Singapore board directors to get cyber crisis training

Board directors are being thrown into the hot seat in a new cyber crisis simulation programme designed to sharpen their response to the escalating threat of data breaches and ransomware demands.

The initiative, launched today by the Singapore Institute of Directors (SID) and Ensign InfoSecurity, aims to train 1,000 board members by 2028 through a series of 90-minute workshops that use real-world scenarios to move beyond technical jargon and focus on the strategic, high-pressure decisions directors must make during a corporate crisis.

“It’s the boardroom’s flight simulator for preparing leaders before a real attack strikes,” said Lim Minhan, executive vice-president of consulting at Ensign InfoSecurity, a Singapore-based cyber security firm. “Cyber security is no longer just a technical problem; it’s a whole-of-organisation response. These workshops give directors a safe, realistic way to experience the pressure of an actual incident and sharpen their response.”

The programme launch comes as cyber attacks have become more sophisticated, with threat actors increasingly targeting high-value assets and using double-extortion tactics. Lim highlighted the rising threat from nation-state actors in the region, whose objectives often include espionage and “pre-positioning” for future disruptive activities.

During the first run of the programme today, participants were put in the shoes of the board of a fictional company hit by a ransomware attack. The simulation detailed how attackers gained access on a Friday night through a compromised virtual private network (VPN) account – whose credentials were likely already available on the dark web – and targeted the company’s hypervisor that hosts critical applications.

The board was then faced with a series of escalating dilemmas: a $1.5m ransom demand in Bitcoin with a 72-hour deadline, the discovery that backups were also encrypted and useless, and the exfiltration of 70 gigabytes of sensitive data.

Through an interactive poll, attendees were forced to make difficult choices, such as whether to engage with the attackers, how to prioritise communication with regulators and customers, and whether to risk financial ruin by refusing to pay the ransom. “Every decision involves trade-offs, and there is never a perfect one,” Lim said.

Terence Quek, CEO of SID, noted that organisations will need to understand the distinct roles of the board and management team during a cyber crisis.

“As a board director, please stay out of the way of the management; let them manage the crisis,” said Quek. “But as a board, you need to start thinking about the long-term impact on reputational risk, financial risk and operational risk. The key question is, what is your role and responsibility?”

The programme addresses the reality that board directors cannot afford to be unprepared. “The adage is no longer a question of if, but a question of when,” said Quek, adding that digital competency, including cyber resilience, is a core part of SID’s competency framework for directors.

Quek noted while cyber resilience may not have been a top board priority five years ago, today it is non-negotiable. “As a director, you can’t afford not to know,” he said.

As part of the broader partnership, Ensign InfoSecurity will also offer its incident response services on a complimentary basis to SID’s corporate members, providing 24/7 access to certified specialists to help contain a breach upon activation.