One of the ways I try to make a difference in the world of business is by serving on boards of directors, both fiduciary and advisory, for privately owned companies and nonprofits. A year or so ago I raised the issue of cybersecurity for one of our larger clients, a large operator of franchised fast food restaurants for whom I have served for several years as a member of their Advisory Board. The executive in charge of IT resisted bringing the discussion to the Board because, as they maintained, the data they managed was controlled by their franchisor, who had responsibility for keeping it safe. After some coaxing the issue made it to a quarterly meeting agenda, and was then disposed of after a brief discussion, based on the premise that it was the franchisor’s job and they had no risk they needed to manage.
This week, about a year later and one day before this quarter’s scheduled meeting, the President announced in a short email that they had to cancel the meeting because they had been dealing with a cybersecurity incident. After a week of working the problem they still don’t have access to all their files, and thus were unable to prepare for or participate in the scheduled board meeting. We even got an email from their attackers – likely the same message our client received – outlining the steps to take to make the payment necessary to get access to their files, with lots of warnings if they don’t act in accordance with those steps. Serious language with a very serious intent – to be paid a lot of money.
Admittedly, since we are only an advisory board, the company’s management has no obligation to follow our advice or even hold meetings. We only offer advice; we don’t issue orders. A fiduciary board might have reacted differently a year ago and almost certainly this week, so management has been working within their authority. But you have to ask yourself: Why was it so easy to dismiss the risk management issue a year ago, when the systems in place apparently didn’t have the safety that management thought they did? Perhaps an assessment by an outside expert – an option that was offered but not taken a year ago – might have shed fresh light on the nature and magnitude of the risk.
Because only when you understand what your company’s risks are can you formulate an effective defense against them. That’s why we have advisors, consultants, and outside experts. How do we know that?
We are Your CFO for Rent.