
TOP STORY

SharePoint Under Siege: What Directors Need to Know

Rob Sloan

Contributor

Zscaler

Aug 4, 2025

The latest Director’s Cut briefing describes how hackers have compromised more than 400 organizations by targeting a flaw in Microsoft SharePoint, a third party being sued for causing a breach, a British ransomware payment ban, and more.

Microsoft has identified a serious vulnerability in its SharePoint server software, a widely used platform for internal collaboration and document sharing. The New York Times was among the media outlets reporting that hackers have already exploited this flaw to gain unauthorized access to sensitive organizational data. Companies relying on older, on-premises versions of SharePoint are at heightened risk, while the cloud-based version remains unaffected.

The breach has impacted at least 400 businesses and government agencies globally, according to the company that discovered the bug. Victims include the US National Institutes of Health and the US National Nuclear Security Administration, part of the Energy Department. Microsoft has attributed the attack to Chinese state-sponsored groups that have previously targeted government, defense, media, financial services, and more in the US, Europe, and East Asia.

Even after patches are applied, attackers may have continued access, posing long-term risks to compromised organizations.

Boards must ensure management understands their exposure and evaluates their reliance on on-premises SharePoint servers. Directors should push for immediate security updates, thorough risk assessments for compromised systems, and a plan to migrate to secure cloud-based platforms if feasible. Oversight should extend to testing incident response plans and implementing modern security frameworks like zero trust to prevent future breaches.

Questions Directors Should Ask Management

  • Do we have on-premises SharePoint servers? If so, have they been patched, and how are we confirming they are secure?
  • What steps are we taking to identify and mitigate risks related to compromised systems or data?
  • What is our plan to transition to zero trust architecture, which will prevent attackers from being able to exploit such vulnerabilities?

How are we auditing cybersecurity practices among vendors that provide critical IT services like identity management?

Clorox, a global maker of household and commercial goods, is suing IT services giant Cognizant for US$380 million, claiming negligence that enabled a major cyberattack in August 2023. According to media reports, hackers used social engineering to impersonate a Clorox employee and trick Cognizant’s help desk into resetting critical credentials without verifying the caller’s identity. The breach caused widespread disruption to Clorox’s production and distribution of household goods, inflicting long-term financial, operational, and reputational damage.

This case highlights the risks of outsourcing identity management and service desk support to third-party vendors. Social engineering attacks that target poorly trained support teams have become an increasingly common tactic for cybercriminals. Boards must review how management is enforcing strong vendor accountability and whether third-party practices adhere to organizational security standards and protocols.

How much of our cyber insurance coverage will realistically offset the financial impact of a major attack?

British retailer Marks & Spencer expects to claim up to $135.5 million from its cyber insurance policy following a recent cyberattack that disrupted operations and potentially exposed customer data. The attack is projected to cost the company more than $400 million before insurance recovery. While M&S had doubled its cyber insurance limits the year before the attack and boosted its cybersecurity resources, chairman Archie Norman noted that the claim process could take up to 18 months, further illustrating the financial and operational challenges companies face post-attack.

This report underscores that cyber insurance is a tool to manage—not eliminate—cyber risk. Boards must evaluate whether policies are complemented by meaningful preventive measures and whether relying on insurance might expose the organization to reputational or financial harm during lengthy claims processes.

Are we fully aware of the legal, financial, and reputational consequences of making ransom payments, including compliance with emerging regulations?

The UK government plans to ban public sector organizations from paying ransoms while requiring private companies to notify authorities before making such payments. This effort aims to disrupt the ransomware business model but shifts the onus onto companies to strengthen defenses and prepare for the operational ripple effects of such bans. I have previously written about the positive impact such a policy would have.

While the government pledges cooperation with industry to support these measures, the ban underscores that organizations must continue strengthening their cybersecurity posture. Practices like offline backups, continuity planning, zero trust architecture, and adherence to established frameworks remain essential defenses as attackers increasingly pivot to data theft and extortion in response to shrinking ransom payments.
