Board members need to take this threat seriously. MFA is 100% compulsory for all systems on the internet & also cyber awareness training. Best practice nowadays is not to mandate regular password changes as people just add 1,2,3 etc to the end. It’s also important to monitor for RSS rules and block external forwarding. Even with all these simple steps in place it’s not 100%

Silly hacker ... let the docs go through to the inbox, and just send a copy to the RSS .... they will never find it and you'll know all the financial info for the company.