Interesting to see the real-life consequences of a cyberattack. More than two months after a cyber-attack in Europe, some of FedEx processes still have to be handled manually and the annual earnings could be 4% to 7% lower because of this incident.  Fedex said it didn’t have insurance in place that would cover the cyberattack. They were infected by the Wannacry ransomware, and the virus entered through a tax software used in the Ukraine. This demonstrates that board of directors of smaller companies also should be concerned with Cybersecurity, since their infrastructures can be used to penetrate a large partner.

https://www.bloomberg.com/news/articles/2017-07-17/fedex-says-tnt-systems-may-never-fully-recover-from-cyberattack

I was trying to identify a few sources of relevant information to keep up to date with the rapid pace of evolution of cyber-risks, and found this list of experts. Most of the people proposed take a technical approach to cyber-risks as opposed to a governance approach. But if you take the time to read some of what they publish, you can identify a few that are a source of information adapted to your needs and that can help you stay current on cyber-threats and what is being discussed across industries. Important to support your oversight responsibilities. Do you have other sources to propose, maybe some Canadian ones?

https://www.safervpn.com/blog/top-cyber-security-influencers/

As I was researching information on board expertise level for cyber-security, I found this report dating from 2016, but still so relevant. It shows that 40% of all directors surveyed admit they did not feel responsible for the repercussions of a cyberattack, reflecting a lack of cyber-risks understanding by directors. Moreover, independent director cybersecurity literacy lagged that of other groups of executives, which is not reassuring. Boards in general and independent directors in particular have work to do to meet their cyber-security oversight mandate. How do you feel about the cyber-literacy of your board?

https://corpgov.law.harvard.edu/2016/05/01/grading-global-boards-of-directors-on-cybersecurity/

Published June 2nd 2017 - Even with the increasing exposure cyberthreats are receiving in the media, most boards of directors are not ready to deal with cyber-risks. This HBR article highlights survey results showing that only 38% of directors have a high level of concern with cyber-risks, yet the average cost of a data breach is $4 million. Two reasons discussed for this disconnect are the lack of effective processes for cyber-risk oversight and the lack of expertise. Do you agree?

https://hbr.org/2017/02/why-boards-arent-dealing-with-cyberthreats

I just attended a Cybersecurity talk and wanted to share a few interesting insights for corporate directors.

Beware of the four basic types of people performing cyber-attack as each has different motivations influencing his mode of operation: Criminal looking for money, Spy looking for secrets, Hacktivist looking to make a statement and Internal looking to disrupt.

One way to check if your accounts have been breached in a major hack is to visit regularly the website www.haveibeenpwned.com to enter your email address.

According to CSO on-line, the threats to watch in 2017 are ransomware targeting more devices including mobile, manipulating IoT devices to wreak havoc, malware laden mobile phones, and politically motivated hacking that is on the rise and will now target a wide variety of businesses.

http://www.csoonline.com/article/3156893/data-breach/watch-these-top-4-cybersecurity-trends-in-2017.html

Thank you @BobZukis for sharing this interesting article that leverages interest in Trump tweets to remind boards of the increased security risks if social medias are not managed properly. Boards should make certain companies have and follow a social media process policy that includes quality control. A few relevant advices: Ensure all mission critical directives to employees or third-parties are properly authenticated; Make certain high visibility executives are engaging in cybersecurity conversations with family members ; Avoid file transfer via external devices such as USB drives given to you by third parties, at conferences for example. But most importantly, verify that when using social medias, your executives, including board members, are putting the company reputation first. Also, that they are adhering to policies and procedures, have had situational awareness training and remember it when opening emails or clicking on links when abroad.

http://www.csoonline.com/article/3164840/social-networking/what-company-execs-can-learn-from-trumps-tweets.html

I just attended a refresher training on board minutes and wanted to share a few of the take-away I found most relevant.

1. The minute should have enough details to reflect the level of analysis, discussion and thoughts that lead to a decision. In that spirit, noting the start and end time of meetings can help demonstrate enough time was allocated to make insightful decisions.

2. It is good practice to keep a table of minutes’ follow-up items, including what, who and when. It is however recommended to not include this table in the board minutes. This table is a working tool and having it inside the minutes makes it admissible for litigation purposes.

3. If you circulate a resolution via email for signature in lieu of a meeting, all directors have to sign, as opposed to only the directors present at a meeting. It is acceptable to keep a photo or scan of the signature page as proof of signature.

An important read for directors that want to understand the current legal landscape on board cybersecurity oversight, to evaluate how current their cybersecurity approach is and how exposed they are personally. Boards have to be able to defend that they meet reasonable standards in security. And just being compliant is not enough, cybersecurity policies must meet the industry norm. This is even more important for boards of unregulated industries, for example mobile services and apps, and of small and medium companies that feel wrongly they could not be the target of cyberattacks.

http://www.csoonline.com/article/3147628/leadership-management/why-security-leaders-need-to-embrace-the-concept-of-reasonable-security-now.html

I am honored to announce that I have been nominated to the board of Canada Health Infoway. I will serve as an observer until July 2017. I am very much in agreement with Infoway mandate to accelerate the development, adoption and effective use of digital health solutions across Canada. My career in digital health solution in Canada and the US enables me to understand first hand the importance of digital solution to transform healthcare and keep it affordable for all Canadian. I am glad to be able to actively contribute to the advancement of digital healthcare solutions and to leverage my technology and governance background in this role.

I just participated in a Gartner Webinar: Top Predictions 2017 and Beyond; Surviving the Storm Winds of Digital Disruption. These events help keep me abreast of technology that impact my governance role. Of interest, for consumer facing businesses, was the gradual adoption of virtual reality in the shopping experience and of voice interface to browse the web without screens. For other business, its is worth noting that more and more algorithms will influence the tasks of global workers thus reducing cost of operations and that business should achieve 10% maintenance-cost reduction with the adoption of specific IoT devices. Board of directors must keep a watchful eye, digital disruption is everywhere, after all driverless cars were not invented by car producing companies…

http://www.gartner.com/newsroom/id/3482117

I will have the opportunity to attend the Canada Health Infoway partnership conference in Toronto on November 17th. I look forward to learning more about digital health in Canada, more specifically medication management, interoperability and consumer health solutions. Come meet me there…

https://www.infoway-inforoute.ca/en/what-we-do/partnership-conference?gclid=CjwKEAiAjIbBBRCitNvJ1o257WESJADpoUt0Um3q3h-fmpyUaYsP-tx6dSVZXwgKyvdbEdws8SQ3rhoC2inw_wcB

An informed blog on the current situation with cybersecurity but more interestingly proposing solutions from trusted source (DoD) for businesses that are overwhelmed by the pace of intrusions: Simplify networks, Build your cyber support community but, most importantly, Be ready for cyber incidents and practice practice practice. Do we have more work to do? Absolutely. This is an area where every time you get better, so does the threat

http://www.govtech.com/blogs/lohrmann-on-cybersecurity/your-security-team-is-outgunned-wheres-the-help.html

A look at some statistics that show many boards do not have enough members with professional technology experience and are putting businesses at risk

https://www.linkedin.com/pulse/do-you-have-enough-technology-expertise-your-board-directors-morin?published=t

An interesting overview of why corporate risk managers are being pushed to adopt a better cyber-risk posture and what role cyber-insurance can accurately play in mitigating cyber-risk. The key questions enterprises struggle with are of particular interest to board members as a basis of discussion with management: (a) What is at risk for our enterprise — is it business continuity? Will we experience denial of service or intellectual property theft? Do we hold consumer /financial /patient data?; (b) What is the probability of an event occurring?; and (c) What are the estimated damages?

http://techcrunch.com/2016/05/23/can-startups-disrupt-the-20-billion-cyber-insurance-market/

A good summary of how board should be discussing technology. Instead of seeing technology as a functional tool, the highest performing boards see technology as a strategic lever, on the same level as people, brand and capital. The board must ensure it has enough technology savviness to foster an understanding of what the technology can do for the business and where it fits in the overall strategy

https://www.linkedin.com/pulse/10-most-powerful-technology-questions-any-board-russell-yardley-faicd