We’ve been talking about how your Board and shareholders have a vested interest in understanding and overseeing how your company will defend itself against the effects of cybercrime. Here are two more areas where you will need to have plans and your board should be focussed on how they will be handled
Data Loss
Unless their goal is pure mischief, most cyber thieves are seeking data that can be monetized in some fashion. Customer data is a rich trove of data, providing thieves with the information to steal identities or hack bank accounts and credit cards. Only, they don’t just want your customers' data. Your business has its own proprietary and financial information. You have company credit cards and bank accounts.
Legal
Should you suffer a significant loss of customer data, you may be subject to legal regulations. At the very least, you are likely required to notify the victims and the state or legal entity that regulates data loss in your jurisdiction or industry sector. For example, HIPAA has reporting requirements. Beyond reporting requirements, there may be financial penalties that can be imposed for significant data loss, especially if it could have been avoided via more strict internal controls. Again, HIPAA is an excellent example. California now has data regulations and the European Union imposes severe penalties for data loss that impacts any resident of the EU, even if the violator is not located within its geographic boundaries.
Your entire c-suite should be focussed on these issues and working with the Board to get the support and investment to protect the organization.