The Australian Cyber Security Centre (ACSC)’s[1] 2021 Cyber Threat Report revealed that over the 2020-21 financial year cybercrime reports had totalled more than $33 billion, with medium-sized businesses reporting the highest average loss of $33,442.[2] The ACSC report highlights that cybersecurity is now a critical issue that must be a priority for every organisation. Failure to prioritise it presents substantial risks, including loss of customers/clients and reputational damage, as well as legal and regulatory consequences. As such, the board must add cyber risk to its risk appetite and encourage cyber awareness throughout the organisation.
Cyber risks are both external and internal to the organisation. External risks are well known and include hackers, terrorists and cybercriminals, while internal risks range from employees who mistakenly open a malware-infected email or share confidential documents to those who deliberately target their employers by disrupting their IT systems. There are also the cybersecurity gaps created by ‘shadow IT’, a term used for the services and applications used by employees that are not sanctioned by the IT department.[3]
A question we hear more and more is “What can my board do to mitigate cyber risks?” It begins with educating the board about cybersecurity, including the directors’ responsibilities under key legislation such as the Privacy Act 1988 (Cth) and the Corporations Act 2001 (Cth). For example, the Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act requires organisations to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) about eligible data breaches. A director’s duty of care and diligence under section 180 of the Corporations Act also comes into play if the organisation’s cybersecurity strategy does not protect its key assets, which could include its data. Understanding these and other legal and regulatory obligations will help the board identify the best methods to mitigate potential cyber risks.
Directors are now expected to be financially literate, but as we are ever more reliant on technology, they will need to become cyber literate as well. This does not mean all directors have to become IT experts, but similar to financial literacy, they along with senior managers need to understand:
- the types of cyberattacks that are potential threats to the organisation;
- the digital assets (i.e., systems and information) that are particularly vulnerable to cyberattacks;
- the potential outcomes of particular cyberattacks; and
- what can be done to combat those potential threats, such as incident response strategies and procedures.
As with all reporting, the board must set clear expectations around the information it receives from management, including the format, frequency and level of detail of the cybersecurity information the board receives. Further, to engage the board and focus directors on assessing the organisation’s cyber risks, an IT senior manager must be present in board meetings and provide information to the board in a way that is understandable and relatable.[4]
Depending on the size of the organisation and its cybersecurity threats, other steps the board should implement or consider are:
- Putting cybersecurity on the board’s meeting agenda at regular intervals to discuss cybersecurity issues and promote a culture of cybersecurity throughout the organisation.
- Defining the organisation’s cyber risk tolerance and ensuring it aligns with the organisation’s strategy and risk appetite.
- Receiving regular assurance from management that the organisation has in place an integrated risk management framework with adequate resourcing to manage cyber and other risks.
- Conducting periodic audits of the organisation’s cyber risk preparedness by independent third parties.
- Tasking a committee with overseeing cybersecurity risks.
- Taking out cyber insurance to protect the organisation against the expenses and legal costs associated with data breaches, which may occur after being hacked or from theft of personal information.
- Appointing a chief information security officer (CISO) to oversee the protection of the organisation’s data as well as its digital infrastructure and assets.
- Bringing a director with a cybersecurity background on to the board or engaging an external adviser who can report to the board regularly to ensure effective oversight of management.
It is unrealistic to expect your organisation to be totally immune from cyberattacks. However, having a board that understands cyber risk, puts in place a risk management framework that incorporates cyber risk and promotes a culture of cyber awareness will help to ensure the organisation’s cyber resilience.[5] Following are some key questions for the board to consider:
- Are cyber risks an integral part of the organisation’s risk management framework?
- What are the cyber threats to the organisation’s business?
- How should cyber risk be monitored at board level?
- How often is the cyber risk mitigation strategy reviewed at board level?
- Are our cybersecurity activities properly resourced?
- Does the board need additional expertise to understand cyber risk?
- How are we making our employees aware of cybersecurity?
- What is in place to protect our critical assets from cyberattacks?
- What needs to occur in the event of a cyber data breach?
- Do we have cyber incident response plans in place?
- What contractual obligations do we have with third party suppliers in relation to cybersecurity and the protection of personal information of our customers/clients?
For more information on the cybersecurity requirements of the board, contact us.
[1] The ACSC provides advice and information about how to protect organisations of all sizes via its website (www.cyber.gov.au/).
[2] Australian Cyber Security Centre, 2021, ACSC Annual Cyber Threat Report: 1 July 2020 to 30 June 2021, viewed 6 October 2021, www.cyber.gov.au/, p. 17.
[3] Leibel, A. & Pales, C., 2021, The Secure Board, Longueville Media Pty Ltd, Haberfield, NSW.
[4] Parenty, T.J. & Domet, J.J., 2019, A Leader’s Guide to Cybersecurity: Why Boards Need to Lead—and How to Do It, Harvard Business Review Press, Boston, MA, p. 62.
[5] Australian Securities and Investments Commission (ASIC), 2021, Cyber resilience good practices, viewed 6 October 2021, https://asic.gov.au/regulatory-resources/digital-transformation/cyber-resilience/cyber-resilience-good-practices/.