Never waste a good crisis – what we can learn from the misfortune of other organisations

Holding Redlich General Counsel, Lyn Nicholson

The old saying “never waste a good crisis” has never been as relevant as it is now. Many organisations are facing business issues in circumstances they never expected and are needing to respond in agile ways. 

While we see some organisations doing well, we also see some suffering adverse consequences. A good board will think deeply and regularly about these two questions:

1. Could this happen to us?

2. How can we protect ourselves against this happening, or mitigate any adverse consequences if it did?

The recent cyber-attack on drinks manufacturer Lion, which caused it to shut its IT systems, raises the question of vulnerability and of business continuity plans in the event of such attacks.

As much as organisations spend significant time and money seeking to put themselves in a position to prevent attacks, it is equally necessary to consider what backup plans are in place if an attack is successful.

This is a question that must have been exercising the minds of executives at Toll Logistics, who suffered two ransomware attacks this year and lost significant corporate data in both attacks.

For those who have the time and interest, the technology magazine WIRED published an article in 2018 that examined the NotPetya cyber-attack on the shipping organisation Maersk. It is a riveting read and one of those situations where truth is almost stranger than fiction: the resurrection of the organisation relied almost entirely on a single standalone computer in the middle of nowhere, which had not been updated in many years, to allow the organisation to bring its systems back online. It also provides a fabulous illustration of the breadth of consequences that can arise from a cyber-attack, including real-world devastation such as cargo unable to be moved, perishable cargo liable to rot and waste, and major traffic jams at all the ports where Maersk operated.

Preparation is key

Whatever your industry, preparing not only for cyber-attacks but also for workarounds is significant. Many organisations will be proud (if not relieved) that their systems held up through the COVID-19 crisis. However, the fact that this crisis was weathered does not mean that vigilance is not warranted.

Boards need to be continually looking at what is happening in the broader business world and asking the question: if this happened to us, how would we respond?

If this article prompts you to do nothing other than read the WIRED Maersk story and the Toll Group second ransomware story, then the questions you can ask your CEO and their team will help the organisation into the future. 

As lawyers, much of this falls outside of our scope of work and revolves around IT security specialists and systems. However, robust corporate governance systems, which allow organisations to be flexible and to understand how to operate in the event of a crisis, help to ensure that the negative impact of such a crisis is minimised.

Annual attention to corporate governance structures, business continuity plans, desktop simulations of cyber-attacks and other exercises helps prepare organisations to deal with these crises. Boards should continually be alert to these opportunities, and to the potential costs of not investing time in preparing for the worst.
