Regardless of what business your family is in, cyber security is the new existential threat to address. Many of the crimes in cyberspace are based on risks that all businesses face, such as corporate account takeover, identity theft, stolen data and intellectual property. Family businesses are perceived to have a greater risk than public companies since they typically have fewer resources for defensive measures.
Cyber risks include both data security and access to your systems. Most intruders are motivated to steal your data, since that has value on the black market. But disgruntled employees and other bad actors may be motivated to damage your reputation. The risks may be latent; it is not unheard of for attackers to plant malicious code that lives undetected in your systems for months.
Pragmatically, it is a matter of when, not if, you will have a problem. If you have already been hacked, you need to assume you will be hacked again. Cyber security is the topic that asks directors, “What are you doing to protect shareholders from unseen criminals?” The board can no longer delegate this responsibility to an officer and ignore it. Family businesses need to exercise the same types of judgment as large, non-family companies.
Make a decision – there are only four choices
To simplify this complicated subject, there are only four decisions to make when it comes to digital risks: Accept, Avoid, Mitigate or Transfer. Like all other risk/reward trade-offs, you need to understand each option before making a decision. Here is a quick summary of your options:
Accept: Some risks are worth accepting if their frequency and severity are below a tolerable threshold of loss. These risks are similar to insurance deductibles. For the risks you accept, you need to build them into your operating plans. Who is going to deal with them when they occur?
Avoid: If certain risks are unacceptable, then your business plans need to be adjusted to keep them out of bounds. A good analogy is when businesses avoid certain markets due to political risk.
Mitigate: Most of the work in cyber security is in minimizing risks that cannot be accepted or avoided. Responsible boards create comprehensive plans to provide funding, talent, training and crisis management. This is not a task to delegate to IT; it is a board responsibility. In some jurisdictions, the regulators are setting requirements for board action, along with penalties for non-compliance.
Transfer: You can purchase cyber insurance to transfer certain risks to third parties. These products are new, and the underwriting data is limited, so pricing has not yet stabilized. If you recently transitioned your infrastructure to the cloud, be aware that underwriting cloud infrastructure may be different from underwriting on-premises systems.
As owners and directors of a family business, you need to consider how these four options, together, enable you to protect your business and your family’s reputation.
What directors can do about cybersecurity
Directors are responsible for protecting the shareholders’ tangible and intangible assets, regardless of the form of the threat. Directors need to initiate protective actions and provide ongoing oversight for cyber security. These efforts should start by committing to a methodical course of action. The path forward starts with:
Accept the situation – In today’s interconnected world, providing cyber security is just another cost of doing business.
Get educated – As a director, you need to learn enough about cyber security to understand and prioritize the issues and risks.
Put the issues into context – How do the risks and costs of cyber security compare to the other risks you need to manage?
Assess your vulnerabilities – How and where can you be hurt? What might someone want to steal from you and why?
Understand the total costs of an attack – Remediation and crisis management costs may greatly exceed the actual or insurable loss.
Decide to accept, avoid, mitigate or transfer risks – A primary duty of directors is to evaluate and manage enterprise-level risk. This is a prime example.
Get help when needed – You will need to decide what expertise you want to maintain internally, versus what expertise should be outsourced.
Test your readiness – Just like an emergency evacuation plan or a backup system, you need to test it to make sure it works, before you need it to work.
Make cyber security a regular board agenda item – By keeping cyber security top of mind in the boardroom, you are more likely to exercise the proper duty of care to protect your shareholders.
Directors do not need to be experts in cyber security, but they need to actively manage the risks. Creating a comprehensive plan, directing management to enforce the plan, and holding management accountable are the board’s responsibility.
Directors are responsible for creating and protecting shareholder value, including protecting it against the threat of major losses. As with similar threats in the past, there is a logical methodology for managing this new risk. It is an added layer of expense and a distraction from your business focus, but it is part of the cost of being in business today. Developing and managing a comprehensive solution is why shareholders elect directors – to protect their vital interests.
Bruce Werner is the managing director of Kona Advisors LLC, which gives strategic advice to family-owned enterprises. He is also a third-generation member of a family business.