Boards and Cybersecurity

In May of 2021, Colonial Pipeline, the largest pipeline system for refined oil products in the United States, was targeted by a hacker group that has yet to be traced. The firm’s billing system and internal business network were both compromised, causing a gas shortage on the east coast. Eventually, Colonial Pipeline paid the hackers a ransom of $4.4 million in Bitcoin to end the attack. Months later, the company is still paying: Colonial Pipeline is being sued for lax cybersecurity in a class-action lawsuit brought by hundreds of gas stations hurt by the hack, reports the Washington Post. Ransoms (even ones paid in Bitcoin) can be recovered by law enforcement, and much of Colonial Pipeline’s has been recovered. But settlements in the tens of millions of dollars for cybersecurity lapses are irreversible, not to mention devastating to the company’s reputation.

Colonial Pipeline was only one of numerous companies that experienced an attack this year. Cybersecurity attacks have been on the rise, and the situation has only worsened after COVID-19 prompted a nationwide shift towards working from home. In addition, hackers have been deploying sophisticated new tactics, such as ransomware equipped with artificial intelligence that spreads without human intervention. Due to these factors, PwC reports that the global annual cost of cybercrime is expected to increase to $6 trillion in 2021. What can boards do to ensure their companies are fully prepared for a cyber-attack?

Harvard Law School’s Forum on Corporate Governance advises that boards carefully consider, together with executive-level managers, the avenues through which the company monitors cyber risk. In particular, the forum warns against delegating the entire burden to the Audit Committee, given the magnitude of the responsibility. According to PwC, boards must direct their company to take a close inventory of valuable digital assets, screen third parties before the company releases sensitive data to them, patch system vulnerabilities, minimize the use of IoT devices (due to their wide attack surface), and train employees to practice cyber hygiene and maintain security on the digital front. Boards should also leverage new technology in the space, such as blockchains or distributed ledger technologies, which provide security through decentralization and constant data validation. When implementing a blockchain solution, IBM states that management has to provide a secure, resilient infrastructure as well as the willingness to truly understand blockchain networks and how to manage them. That way, companies can truly minimize the risk of data vulnerabilities.

Beyond preventing cybersecurity incidents with appropriate measures, boards should also devise contingency plans consisting of detection, mitigation, and business continuity. The contingency plans should encapsulate a range of scenarios and provide extra detail on when the situation should be escalated or communicated to stakeholders and customers.

To summarize, boards should prioritize both prevention and mitigation, creating a cybersecurity framework for their company that guarantees both safety and service to their employees and clients.