Boards and Brand Reputation: 7 Cyber Steps to Boost Investor and Consumer Confidence
Target’s devastating cyber breach about a decade ago tanked consumer trust, investor confidence, and overall brand rep, and was a wake-up call to boards to fund cybersecurity for brand protection. But how many are still snoozing?
A little over 10 years ago, Target hired its first chief information security officer (CISO) as part of the retail giant’s efforts to restore its tattered reputation after a massive cyber breach. Hackers had swiped the electronic credentials of a refrigeration vendor, infiltrated Target’s computer network, and stolen the credit and debit card details of 40 million accounts and the personal information of 70 million customers.
Among the devastating consequences, in-store and online sales dipped to their lowest point in three years, the CEO and the CIO resigned, the Senate grilled the CFO in a highly publicized investigation, and the company agreed to pay a record-breaking $18.5 million to settle claims brought by 47 states and the District of Columbia. To regain consumer trust, Target instituted a slew of security upgrades, including expanded use of multifactor authentication, improved employee training on password safety, and better access management.
The debacle sent shockwaves through companies everywhere. If Target could be hacked, then anyone could. The lesson for corporate boards was clear: Don’t wait for an attack; check the system for weakness now.
That was a decade ago — and we’ve seen scores of high-profile retail cyberattacks since then, including Ticketmaster, AT&T, Verizon and Dell this past year alone. So how many boards have really taken the lesson to heart and invested in cybersecurity improvements?
After all, from the Target breach and all the other whoppers, we’ve seen how brutal the fallout can be:
- First, there’s the critical loss of customer trust. With their sensitive information compromised, 80 percent of consumers in developed nations will defect to other providers, according to the IDC. In fact, some research suggests nearly 60 percent of businesses fail after a breach.
- Then there’s the negative media coverage, particularly when big names are involved. This can accelerate the loss of trust and the adverse perceptions that often build in the aftermath of major media exposure, tarnishing both the company and individuals within it.
- As a company’s reputation tumbles, so does its market value. Companies victimized by data breaches can see their stock price underperform the market for several years. Additionally, the financial losses from a cyberattack – including data recovery costs, legal fees, and compensating affected customers – can be significant. They averaged $4.88 million per breach in 2024, a 10% rise over the previous year and the biggest jump since the pandemic.
- Depending on the seriousness of the breach, a company’s reputation can fall so far that investors avoid it, and it may lose opportunities to build new relationships and engage in collaborative efforts, potentially limiting growth.
- Finally, a cyberattack will hurt employee morale and hinder recruitment efforts. Workers whose information was stolen may – at the least – feel the company was lax in protecting them. And companies with tarnished reputations can find that talented, top-tier job candidates would prefer to work elsewhere.
Meredith Griffanti, now a senior managing director at FTI Consulting, was an officer at Equifax during that firm’s security breach in 2017, and she remembers how demoralizing the experience felt.
“I can tell you,” she said, “it is really hard to read about the company that you put your blood, sweat, and tears into getting raked over the coals on the front page of the press. It’s emotional.”
Why cybersecurity is a competitive advantage
In the interest of transparency, the Securities and Exchange Commission (SEC) in 2023 added disclosure rules that mandate a more intense process for reporting cyberattacks. The new rule makes companies responsible for giving investors current, consistent, and “decision-useful” information about their cyber risk policies; and it obligates companies to disclose information about “material” cyber incidents within three days. It puts further pressure on boards to be more proactive, as the best way to protect brand reputation is to implement and nurture a culture of cybersecurity.
“Some companies use security as a competitive advantage,” says Robert Strickland, CEO and founder of M37 Ventures and former CIO of T-Mobile. “Being Fort Knox becomes part of their brand, a way to attract and retain customers.”
The old adage about an ounce of prevention being worth a pound of cure applies. Actually, that 16-to-1 ratio (16 ounces to the pound) may underestimate the value of proactivity when it comes to cybersecurity. There is no one-size-fits-all solution, but our expert sources pointed to several steps on which they broadly agree, which we have assembled here as a blueprint for constructing a defense.
Here are seven ways boards can guard against reputational damage:
1. Demand a multi-layered security posture
Think about protecting a medieval castle. “There wasn’t just one defense,” notes Strickland. “There was the moat, the spikes, the hot oil, the catapults.”
Make sure that you, like those castle builders, have a layered security strategy, he advises. One level is never enough. Test it constantly to find vulnerabilities. Train people not to be phished and not to give away passwords.
2. Ask good questions
It may seem obvious, but a key thing that boards can do is ask really good, thoughtful questions, says Arvind Swaminathan, a partner at the global law firm Orrick, where he founded the cyber privacy data innovation practice group. He points to Orrick’s list of questions all boards should be asking their companies, and he cites similar lists from the National Association of Corporate Directors (NACD) and other corporate governance associations.
3. Drill, baby, drill those playbooks
The focus on readiness is ramping up. “We’re seeing boards put a lot of pressure on their leadership teams to be more prepared,” says Griffanti. That means revisiting and strengthening incident response plans, crisis communications plans, and business continuity plans, and making sure they all work together.
4. Put the board together with the CISO
A board can’t get sufficient insight into a company’s cybersecurity posture through quarterly presentations alone.
“Board members should arrange to visit the security team and receive orientations firsthand from personnel situated on the front lines of cybersecurity,” writes J.R. Williamson, senior VP and CISO at Leidos, in the 2023 Director’s Handbook on Cyber-Risk Oversight, published by the Internet Security Alliance.
Greater familiarity with the team’s mission and leaders will pay dividends in the event of a crisis, he notes. It also sends a powerful message: “Having a visible relationship between the board and the CISO makes it very clear to the whole company that cybersecurity is worthy of their time.”
5. Add social media to your purview
This is where some of the worst damage can happen. “If you’re a big brand and you’ve got a consumer-heavy focus or a large employee base, you should be monitoring the social media landscape in advance,” says Griffanti.
It’s becoming increasingly important for smaller businesses, too, though they may not have the staff or bandwidth to take this on. “Keep tabs on anything from Reddit forums to tweets to YouTube posts,” says Griffanti, “so you can catch controversy before it goes viral.”
6. Start playing games
Simulations make it real for board members. Griffanti notes her firm has designed exercises so boards can put themselves in a “live-fire situation” and understand the nuances and critical decisions that need to be made in a split second.
As she says, “When do you pull the plug on the whole network? What do you bring back online first? What services and applications are mission-critical?”
7. Define your principles and rely on them
Despite the pressures of market expectations and past behaviors, it’s important to remember who you are as an organization.
“You have to understand what your mission, vision, and values are, and how you will uphold them when you’re in a moment of crisis,” says Swaminathan. “Because that’s how you protect your brand reputation. That’s how you build trust.” The right thing isn’t always easy to define, he says. But it’s the path to a good reputation.