understand the implications of compromised email accounts.
  9. "We’re just a small manufacturing company; we don’t have time for that cyber [poop]!"  CEO to a company supplying parts to key military bases.
  10. "No, the SEC does not set expectations in cybersecurity for the [public] company," Chief general counsel of an F500 company.