Yahoo and ‘the failure to comprehend’

Yahoo Inc. recently told the SEC that its senior executives failed to "properly comprehend or investigate" the 2013 and 2014 security breaches that affected more than 500 million accounts, according to a review by an independent board committee.

The review found fault at several levels of the organization. There were problems with internal reporting, management, communication around the breach, the company said.

The fallout from these breaches has been severe. In addition to several class action lawsuits, the breaches also put Verizon's $4.83 billion pending acquisition of Yahoo! in jeopardy. Now, in addition to all of these problems, the findings of the board committee were accompanied by financial fallout for the company's CEO, Marissa Mayer. The board decided not to award Mayer her 2016 cash bonus and Mayer offered to forgo her equity award in 2017 and the board accepted.

When it comes to cybersecurity, the onus is on boards and C-suite executives to establish clear business processes and accountability and as well as clear lines of communication. If that wasn't clear before, it should be crystal clear now.

It's tempting to sit back and point fingers at Yahoo! but the reality is that this breach is hardly an isolated incident. One of the biggest challenges facing the C-suite and boards is the failure to comprehend the universality of cyber security threats and the negative impact of a major cyber security breach. This failure to comprehend the scope of the problem means the necessary reporting and processes needed to effectively manage this risk are neglected and de-prioritized.   

Harvard Business Review published a new study  that sheds light on exactly how serious this problem is. The study evaluated responses from over 5,000 board members from over 60 countries and while cyber security ranked as one of the top political issues and directors see it as an urgent global issue, most failed to make the connection between the immediacy of these risks and the processes in place to manage them. 

In fact, when asked about reviews of data breach contingency plans directors gave their boards extremely low marks. Even worse, of the 23 business processes directors were asked to rank the ones related to cyber security ranked dead last.

These failures to comprehend and effectively manage cyber security issues at the board level are a serious problem. An IBM study found that the average cost of a data breach is $4 million. A recent Cisco study  found that 50 percent of companies faces public scrutiny after a breach, 22 percent of them lost customers, and 23 percent lost business opportunities.

Cyber security can be a complex and challenging topic for non-technical executives but there are many concrete things boards can do to prioritize these issues. Here's a list of five things every board should do today:

• Make cyber security briefings a regular agenda item at board meetings.
• Bring in an expert; if there isn't a cyber security expert on the board bring one in or hire an external expert.
• Make sure these risks are evaluated as business risks; resist the temptation to consign them to the audit committee.
• Hold executive management accountable for evaluating cyber security risks maintaining response plans.
• Build cyber security into the organization’s long-term business strategy and review it whenever new business initiatives and product or service are evaluated.

None of these recommendations is surprising — there is a lot of information available to boards that want practical advice on how to address cyber security issues. The real cyber security questions for most organizations are connected with leadership and prioritization. I've been sitting on boards (and executive teams) advocating for over 17 years and I've found that the answer to these question determine how effectively an organizations adapts to the evolution of cyber security threats.