
Cybersecurity Imperatives for Boards: Crisis Simulation and AI Threat Intelligence

NACD Northern California
Contact Us
Lisa Spivey,
Executive Director
Kate Azima,
Director of Partnerships & Marketing
programs@northerncalifornia.nacdonline.org
About The Event
NACD Northern California had the pleasure of hosting a critical session on cybersecurity and AI at Foley & Lardner LLP's Palo Alto office.
We were grateful to have Judy Chock, Greg Park, and Mike Hinton from the FBI, alongside Scott Alford and Donald E. Hester from CISA, providing important insights on how to work with their agencies and what board directors need to know as cyberattacks grow more sophisticated and more common.
Joseph Talmadge from Heffernan Insurance Brokers shared his thoughts on the evolution of cyber insurance, followed by a panel discussion on AI as the New Frontier in Cyber Warfare featuring leading voices in cybersecurity and AI, including Michael Adams, Katie Gray, Patrick Huston, Rob Sloan, Jennifer Urban, and moderator Louis Lehot.
KEY TAKEAWAYS
Learnings from CISA and FBI
- The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI offer critical intelligence and guidance to help businesses prepare for and respond to cyberattacks. Reporting threats helps build their intelligence database and can lead to valuable resources during an incident. Even small ransomware issues might be part of a larger crime ring or have national security implications, so reporting them is essential.
- Seventy-five percent of cyber intrusions result from inadvertent access due to human error. Boards must prioritize employee training, implement zero-trust policies, and align third-party cybersecurity protocols with their business’s risk tolerance.
- If involved in a cyber incident, never engage directly with attackers. The FBI can offer negotiators, or companies can employ a third-party negotiator.
- Cybersecurity tabletop exercises are essential for boards to practice responding to different scenarios. The board’s role is primarily to observe, review the outputs, and pressure-test the company’s incident response plan. It’s crucial to agree in advance on risk tolerance, materiality assessment, and action steps.
Key Boardroom Questions:
- Have we conducted a recent cybersecurity tabletop exercise? What lessons were learned, and what are the next steps?
- Who within the company has the authority to pay a ransom, and under what circumstances? Have we established clear thresholds and delegation processes?
- Are we connected to CISA and the FBI, and who manages these relationships?
- What is our incident response plan, and how does it integrate with our cyber insurance and legal counsel?
- Do we know how to report to the Internet Crime Complaint Center (IC3.gov) and what triggers involvement from the US Securities and Exchange Commission?
Cyber Insurance
- Cyber insurance is becoming more complex as cyber threats evolve. Insist on dedicated cyber-related claims and incident response experts, and ensure you fully understand policy limitations and pre-approve advisors.
- Policies are increasingly interrelated, and victims may now claim emotional harm if their information is stolen. Artificial intelligence (AI)–related breaches may fall under different policies, and multiple deductibles could apply if various types of insurance are involved.
- Use the cybersecurity assessments, threat intelligence, and risk management tools that often come with insurance policies—they are frequently underused.
Key Boardroom Questions:
- Which incidents are not covered by our policy? Are there any gray areas?
- Who is on our insurance claims team, and does the team include cyber, legal, and response experts?
- Have we mapped our full risk portfolio—cybersecurity, directors and officers, crime, general liability—to identify overlaps and exclusions?
AI-Driven Cyber Threats & Corporate Defense
- AI accelerates threats such as deepfakes, phishing, and voice cloning, and bad actors use it for reconnaissance. It also strengthens defenses through automated alerting, anomaly detection, and encryption, but realizing those benefits requires significant investment in talent and resources.
- Cybersecurity is a strategic board risk as it impacts brand reputation, operations, compliance, and potential mergers and acquisitions. Boards must prioritize resilience to ensure continuity and rapid recovery when breaches occur.
- Monitor the company’s AI and cyber talent gaps, ensuring that management and chief information security officers (CISOs) have the necessary resources and organizational alignment to succeed in the face of increasing AI-related compliance demands.
- Zero-trust architecture is a security model that assumes no user or device, even inside the network, should be trusted by default, and it requires strict verification and continuous monitoring for access to systems and data. It is essential for securing systems, particularly with a remote workforce, and is the recommended system architecture from the National Institute of Standards and Technology.
- Shadow AI, or unapproved tools used by employees, poses significant risks and must be mitigated. Employees will use AI on their personal systems regardless of your best efforts, so it’s important to create a system they can use within your risk tolerance.
- AI systems used in security may lack transparency in decision-making, so human oversight and ethical accountability remain critical.
- Boards should consider the risks posed by quantum computing, particularly in breaking security encryption, and prepare post-quantum resilience strategies to safeguard intellectual property and trade secrets.
- Boards should understand how AI tools work and the potential risks and opportunities they present for both defense and offense.
Key Boardroom Questions:
- Question for CISO: Where are our greatest cybersecurity and AI weaknesses, and what resources should we prioritize to close these gaps?
- Do we have an AI risk framework in place? How are we addressing issues such as hallucinations, explainability, and data provenance?
- What measures are in place to prevent the use of shadow AI across the organization?
- What is our zero-trust architecture, and how is it implemented across remote access and partner systems?
- How are we ensuring that AI and cybersecurity are considered at every stage of product development?
- Are we benchmarking against global AI and cybersecurity regulations? How are we demonstrating compliance?
- Who should be included in our incident response team, and what alternative communication methods are in place if systems go down?
Thank you to our generous partners for making this event possible:
NACD and the NACD Chapter Network organizations (NACD) are non-partisan, nonprofit organizations dedicated to providing directors with the opportunity to discuss timely governance oversight practices. The views of the speakers and audience are their own and do not necessarily reflect the views of NACD.