Dysfunctions of the NRA Board - Part 1 - Cybersecurity
Did the cost-cutting to free up enough funds to pay the Brewer firm eliminate some of the “Top Men” in web security and create the environment that led to this exposure?
I was in the middle of writing a post on the Dysfunctions of the NRA Board when the news of the hack and ransom attack of the NRA hit NBC News. This topic deserves its own piece.
NBC reported that the NRA was hacked and that files from the NRA Foundation, including minutes of the last Foundation Board meeting, were leaked to the Dark Web. It is not clear whether any personally identifying information (PII) or personal credit information (PCI) was captured as part of this ransom attack. This attack came during Cybersecurity Awareness Month.
Cybersecurity is one of the top 10 areas of focus for a functioning Board of Directors.
I’ve attended 4 NRA Board of Directors meetings and 1 Audit Committee meeting over the past 2 years. Cybersecurity was never mentioned. I checked with Rocky Marshall (currently working to intervene in the NY AG case on behalf of NRA members), and cybersecurity was never mentioned in the Board or committee meetings he attended either. A former board member mentioned that cybersecurity came up at the time of the Ackerman McQueen dispute: there had been hacking attempts by anti-firearm-rights groups that were successfully blocked, and board members were assured by management that “Top Men” were working in the web security area. Top. Men.
Cybersecurity is a Board level issue, not something that is completely delegated to management.
Directors and Boards recently held a cybersecurity webinar led by representatives from RSM US (the accounting firm that fired the NRA as a client in 2019).
In their session, they reported that:
Boards typically have a small dedicated cybersecurity committee or a subcommittee that is part of the Audit Committee;
Over 264,000,000 ransomware attacks happened in the timeframe of 2016-2020;
A ransomware attack like this will cost an average of $352,000 in business interruption costs, not to mention the reputational cost of the leaked information;
An attack like this will typically have a ransom of $250,000, with insurance covering the amount above the deductible (subject to OFAC conditions);
In many cases the organization ransoming the data will release the data even if the ransom is paid;
As many as 80% of firms hit with an attack of this type will be hit again in the near term; and,
The cost of cyber insurance is skyrocketing, as are the deductibles, and policies have not been renewed (have we seen this before with Directors and Officers insurance?) where industry-standard policies and procedures such as having modern systems, keeping up to date with system patches, and maintaining appropriate board oversight are lacking.
Since the NRA apparently does not have a standing Cybersecurity committee, and it also does not appear that the Audit Committee oversees cybersecurity, it begs the question: who is dealing with this? Does this become yet another matter handed to the Special Litigation Committee? Who on that committee (or on the Board, for that matter) has any cybersecurity expertise? Or will this be another way for the Brewer firm to rack up additional billable hours? What will the Board of the NRA change to provide the necessary oversight? Did the cost-cutting to free up enough funds to pay the Brewer firm eliminate some of the “Top Men” in web security and create the environment that led to this exposure?
Given the NRA’s propensity to rush blindly into solutions without proper research (see the Carry Guard program), there is a further issue with the ransom itself: the Grief organization claiming to have carried out the hack is just the renamed version of Evil Corp, which is sanctioned under OFAC. OFAC maintains the lists of countries and organizations that US firms may NOT do business with, even to pay a ransom. Wired published a good summary of the NRA’s OFAC exposure today.
Hopefully, the Board will recognize the seriousness of this issue and establish a proper cybersecurity oversight function, as is standard at all organizations of the size and complexity of the NRA.
I ask that anyone interested in getting a reformer focused on transparency and accountability on the NRA Board print out the petition and legibly fill out the information. If you don’t know your NRA member number, I can get it from the membership office if I can read your name and address.
The petition is here: http://cxoservices.com/images/NRA_Petition_Blank.pdf
The NRA requires “wet” signatures, so you have to print out the petition and physically mail the completed petitions to me.
Mail to: Frank Tait, 425 W. Wayne Ave. Wayne PA 19087
I have to submit the signatures to the NRA no later than November 16. Please mail any completed petitions to me no later than November 11.
Thank you for your support! Please email me if you have any questions at franktait@me.com
Please subscribe for further updates.