Le dilemme d’un administrateur indépendant dans un cas de vol de données


Voici un cas publié sur le site de Julie McLelland qui aborde une situation où Trevor, un administrateur indépendant, croyait que le grand succès de l’entreprise était le reflet d’une solide gouvernance.

Trevor préside le comité d’audit et il se soucie de mettre en place de saines pratiques de gouvernance. Cependant, cette société cotée en bourse avait des failles en matière de gestion des risques numériques et de cybersécurité.

De plus, le seul administrateur indépendant n’a pas été informé qu’un vol de données très sensibles avait été fait et que des demandes de rançons avaient été effectuées.

L’organisation a d’abord nié que les informations subtilisées provenaient de leurs systèmes, avant d’admettre que les données avaient été fichées un an auparavant ! Les résultats furent dramatiques…

Trevor se demande comment il peut aider l’organisation à affronter la tempête !

Le cas a d’abord été traduit en français en utilisant Google Chrome, puis, je l’ai édité et adapté. On y présente la situation de manière sommaire puis trois experts se prononcent sur le cas.

Bonne lecture ! Vos commentaires sont toujours les bienvenus.

Le dilemme d’un administrateur indépendant dans un cas de vol de données

 

 

 

 

 

 

 

 

 

Trevor est administrateur d’une société cotée qui a été un «chouchou du marché». La société fournit des évaluations de crédit et une vérification des données. Les fondateurs ont tous deux une solide expérience dans le secteur et un solide réseau de contacts et à une liste de clients qui comprenait des gouvernements et des institutions financières.

Après l’entrée en bourse, il y a deux ans, la société a atteint ou dépassé les prévisions et Trevor est fier d’être le seul administrateur indépendant siégeant au conseil d’administration aux côtés des deux fondateurs et du PDG. Il préside le comité d’audit et, officieusement, il a été l’initiateur des processus de gouvernance et de sa documentation.

Les fondateurs sont restés très actifs dans l’entreprise et Trevor s’est parfois inquiété du fait que certaines décisions stratégiques n’avaient pas été portées à son attention avant la réunion du conseil d’administration. Comme l’expérience de Trevor est l’audit et l’assurance, il suppose qu’il n’aurait pas ajouté de valeur au-delà de la garantie d’un processus sain et de la tenue de registres.

Il y a trois semaines, tout a changé. Une grande partie des données de l’entreprise ont été subtilisées et transférées sur le « dark web ». Ce vol comprenait les données financières des personnes qui avaient été évaluées ainsi que des données d’identification tels que les numéros de dossier fiscal et les adresses résidentielles. Pire, la société a d’abord affirmé que les informations ne provenaient pas de leurs systèmes, puis a admis avoir reçu des demandes de rançon indiquant que les données avaient été fichées jusqu’à un an avant cette catastrophe.

Plusieurs clients ont fermé leur compte, les actionnaires sont consternés, le cours de l’action est en chute libre et la presse réclame plus d’informations.

Comment Trevor devrait-il aider l’entreprise à surmonter cette tempête ?

Pour prendre connaissance de ce cas, rendez-vous sur www.mclellan.com.au/newsletter.html et cliquez sur « lire le dernier numéro ».

Adam’s Answer

 

This is a critical time for Trevor legally and reputationally, it is also a time when being an independent director carries additional responsibility to the company, the shareholders, the staff and the customers.

All Directors and Executives can only have one response to a blackmail attempt.  That is to immediately report it to the police and not respond to the ransomware demands.  Secondly the company should have had a crisis management plan in place ready for such an eventuality.  In this day and age, no company should operate without a cybercrime contingency plan.

In this case it is unclear, but it appears that the authorities were not informed and that Trevor’s company was unprepared for a data breach or ransomware demands.

There are 2 scenarios open to Trevor:

1) If Trevor was not informed straight away of the ransom demands and the CEO and founding Executive Directors knew but did not brief him on the ransom issue and the company’s response, then his independent status has been compromised and he should resign.

2) If Trevor was informed and the whole Board was involved in the response, then Trevor must remain and help the company ride out the storm.   This will involve working with the police, the ASX and crisis management guidance from external suppliers – technical and PR. 

The rule to follow is full transparency and speedy action. 

Trevor should refer to the recent ransomware attack on Toll Logistics and their response which was exemplary.

Adam Salzer OAM is the Chair and Global Designer for Whitewater Transformations. His other board experience includes Australian Transformation and Turnaround Association (AusTTA), Asian Transformation and Turnaround Association (ATTA), Australian Deafness Council, Bell Shakespeare Company, and NSW Deaf Society. He is based in Sydney, Australia.

Julie’s Answer

 

This is a listed company; Trevor must ensure appropriate disclosure. A trading halt may give the company time to investigate, and respond to, the events and then give the market time to disseminate the information. His customer liaison at the stock exchange should assist with implementing a halt and issuing a brief statement saying what has happened and that the company will issue more information when it becomes available.

This will be a costly and distracting exercise that could derail the company from its current successful track.

Three of the four board members are executives. That doesn’t mean the fourth can rely on their efforts. Trevor must add value by asking intelligent questions that people involved in the operations will possibly not think to ask. This board must work as a team rather than a group of individuals who each contribute their own expertise and then come together to document decisions that were not made rigorously or jointly.

Trevor has now learnt that there is more to good governance than just having meetings and documenting processes. He needs to get involved and truly understand the business. If his fellow directors do not welcome this, he needs to consider whether they are taking him seriously or just using him as window-dressing. He should ensure that the whole board is never again left out of the information flow when something important happens (or even when it perhaps might happen).

He should also take the lead on procuring legal advice (they are going to need it), liaising with the regulators, and establishing crisis communications. Engaging a specialist communications firm may help.

Julie Garland McLellan is a non-executive director and board consultant based in Sydney, Australia.

Jinan’s Answer

 

I recommend three separate parallel streams of work for Trevor. 

1. Immediate public facing actions
Immediately apologize and state your commitment to your customers.  Hire a PR firm and have the most public facing person issue an apology. The person selected to issue the apology has to be selected carefully (cannot be the person responsible for leak, and has potential to become the new trusted CEO)

2. Tactical internal actions
Assess the damage and contain the incident.  Engage an incident response firm to assess how the breach happened, when it happened, what was stolen. Confirm that leak doors are closed. Select your IR firm carefully – the better reputed they are, the better you will look in litigation.
Conduct an immediate audit and investigation. You need to understand who knew, when and why this was buried for a year.
Take disciplinary action against anyone who was part of the breach. Post audit, either allow them to keep their equity or buy them out.

3. Strategic actions
Review and update your cybersecurity incident response process.  This includes your ransomware processes (e.g. will you pay, how you pay, etc.), and how you communicate incidents. 
Build cybersecurity awareness, behavior and culture up, down and across your company.  Ensure that everyone from the board down are educated, enabled and enthusiastic about their own and your company’s cyber-safety. This is a journey not a one-off miracle.
Extend cybersecurity engagement to your customers. Be proactive not only on the status of this incident, but also on how you are keeping their data safe.  Go a step further and offer them help in their own cyber-safety.
Create a forward thinking, business and risk-aligned cybersecurity strategy. Understand your current people, process and technology gaps which led to this decision and how you’ll fix them.
Elevate the role of cybersecurity leadership.  You will need a chief information security officer who is empowered to execute the strategy, and has a regular and independent seat at the board table. 

Jinan Budge is Principal Analyst Serving Security and Risk Professionals at Forrester and a former Director Cyber Security, Strategy and Governance at Transport for NSW. She is based in Sydney, New South Wales, Australia.