2021-07-07

A majority (85%) of U.S.-based CFOs responding to the recent Q2 2021 CNBC Global CFO Council survey said their boards have had a formal discussion about recent cybersecurity attacks and the aftermath of the events. But even though directors are having these conversations, experts say they don't always know the right questions to ask to help guide their companies to the best solutions.

The critical nature of these conversations was underscored over the Fourth of July holiday weekend when information technology company Kaseya confirmed that it had suffered a "sophisticated cyberattack" on its VSA software — a set of tools used to remotely monitor and manage computers. Kaseya's software is used by large IT companies that contract out to hundreds of smaller businesses.

"Cyber security needs to be managed like any other risk," says Jim Lewis, senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies. "The dilemma is that boards don't know what the standards are, what's risky and what isn't." Without that basic framework, it's impossible for directors to know the right questions to ask CEOs and chief technology officers to determine how vulnerable their companies actually are.

Michael Daniel, the president and CEO of the Cyber Threat Alliance and a former cybersecurity coordinator on the National Security Council Staff under President Obama, says the best place for directors to begin is to ask whether the CEO and other senior leaders are thinking through what cyber risk means for their company. "Just like litigation risk or natural disaster risk, cyber risk is something that directors need to be talking about with the CEO," he says.

An effective conversation will allow boards to start with these three questions: How is the company positioned to prevent a ransomware attack in the first place? Is there a way for the company to know a ransomware attack is in process? What is the plan for responding to a ransom demand?

Beyond that, boards should be asking how often data is backed up and how confident management is that backups would remain unaffected should there be a ransomware attack. CTOs and other IT leaders can reassure boards by informing them how backups are stored (offline and kept in a different location from the network, or in a cloud service) and how confident the company is that it would be able to recover data from these backups.

Directors should also seek to widen the lens.

"It's not enough for the board to ask about how the company would respond to a ransomware attack from a technical standpoint," Daniel says. "The board should be discussing the legal perspective and the communications plan for the workforce, customers, and vendors. This is all part of a critical response plan for a cyber attack."