Over the last year, a fast-evolving cybercrime landscape and other unforeseen business disruptions, such as the power loss at Heathrow Airport and major outages of cloud services, have highlighted vulnerabilities and pushed response and recovery strategies up the agenda.
The government is keen for boards to take increasing responsibility. Last October, Chancellor Rachel Reeves and senior ministers wrote to CEOs and boards of FTSE 350 companies urging them to make cyber risk a board-level priority and part of strategic decision making.
In response to this, the ICAEW has developed a new course, 'Leading boards through disruption', which launches in April. The virtual course is aimed at board members, CFOs, and other leaders who want to develop the skills to lead confidently through a crisis.
It will look at a range of scenarios, with a particular focus on cybercrime, and give a general grounding on the role of the board in crisis management, as distinct from that of the executive, as well as providing resources and signposting.
The ICAEW course is led by Louis Cooper, a governance, risk and assurance specialist with more than 30 years’ experience, and is a collaboration with Beyond Blue, a consultancy that helps organisations build resilience in the face of a complex digital future.
David Ferbrache OBE, Managing Director of Beyond Blue, has decades of experience in cyber security and operational resilience, having held senior roles in the UK Ministry of Defence, as KPMG’s Global Head of Cyber Futures, and as chair of the Scottish National Cyber Resilience Advisory Board.
Threats and attack methods are changing, most recently with the advent of deepfakes and cyberattacks supported by AI, and staying on top of the threat landscape is increasingly difficult, according to Ferbrache.
“Cyber criminals are ruthless and rational,” he says. “They’re very adaptive, are constantly looking for new ways to attack, and are hard-nosed businesses interested in making money so they’re looking for extortion and blackmail opportunities.
“There’s also an overlay of geopolitics that boards need to understand as much of what we’re dealing with is transnational or state sponsored.”
The service sector is being targeted
Professional services is one of the most frequently targeted sectors, adds Ferbrache. This is not only because of the nature of its data, but because clients often have some degree of system access and a high level of trust in communications appearing to come from firms.
Cyberattacks bring a fresh set of challenges that boards often haven’t encountered before and are quite unlike those caused by short-term disruptions, such as a fire, flood or the loss of some data.
Ferbrache says: “It feels very different when you have a malicious attacker inside your system for an unknown period of time doing unknown things, and you’re now having to engage with an organised crime group that has access to some of your key data.”
In such scenarios, boards need to make some difficult decisions, often under extreme time pressure, and will potentially be faced with many months of rebuilding. Ferbrache outlines four steps that boards can take to create a resilient organisation.
Four steps
1. Switch to a resilience mindset
Ultimately, what’s required is a shift in mindset from risk to resilience, says Ferbrache. A conventional risk management approach often assumes that existing preventative measures make severe disruptions very unlikely.
“With resilience, the discussion starts in a different place: this event might happen and if it does, what are the resilience measures that would help us deal with the impact?” he explains.
“It’s getting us to think about the very disruptive and potentially catastrophic events that might really stress the organisation, even if there’s a low probability of them taking place.”
Boards need to ask: how will the organisation absorb that shock and stress, and what can be done to limit the impact on the financial solvency of key customers and stakeholders?
“It’s a slightly different mindset as it very quickly gets you into thinking about how you recover and rebuild in a way that classic risk management doesn’t,” says Ferbrache.
2. Ask the right questions
Given that not all board members will have a high level of technical knowledge and expertise, he adds: “One of the biggest challenges faced by boards is knowing the right sort of questions to ask of the executive about preparedness.”
These include:
- Have risks been identified properly?
- Does the organisation have access to the right specialist advice, back-ups and data to keep important business services running?
3. Be aware of supply chain impacts
Boards also need to consider the likely consequences for their supply chain, something highlighted by the widespread disruption caused by the attack on Jaguar Land Rover.
4. Create a communication plan
Another issue for boards dealing with a crisis is that it can very quickly spill over into the media. “Now that the whole world is on social media, public discourse is very different,” says Ferbrache.
“Suddenly, the board gets dragged into having to support the executive while it makes some very hard choices about recovery priorities.”
In this situation questions arise, such as:
- How do we communicate this externally?
- What’s the corporate messaging around this?
- How do we maintain the confidence of the shareholders and investors?
Creating a communication plan helps to ensure that these questions are being addressed clearly during a crisis.
Resilience training
New for 2026, 'Leading boards through disruption' is a virtual course for board members to strengthen resilience and enhance cyber oversight.