Five questions every board should ask after Sony Pictures breach

What can the board do to avoid having to answer embarrassing questions at the next shareholder meeting?

The past 18 months have seen several of the worst ever breaches, but none as damaging as the one at Sony Pictures. As a board member, have you considered how well your company would have coped if targeted in a similar way?

Most large enterprises already know much of what they need to put in place to protect themselves – they just have not done it all, for any number of reasons.

But what can the board do to avoid having to answer embarrassing questions at the next shareholder meeting? Here are the top five sets of questions to get your board started.

1. Do we have a workable and tested incident response plan (IRP)?

  • Assuming there is a plan, have board members participated in any testing or walk-throughs? Each successive walk-through should be quicker, but does the board know the response times the response team is aiming for, and does it have the resources to meet those times?
  • Is the board satisfied that the applicable legislation, regulations and legal options available have been incorporated into the plan to ensure the business can respond appropriately and is able to minimise any damaging media reporting?
  • Is the board satisfied that there are a range of pre-planned communication responses for different types of incidents and severity for employee, shareholders, regulators/law enforcement, customers, partners and suppliers?
  • The board should promote two or more tests each year, with at least one based on a non-trivial scenario, playing out different scenarios each time.
  • Since success depends on skilled and experienced staff who know how to deal with on-the-spot critical decisions, do these people exist in-house, or is there a need to buy in additional capabilities to report to existing people who know the business?

2. What actions should we have taken resulting from our most recent security review or audit in the past year?

  • Check and confirm that the board has authorised the high-priority actions and has documented explanations for the remaining actions.
  • Are the timeframes for completion of high-priority actions appropriate?
  • If investigators, insurers, investors or the press were to ask questions around why certain actions were not taken earlier, is the board satisfied that it could provide a good response?

3. What cyber insurance cover does the business have?

  • Is the board aware whether the risk and response teams have agreed on an appropriate option for how future incidents should be handled:
    - does the business want the insurer to own the incident and manage it until it is resolved;
    - does the business want the insurer to provide it with a list of selected providers who will manage the incident for the business;
    - does the business have its own list of service providers it would prefer for the insurer to pay for, to resolve the incident as the business decides.
  • Does the board know whether the shortlist of policies from insurers was based on the above criteria for an accurate comparison?
  • Is the board satisfied that the business has all the necessary cover across the various types of policies that cover the different aspects of cyber? Often, non-cyber policies can cover various overlapping aspects of cyber, although it is best to consider a specific cyber policy.

4. What confidence do we have that our suppliers are secure?

  • Does the company have a third-party assurance programme, which includes the management of:
    - an incident response plan detailing when and how your company will be informed about a breach, within a suitable timescale;
    - contractual terms mandating the appropriate level of cyber insurance policy cover, should anything go wrong.
  • If the board is unsatisfied with the company’s assurance programme, it may be useful to consider using the UK government’s Cyber Essentials Certification Programme. If your assurance programme is complex, inadequate or just not working, this option is definitely worth considering for your suppliers.

5. Do we have the right guidance for our staff for the data we hold?

  • Does the company have effective data governance policies, procedures and guidance, with appropriate user awareness training? Good data governance will help your business understand the data it holds, your data held by third parties, your data held by third parties of third parties, and the data you hold belonging to your customers’ customers. These two extreme cases, data two steps removed in either direction, should not arise in most businesses, but inevitably do, and therefore should be considered in your data governance policy and incident response plans.
  • Guidance should include who will own the data when things go wrong, who will own the risk in those circumstances, and finally what procedures staff are expected to follow should there be a breach of that data in any of the businesses holding it.
