Public, private, and not-for-profit boards and their directors are equally vulnerable to reputational risk. I have seen situations in which directors have taken their eye off key risks and reputational damage has ensued.
This article in the series will focus on privacy breaches.
The use of technology has accelerated in recent years. As we all know, cybersecurity breaches have also skyrocketed. Some boards and management teams have become somewhat complacent about these incidents, considering them to be commonplace and, therefore, a forgivable offense. While they may be commonplace, they may, depending on the breach, have a material impact.
A Canadian healthcare firm was recently targeted with ransomware. Patient information including names, birthdates and more was breached. The Chairman communicated to all affected clients by email. He was the right person to deliver the message. However, the organization delayed weeks before communicating. This was a mistake.
Your clients may understand that you have not yet identified the root cause, but they want to know immediately when their data, information and privacy have been breached. I expect this organization will lose a number of clients following this misstep.
A best practice for all boards is to have regular communication with the CIO or whoever has responsibility for information services. I have seen boards invite the CIO or the Chief Technology Officer to a board meeting. They ask specific questions about trends:
- Have there been more attacks on our systems?
- Have there been more attacks in our industry?
- Where may our vulnerabilities lie?
The other important question is, “What investments in technology have you suggested or recommended before that we have not approved or that have not been supported? And what implications or risks have resulted from that?” Sometimes, particularly if an organization is under expense constraints, it will defer or postpone technology investments, which can create an increased risk for the organization. It’s not the board’s place to decide upon those technology investments, but it is the board’s role to guide management and govern risk. Directors can often offer helpful insights or ask probing questions that lead to better management decisions.
© 2020 Lorraine A. Moore. All rights reserved. Permission granted to excerpt or reprint with attribution.