On July 19, a glitch during a CrowdStrike software update caused widespread computer outages that affected thousands of businesses around the world and woke up corporate executives to a new cybersecurity danger. Director Columnist Matthew Scott recently spoke with Chris Hetner, former senior cybersecurity counsel at the Securities and Exchange Commission and cyber risk counsel to the National Association of Corporate Directors, to get insight into how corporate boards should respond to ever-evolving cyber risks. Below are edited excerpts from their conversation.
How should the global IT outage linked to CrowdStrike software updates and Microsoft operating systems in July, which caused disruption to millions of businesses, rank as a risk factor for most boards?
This was a software update pushed out by CrowdStrike that affected millions of devices and thousands of businesses worldwide. It specifically affected Microsoft operating systems. It did not affect CrowdStrike updates on platforms such as Linux or Macintosh… This was accompanied by a Blue Screen of Death (BSOD), meaning Microsoft is running a continuous reboot cycle and cannot reboot because the software update has not taken effect.
In terms of risk prioritization, this is undoubtedly an unprecedented disruption. While the total damages have yet to be determined, this is clearly a high-risk exposure for businesses that rely on software updates. It also highlights the importance of how this type of incident can impact organizations in different ways. For example, Delta Airlines struggled to serve thousands of clients and customers, while a major retailer with just a couple of cash registers relying on CrowdStrike system updates could revert to manual processes using credit cards and Apple Pay to continue doing business.
Organizations need to understand the different types of IT risks they may be exposed to. There are risks from all sorts of vendors and suppliers that organizations rely on, such as CrowdStrike software and Microsoft, so understanding these risks should definitely be a top priority and a wake-up call for the board.
Are there any software companies or industries that are more at risk for this type of IT disruption?
There are two key elements in this case: one, the machines that handle the business processes are running Microsoft operating systems, and two, you have the CrowdStrike updates layered on top of that. So this definitely impacts all industries.
This incident highlights the fact that these types of events need to be wrapped up in business, operational, legal, regulatory and financial context. It also highlights the fact that in this case, it wasn't malicious — this was someone doing their job and releasing a software update to ensure a secure environment. But clearly, this incident caused massive disruption around the world.
So what are some key steps boards can take to prevent such IT disruptions in the future?
Ultimately, boards need to understand the relationships between suppliers, technology assets, and core business processes. With that understanding, boards can begin to look more closely at how a cyber event could cause significant operational, regulatory, and financial harm. This will enable targeted management processes and investments to mitigate these risks going forward.
Therefore, board members should consider the current state of technology, the cybersecurity threat landscape, which threats could most impact the business, and what types of relevant mitigation options could lead to improved safety. If you can't fully mitigate the risk, plan to endure a three-day or three-hour outage before restoring operations. Defining these risk parameters is critical. If the board determines that an outage of three hours or more is unacceptable, it must determine the investments required to manage that risk exposure.
The board can also use analytics and outside consultants to identify where cyber threats are most likely to cause financial harm to the company's operations and where such financial harm may actually occur. That information can then be used in conjunction with other risk mitigation measures to guide management on the appropriate level of investment and where that investment needs to be deployed to reduce risk exposure.
When a board prepares for this type of crisis, how does insurance coverage affect what a board should consider?
One area where boards should be proactive is stress-testing the company's insurance policies to determine whether they can withstand the potential losses from a cyber attack. Boards should ask themselves, “Do we have the appropriate level of insurance for the potential business impact? And are the coverage limits appropriate?” In short, insurance will play a key role in driving the risk decisions that boards should consider.
Is there anything else company directors should know on this important subject?
Boards need to start thinking about the importance of disclosures to the SEC and the potential liability that may be incurred by directors and officers through enforcement actions by the SEC or class action lawsuits by the investor community for failing to pay attention to cybersecurity. Failing to exercise the appropriate level of oversight and engagement regarding cybersecurity could be very problematic for boards.
With the implementation of the SEC's new disclosure rules, we expect to see an increase in class action lawsuits targeting companies that make misleading statements or claim to have best-in-class cybersecurity but have experienced serious cybersecurity incidents. We encourage boards to bring in outside experts to fill gaps in digital and cyber expertise within the boardroom so the board can get an independent judgement of performance and an independent report on where peers are investing in cybersecurity with perceived financial losses.
Directors should then ask questions such as: “What is the frequency of cybersecurity reporting to the board? Which committees are appropriate to monitor and oversee cybersecurity?” Audit committees have become overwhelmed with many new responsibilities in recent years, so a risk committee of some kind may be better suited to address cybersecurity.
And finally, boards need to ask themselves, “How substantive is your cybersecurity reporting?” Are you simply checking a box, or are you actually having in-depth discussions about how these cyber risks may impact the business and where you are deploying capital to mitigate that risk?
I would encourage boards to adopt this approach going forward.