For the CEO

Can you say for certain that we aren’t under cyber attack right now?

If we are being hacked, how safe is our most valuable data—and is the entire organization prepared if our systems go down for an extended time?

What is your best estimate of the impact on our finances, investors, and customers? 

These questions would send chills down the spine of almost any CEO. But corporate chiefs need to be prepared to answer them. Because their boards will be asking.

The Cybersecurity Questions Every CEO Must Answer

Until recently, accountability for cybersecurity issues tended to be pushed to chief information or security officers. Those days are gone. New disclosure and transparency rules in the US and Europe, growing criminal capabilities, and the soaring cost of attacks are vaulting cybersecurity to the very top of the CEO agenda.

“All of this has escalated cybersecurity from a technical challenge for CEOs and boards to an even higher strategic and cross-organizational priority,” says Tad Roselund, a BCG managing director and senior partner and the firm’s former chief risk officer.

When a public company suffers a serious cyber attack, the CEO is now expected to explain the details and implications—within days—to regulators, the investing public, and other stakeholders. Boards are on the hook for tougher oversight as well.

The pressure is ratcheting up as cyber attackers, armed with an ever-growing array of sophisticated but easy-to-use tools, exact a higher and higher toll on businesses and the broader economy. Cyentia Institute estimates the median cost of a single high-magnitude breach at $52 million; in the manufacturing sector alone, the average is $108 million. In all, cyber crime costs the global economy at least $2 trillion a year, BCG estimates.

Compounding the challenge for CEOs is the imperative to successfully steward digital transformations and develop new AI capabilities. These efforts can boost competitiveness and build operational resilience—including cyber resilience—but they also create more openings for malicious actors to exploit.

“You can’t be frozen by the fear of digitizing,” says Vanessa Lyon, a BCG managing director and senior partner who leads the firm’s cybersecurity work globally. “You need to get out of the cave, fully armed.”

CEOs can strike the right balance by ensuring that new digital tools and technologies are designed and deployed with security in mind from the outset. They can also be more strategic about cybersecurity investments by focusing on recovery capabilities as well as protective measures.

Most of all, CEOs must be prepared to lead, and engage in, the company’s cybersecurity strategy. Because it’s no longer a question of if their company will be attacked—but when.

The Broadening Cyber Battlefield

For years, the overwhelming majority of cybersecurity breaches have stemmed from organizational or human failure. That’s still the case, but new tools are making phishing attacks—long the most common hacking technique—easier, more effective, and less time-consuming to execute. With generative AI, for example, infiltrators can create more realistic deepfake text messages, photos, websites, company documents, video, and even real-time voice conversations in minutes.

A recent scam at the Hong Kong branch of a multinational company illustrates the evolving ingenuity of cyber criminals. Scammers reportedly invited a finance manager to an emergency video meeting with the company’s UK-based chief finance officer and several other colleagues. But it turned out the meeting attendees were deepfakes, created with publicly available video and audio. The fraudsters tricked the manager into executing 15 money transfers worth a total of $25.6 million to five bank accounts, according to press reports.

That’s just one incident. A whole industry has emerged to make hackers’ jobs easier. GenAI phishing tools, fraud tutorials, money laundering services, ransomware-as-a-service solutions, and cloned drivers’ licenses and credit cards are all readily available for modest sums on dark web markets.

Cyber criminals are finding direct ways into corporate networks by obtaining valid passwords, usernames, and other login credentials. And it’s happening with greater frequency. Cyber attacks leveraging user credentials rose 71% in 2023 from the previous year and became the most common entry point, according to the IBM X-Force Threat Intelligence Index.

“More attackers are simply logging into networks, rather than hacking in,” says Michele Alvarez, IBM X-Force’s manager of strategic threat analysis. “Our findings show an identity crisis is now hitting from all directions.”

Credentials can be swiped with “infostealer” software and harvested through phishing attacks that give adversaries control over a server or web page. Or they can simply be purchased, relatively cheaply, on the dark web.

Threats to Digital Transformation

Some of the most sophisticated and damaging attacks—often by government-backed criminal organizations with abundant time and resources—are penetrating tools and solutions that are integral to corporate digital transformation efforts. In May 2023, for example, a ransomware gang called Clop exploited a vulnerability in a popular enterprise file-transfer tool. Before patches could be installed, Clop stole data from more than 1,000 government and business organizations worldwide, affecting millions of people.

Cyber criminals are also managing to infiltrate virtual private networks and cloud-computing applications that executives often assume are completely secure.

“Companies that are going through digital transformation are vulnerable,” says Or Klier, a cybersecurity expert and BCG managing director and partner. “They have to manage two types of technologies—their legacy IT and solutions and those they are migrating to.”

Third-Party Vendors at Risk

Companies are also expanding the number and type of third-party vendors they work with, and their supply chains are becoming more complex. Each additional link to a third party presents a potential window into a company’s network.

“As your supply chain grows more complex and adds more third parties, you might become more vulnerable to attackers that look for the weakest link to penetrate,” Klier says.

Verizon Business, which analyzed more than 10,000 confirmed successful attacks in 2023, reported a 68% increase in third-party breaches and a 180% increase in the exploitation of web applications as the critical path into IT systems. Companies surveyed by computer service firm BlueVoyant reported an average of more than four supply-chain breaches in 2023 that negatively impacted their businesses.

Intensifying Regulatory Oversight

Mounting systemic threats have prompted regulators in the US and Europe to impose a greater legal onus on boards to ensure their companies have robust cybersecurity risk-management procedures, controls, and governance in place. Government watchdogs are also requiring companies to be more transparent about breaches and their consequences.

In 2023, the US Securities and Exchange Commission expanded its cybersecurity disclosure requirements. Under the new rules, companies must now report annually on how their cybersecurity processes are integrated into overall risk-management systems and identify risks associated with third-party service providers. When a public company determines a cyber incident has a “material” impact on a company’s finances, investors, and customers, it must disclose that within four business days. And it must estimate the financial impact as well as whether it breached propriety customer data.

In cases of egregious lapses, regulators are also indicating a greater willingness to penalize companies, and even individual executives, for lax cybersecurity. In October 2023, the SEC filed a civil lawsuit against the provider of the enterprise file-sharing software that was exploited in the Clop attack—along with the company’s chief information security officer—alleging that it defrauded investors by concealing cyber vulnerabilities. (The company denied the allegations, and a judge later dismissed most of the fraud charges.)

Elsewhere, the US Federal Trade Commission recently took enforcement actions against leaders of several online marketplaces that were cyber attack victims, accusing them of inadequately protecting sensitive consumer data.

The Cybersecurity Questions Every CEO Must Answer

Given the increasing strategic importance of cybersecurity, the growing volume of threats, and rising regulatory scrutiny, CEOs must lead the effort to better insulate their company’s IT systems and data from attack. They must also be ready to spearhead response and recovery if a serious breach occurs.

To successfully fulfill that remit, CEOs should be ready to answer the following questions:

How prepared am I for a strategic discussion with my board?

Few CEOs need to dive into the technical weeds of cybersecurity. They do, however, need sufficient command of the subject to hold an in-depth, accessible discussion with their boards, regulators, managers, and key stakeholders.

That starts with understanding the greatest cybersecurity threats their company faces and the key vulnerabilities and risk exposure of their most critical systems. CEOs need to know their organization’s “crown jewels”—assets that, if successfully attacked, would cause the most serious damage to their organization, investors, and customers—and what is required to protect them. They need a firm grasp of how effectively their cybersecurity controls can manage third-party risk as well as the metrics and other means they use to verify those controls.

Once they have a clear view of their organization’s cyber landscape, CEOs need to be able to explain to their boards what would happen to the organization—and those that depend on it—in the event of a major attack. What’s the impact, for instance, if IT systems are offline for weeks or months? Finally, CEOs need to convey how residual risks (those that the company will have to keep living with) will be managed.

How secure is our digital transition?

As organizations race to digitize, CEOs should not assume that the IT solutions and cloud platforms they’re migrating to are sufficiently secure.

“We see a lot of security gaps that are due to misperception or mismanagement up front,” says BCG’s Klier. “Many companies moving to the cloud, for example, don’t have a clear plan to manage the transition from legacy systems. They mistakenly believe that all the security they need is supplied by the cloud provider. And many companies that are experimenting with GenAI have limited understanding about how to do that responsibly and securely.”

This presents CEOs with a balancing act: they must ensure their migrations are secure, but they can’t postpone adopting new digital solutions for so long that they lose competitive advantage. BCG, for example, estimates that by 2025, companies at the leading edge of leveraging technological and digital innovation will generate two-thirds more value than digital laggards.

Going overboard with firewalls can also do more harm than good. “Some companies try to overprotect everything with more and more constraints on new digital tools,” says BCG’s Lyon. “But unfortunately, we’ve seen several instances of employees trying to work around them and handle data in ways that are even less secure.”

Lyon says she’s seen situations where employees might bypass file-sharing systems that don’t work or are too difficult to use and instead transmit spreadsheets via email, storing them in temporary folders on their hard drive. Holding off on developing GenAI tools also risks encouraging a company’s product developers, data analysts, and content creators to experiment on their own with publicly available GenAI bots, many of which are ridden with vulnerabilities.

AI can itself be extremely valuable in helping companies bolster their cybersecurity. So rather than delaying digital overhauls and AI development, experts say, CEOs can ensure that security is rooted in new tools and systems from conception. “When digitizing, use a concept called ‘secure by design,’” Klier says. “Embed security during installation.”

When adding new vendors and third parties, Klier advises CEOs to understand their risks and demand security levels that are appropriate for the technology, the type of threats their company is exposed to, and its crown-jewel assets. Software design teams, trained to work quickly in sprints and agile methods, also need to embed security when developing and updating apps.

In addition, secure IT design requires coordination with the corporation’s other risk-mitigation frameworks, such as privacy protection and responsible AI.

Are we spending the right amount on cybersecurity—and in the right places?

With enough time and money, criminal organizations can conceivably hack into any system. Cyber criminals can also exploit gaps much faster than most organizations can find and close them. This is especially true if a company’s digital maturity is still developing or if the organization is amid a major IT transition.

The real challenge, says IBM X-Force’s Alvarez, “is to quickly detect and address a breach before hackers can scale up.”

IBM’s “Cost of a Data Breach” report estimates that it currently takes 204 days, on average, for organizations to identify a cyber breach. Not nearly enough, however, is invested in responding to cyber breaches, which take an average of 73 days to contain, according to IBM estimates. The vast majority of cybersecurity spending goes toward defending against attacks. BCG estimates that only 20% is devoted to response and recovery.

When an attack occurs (and odds are it will) the goal is to get systems back online as soon as possible—once the proper forensics have been conducted to ensure vulnerabilities have been identified and addressed. CEOs who devote as much focus and budget to rapidly responding and recovering from breaches as they do to defending against them will be better equipped to reach that goal.

Understanding how the company will run while systems are disrupted is also essential. So is ensuring that the recovery response is coordinated not just within IT but across the organization, including functions such as customer management, finance, communications, and government relations.

Do we have the right capabilities, culture, and talent to enable us to evolve securely?

Most companies have made good progress training their employees to be on the lookout for phishing emails, be more careful when sharing and storing data, and follow other security practices.

But human error is still involved to some degree in most breaches, and around 30% of hacks are accomplished through phishing, according to Verizon Business. This alone indicates CEOs should examine whether cybersecurity—from detection and protection through response and recovery—needs to be further embedded in their company culture.

“Cybersecurity can no longer exist in a silo,” says BCG’s Roselund. “Everybody must be engaged, and that requires new ways of working.”

The CEO needs to ensure that all business functions—not just the IT department and risk management—are actively involved in cybersecurity initiatives and that all employees are properly trained to mitigate risks. It’s also important that training is up to date. While staff may have been warned to not click on an attachment in a suspicious email, are they on guard against deepfakes of voice, videos, and company documents? For that matter, would they be fooled by a deepfake of a call or video message from their CEO?

Finally, CEOs should consider the potential action to take if a key executive continues to fail a phishing test or keeps using an unauthorized messaging platform.
 

The cybersecurity stakes are only getting higher for CEOs and the companies they lead. As exploitable entry points proliferate and the toll from attacks grows, so do the demands for corporate leaders to assume greater accountability.

CEOs can rise to the moment by investing sufficiently in recovery and protection, embedding security in digital transformation efforts from the word go, and ensuring that everyone across the organization remains vigilant. Because if there is a significant attack, the ultimate responsibility for dealing with the consequences will fall squarely on the CEO’s shoulders.

Pete Engardio is a senior writer at BCG.