New Cyber Security Governance Principles
This month (October 2022) the Australian Institute of Company Directors published “Cyber Security Governance Principles for Directors” (link here). REDD’s duty of care is to bring this to the attention of all Directors and Senior Managers, so that they can review this document and consider the principles in the context of your business.
The following principles have been extracted from the recent publication and can be found using the following link:
To help directors proactively guard against the threat, the AICD and the Cyber Security Cooperative Research Centre (CSCRC) have developed a practical framework for directors to build organisational cyber resilience. The five cybersecurity governance principles each represent an aspect of cybersecurity that requires board-level attention and oversight.
The principles draw on established risk governance frameworks as well as expertise from regulators, cybersecurity experts, senior directors and government agencies.
Set clear roles and responsibilities
The board needs to identify specific individuals within the organisation who are responsible for the various components of cybersecurity management, including the role of external parties. For example, even when an organisation is deferring to external legal counsel or an insurer, the board must be consulted throughout.
Having a plan in place around how the board will work with management and external consultants in the event of a significant incident can significantly reduce the potential for miscommunication during a critical time.
Hiring external experts is far preferable to limiting a cybersecurity strategy to in-house knowledge, says Green. However, knowing how to select external parties and work with them effectively is critical.
“The key thing is getting the right expert for the right problem, and finding experts who have the experience you need rather than people who might be learning on the job with you,” he says.
“You want people who’ve been in the wars. I would be asking them at the end of any discussion, ‘If you were sitting in my shoes as a director, what would you be doing right now that we are not doing, or what questions would you be asking that we haven’t asked?’ They’re pretty open questions that can sometimes get you surprising and useful answers.”
The board must also explicitly set out their own responsibilities in preventing and responding to a cybersecurity incident. “Without clear roles set out prior to an incident, confusion ensues,” says CSCRC head Rachael Falk MAICD. “Defining clear roles is a foundational component of building effective cyber resilience.”
Develop, implement and evolve a comprehensive cyber strategy
A key part of a comprehensive cyber strategy is identifying an organisation’s key digital assets and data and who is responsible for them. The strategy will also identify potential risks associated with third-party suppliers. The guidance makes clear that a cyber strategy is a forward-looking tool for building cyber resilience, and part of that involves identifying existing weaknesses. A regular stocktake of the data that organisations hold is also cited as crucial.
One of the major issues with cybersecurity is that the risk is asymmetric, says Green. This means that those with malicious intent must be kept away from an organisation’s data all the time — one crack in the system at a single point in time still constitutes a major risk. A cyber strategy must therefore acknowledge all the potential weaknesses.
“The risk of a cyberattack is probably much greater than most people assume,” he says. “For example, if one person in your organisation doesn’t update the software on their computer, they’re potentially exposing the organisation to a risk. How do you deal with that, and how do you improve and get them to improve?”
Green notes that this is particularly challenging for smaller organisations, because larger organisations typically have access to automated solutions to cover many potential areas of risk.
“When developing a strategy, it can be helpful to think about what your worst nightmare might be in a cybersecurity sense, and then set up a mock attack in real time,” he says. “See what your response should be — both from management and the board. How would you deal with it on a timely basis?”
Embed cybersecurity in existing risk management practices
Cyber risk is an operational risk that fits within an organisation’s existing approach to risk management. It should be embedded rather than separated off to one side. However, it is not a static risk, points out Melinda Conrad FAICD, who provided a case study for the Principles.
“The cyber threat environment is dynamic and constantly evolving, often at a much faster pace than other operational risks an organisation faces,” says Conrad, who is director of ASX, Ampol Australia, Stockland, Penten and the Centre for Independent Studies. “It is for this reason that oversight of cyber risk warrants an elevated focus by the board, and directors should be continuously looking for ways to uplift their skills and knowledge and identify where external help may be needed.”
The guide recommends applying the tools that are utilised for other risk settings to cyber risks, along with oversight by the risk committee in large organisations. Demystifying the topic is also key, with directors needing to ask for management reports that are easily decipherable and not filled with technical jargon.
Promote a culture of cyber resilience
The behavioural element of cyber risk is a crucial component of cyber resilience, and it starts with the board. Regular and relevant training is essential, including specific training for directors, and simulation and penetration exercises. It can mean the difference between a staff member spotting a phishing email and reporting it, or falling for it and compromising sensitive data.
“A truly cyber-resilient culture begins with the board and flows through the organisation,” says Falk. “In short, culture is everything in an organisation. When the board and the CEO actively promote culture, it is incredibly powerful.”
The benefits of the right cyber governance and incentives are twofold — the workforce understands how to respect cybersecurity to protect customer data, and if something goes wrong, there’s a culture of reporting.
Plan for a significant cybersecurity incident
Even with the best defences, the sheer scale of cybercrime today means it is more a question of when, not if, a cyberattack will occur. This applies to organisations of all sizes and in all industries. “No-one is immune to a cybersecurity event,” says Falk. “If you’re running a system that’s connected to the internet, then your organisation shares this collective risk and challenge.”
Proactive preparation is vital to being able to contain the ramifications of data being compromised. There are immediate issues to be addressed, as well as communicating in a timely and effective manner with employees, customers and regulators. This principle underscores that a transparent approach to communications is critical in mitigating reputational damage and allowing for an effective recovery.
“Know well ahead of time who your communications advisers, incident responders and external legal counsel are going to be,” says Falk. “There’s a saying that you should never exchange business cards in a crisis. Always have this in place beforehand so that you’re not doing the key elements of mitigating during the actual incident as it’s unfolding.”
It also cannot be a set-and-forget exercise. Plans need to be regularly revisited and refreshed, because threats are continuously evolving and directors and key personnel are likely to change over time.
Many organisations prepare for a cyber incident by having third-party providers test and practise their systems with simulation exercises. This can help assess whether the processes in place under the response plan are appropriate, and provide the opportunity to fine-tune them. Such rehearsals also allow directors to become familiar with their oversight responsibilities and identify areas for improvement.
It is vital for directors to obtain independent oversight on a regular basis, says former chair of Toll Group and current Telstra chair John Mullen AO, who appears as a case study in the Principles.
“It needs to be regular,” he says. “You don’t say, ‘We’re not going to do an audit this year, we did that last year’. You wouldn’t do that with finances. You need to systematise [cyber] as well.”