Network Breach at Lydian Technologies

Lydian Technologies, a cloud services and software provider, has suffered a sophisticated breach.

Instructions

This simulation is inspired by real-world events and will unfold over three steps. At each stage, you should select all of the responses that you feel are appropriate given the information you have received up to that moment. After each submission, your selections will be checked and the scoring rationale for each choice will be provided.

To get started, please enter your email:

Strengthening Cyber Governance

Lydian Technologies, a cloud services and software provider, has suffered a sophisticated breach. Hackers gained access via a software update from a widely used third-party provider, compromising Lydian’s monitoring product across critical sectors. The breach went undetected for months and was revealed by an external cybersecurity firm. The board was notified only after the public disclosure and is now facing scrutiny from regulators and clients. Directors discover that cyber risk was framed as a compliance item rather than a strategic enterprise risk, and that many felt underprepared to assess these issues. What should the board do now?

A. Hire a cyber forensics firm to conduct an independent post-breach review

B. Review previous board and committee records to assess cyber oversight patterns

C. Make cyber risk a recurring item on full board agendas

D. Change the CIO’s reporting line to report directly to the board

E. Immediately begin recruiting a new board member with cyber risk credentials

F. Initiate cyber education for directors, with a focus on third-party vulnerabilities

G. Publicly reprimand the CIO for the oversight lapse

Choice	Rationale	Answer
A	Independent analysis improves board understanding and enhances accountability.	✅
B	Helps the board reflect on past blind spots and strengthens future oversight.	✅
C	Elevates cyber as a strategic risk, ensuring routine, board-level attention.	✅
D	Reporting structures are management’s purview; boards should ensure visibility, not override org charts.	❌
E	Helpful in theory, but cyber literacy should be built broadly across the board.	❌
F	Education is essential for board readiness in governing cyber risks.	✅
G	Public blame undermines psychological safety and escalations.	❌

Addressing Disclosure and Materiality

Senior management internally debated the materiality of the breach for nearly two weeks, delaying disclosure. Arguments centered on reputational damage versus the extent of known customer impact. The board was not involved in those discussions. What steps should the board take now?

A. Establish a formal escalation protocol for potential cyber incidents

B. Review disclosure policies and ensure they reflect regulatory expectations

C. Seek advice from external counsel on materiality under current rules

D. Reaffirm that materiality is solely a management decision

E. Ensure all dimensions of risk — including legal and reputational — are considered in future materiality assessments

F. Assign materiality decisions related to cyber risk exclusively to the board

G. Wait to disclose future breaches until customer data compromise is confirmed

Choice	Rationale	Answer
A	Ensures timely board involvement and oversight in future incidents.	✅
B	Fundamental for directors to understand the triggers and thresholds for disclosure.	✅
C	Legal input supports defensible and consistent materiality determinations.	✅
D	Boards must actively oversee materiality decisions, especially for reputational or legal impact.	❌
E	Properly frames materiality beyond financial terms to include broader stakeholder impact.	✅
F	Board should oversee, not take over, disclosure decisions.	❌
G	Waiting for confirmed exfiltration is inconsistent with best practices and SEC expectations.	❌

Enhancing Cyber Resilience and Third-Party Oversight

Customers and regulators are demanding to know how Lydian will address the weaknesses in its third-party risk model and prevent future cyber breaches. What would be appropriate actions for the board to take?

A. Broaden the board’s oversight scope to explicitly include third-party cyber risk

B. Require management to provide periodic updates on vendor security posture

C. Issue a public statement outlining board-level cyber governance practices

D. Hold direct briefings with major customers to explain incident mitigation steps

E. Refrain from public comment to avoid legal exposure

F. Form a dedicated cyber committee to enhance board oversight

G. Evaluate cyber insurance adequacy and incident response funding

Choice	Rationale	Answer
A	Broadens governance scope appropriately following a supply chain breach.	✅
B	Keeps the board informed without overstepping operational boundaries.	✅
C	Reaffirms the board’s strategic oversight role to external stakeholders.	✅
D	Direct customer engagement is best left to management.	❌
E	Withholding may harm reputation and regulatory standing.	❌
F	A dedicated committee structure strengthens risk governance.	✅
G	Adequacy review is a valid oversight action, but renegotiation is operational.	❌

2 Responses

Onboards_Admin says:

July 7, 2025 at 2:53 pm

This was fun!

Reply
Brian Williams says:

July 15, 2025 at 1:43 pm

This was fun, definitely enjoyed the learning!

Reply

Network Breach at Lydian Technologies

Instructions

Strengthening Cyber Governance

Answer Key

Addressing Disclosure and Materiality

Answer Key

Enhancing Cyber Resilience and Third-Party Oversight

Answer Key

2 Responses

Leave a Reply Cancel reply

Network Breach at Lydian Technologies

Instructions

Strengthening Cyber Governance

Answer Key

Addressing Disclosure and Materiality

Answer Key

Enhancing Cyber Resilience and Third-Party Oversight

Answer Key

2 Responses

Leave a Reply Cancel reply

More Filters

Thank you for browsing our resources.