• A majority (85%) of U.S.-based CFOs responding to the recent Q2 2021 CNBC Global CFO Council survey said their boards have had a formal discussion about recent cybersecurity attacks.
• Cyber threats need to be considered a risk the same as litigation, natural disaster, and supply chain risk.

A majority (85%) of U.S.-based CFOs responding to the recent Q2 2021 CNBC Global CFO Council survey said their boards have had a formal discussion about recent cybersecurity attacks and the aftermath of the events. But even though directors are having these conversations, experts say they don't always know the right questions to ask to help guide their companies to the best solutions.

The critical nature of these conversations was underscored over the Fourth of July holiday weekend when information technology company Kaseya confirmed that it had suffered a "sophisticated cyberattack" on its VSA software — a set of tools used to remotely monitor and manage computers. Kaseya's software is used by large IT companies that contract out to hundreds of smaller businesses.

"Cyber security needs to be managed like any other risk," says Jim Lewis, senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies. "The dilemma is that boards don't know what the standards are, what's risky and what isn't." Without that basic framework, it's impossible for directors to know the right questions to ask CEOs and chief technology officers to determine how vulnerable their companies actually are.

Michael Daniel, the president and CEO of the Cyber Threat Alliance and a former cybersecurity coordinator on the National Security Council Staff under President Obama, says the best place for directors to begin is to ask whether the CEO and other senior leaders are thinking through what cyber risk means for their company. "Just like litigation risk or natural disaster risk, cyber risk is something that directors need to be talking about with the CEO," he says.

An effective conversation will allow boards to start with these three questions: How is the company positioned to prevent a ransomware attack in the first place? Is there a way for the company to know a ransomware attack is in process? What is the plan for responding to a ransom demand?

Beyond that, boards should be asking how often data is backed up and how confident management is that backups would remain unaffected should there be a ransomware attack. CTO's and other IT leaders can reassure boards by informing them how backups are stored (offline and kept in a different location from the network or in a cloud service) and how confident the company is that it would be able to recover data from these backups.

Directors should also seek to widen the lens.

"It's not enough for the board to ask about how the company would respond to a ransomware attack from a technical standpoint," Daniel says. "The board should be discussing the legal perspective and the communications plan for the workforce, customers, and vendors. This is all part of a critical response plan for a cyber attack."

'Becoming numb'

One of the reasons why conversations at the board level are not as robust as they could be is that companies are "becoming numb" to cyberattacks, says Nicola Morini Bianzino, the global chief technology officer at Ernst & Young.

"On the one hand they are devastating events that can have a massive brand and reputational impact," he says. But when speaking with clients, Bianzino says he is not hearing that cybersecurity is a top priority.

"It's almost as if they're saying 'if I shut my eyes it will go away, or the FBI will step in and fix it, or I will just pay and I don't want to hear about it anymore.'"

None of those approaches will solve the problem, he says. "Cybersecurity is a mission-critical item," Bianzino explains. "There isn't a single CEO of any company in any sector that has the luxury to leave the cybersecurity question of strategy to one individual within the organization." Especially, he adds, when most of the time that individual is not even at the level of the C-suite, but rather reports to the COO or the CFO.

Compounding the problem is that often, when the board does hear from a CTO or chief information officer, the message is heavy with technical terminology. "I would argue that one of the critical skills that a CISO or a CTO needs is the ability to translate from the technical to the executive," says Daniel. "The board should be able to ask the questions it has and management should be able to answer them in terms that the board members can understand. That's not always happening."

To pay or not

One of the most debated aspects of cyberattacks is whether a company should pay ransom or not. Roughly 62% of the CFOs responding to the CNBC Global CFO Council survey, for instance, said that Colonial Pipeline had "no choice but to pay the ransom" after DarkSide cybercriminals hacked its IT network, crippling fuel deliveries up and down the East Coast in early May.

But while the board has a fiduciary responsibility to protect the value of a company, Lewis says he doesn't believe that CEOs should be asking directors for sign off on a ransom payment if that's the decision that is reached.

"The C-suite does not need to be asking the board's permission, but they do need to inform them that this is taking place," he says. "The last thing you want is for your board to wake up the next day and read about it in the business press."