Cybersecurity governance: are directors doing enough?
Boards need to understand director duties in cybersecurity and best practices for effective cyber risk management, writes UNSW Business School's Pamela Hanrahan
Last month's revelation of another major cyberattack in Australia – this time a ransomware attack on electronic prescription provider MediSecure – has many board and C-suite members re-examining their roles in cyber risk management.
The unavoidable truth for directors and senior executives is that cyberattacks happen constantly. They are not restricted to companies holding large amounts of third-party (such as customer or patient) personal information. Every business holds information that is valuable or protected or both and relies on IT systems to operate. This makes anyone a target. There are many reasons why a business might be attacked by an external adversary (like a criminal or state actor) or a hostile insider. This includes where the business is targeted because its IT systems provide a gateway into another entity.
Advances in connectivity, cloud computing and software as a service (SaaS) mean that no business is an island. In FY23-24, a cyberattack was reported to Australian law enforcement every six minutes. Cyber risk-management frameworks, therefore, accept attacks as inevitable and focus on strengthening defences, managing breaches (including managing business disruption, public and regulatory disclosures, and remediation) if they occur, and building up the business’ resilience (that is, its capacity to recover operability and confidence quickly).
Primary responsibility for designing and implementing the technical ‘boots on the ground’ aspects of cybersecurity should sit either with qualified and well-resourced internal staff, or well-credentialed external providers. Most businesses use a combination, operating under the supervision of senior management. But ultimate responsibility for ensuring the business has an appropriate cyber risk-management framework sits with the board.
In deciding what is appropriate for their business, directors and other officers must understand their legal duties, including their duty of care, and what it requires of a person in their role. The board’s role is to understand the threat environment, set the risk appetite, ensure adequate resources are allocated to the task, and then (either directly or through a sub-committee) monitor and oversee the development, maintenance, and implementation of suitable systems and processes for cyber defence, incident response and recovery, and cyber resilience.
At a minimum – stay informed and ask questions
Individual directors each bring different levels of current IT awareness and expertise to the task. But disengagement or complacency is not an option. It is clearly foreseeable that businesses will be attacked and that a successful attack would harm the interests of the company, financially and otherwise (for example, by exposing it to regulatory action for breach of privacy laws). So directors each have a personal duty to take reasonable care to ensure the risks are being properly managed. To do this effectively, directors must be informed and ask the right questions.
Staying informed is critical. This starts with a general awareness of cybersecurity risks and evolving economy-wide expectations for managing them. It is an area that moves quickly. At a minimum, directors should understand the Essential Eight cyber risk mitigation strategies, produced by the Australian Signals Directorate. Free guides like the Australian Institute of Company Directors (AICD) Cyber Security Governance Principles (2022) and Governing Through a Cyber Crisis (2024), produced with the Cyber Security Cooperative Research Centre, are also useful.
Read more: Company directors fall short of cyber security skills mark
Secondly, directors should inform themselves about cyber issues specific to the business. Be curious and ask for more background information, outside board meetings if needed. Understand what kinds of sensitive or protected data the business holds and the key IT systems it relies on to operate. Ask how they might be vulnerable to attack, and what the consequences of a successful attack would likely be. Consider the agreed risk appetite critically, and read the risk management framework and incident response plan to understand who is responsible for what. Ask what other businesses in the sector are doing, and for benchmarking. Ask what ‘third-line’ checks are being undertaken by internal or external auditors and experts, such as privacy audits, cybersecurity training reviews, phishing simulations and incident response tests.
Thirdly, directors should inquire about and understand the credentials and expertise of the internal and external people who lead cyber risk management in the business. If it comes down to whether a director can rely on information or advice, they must believe on reasonable grounds that it was coming from someone reliable and competent.
This information sets the foundation for directors to ask the right questions. Cyber risk should be a regular agenda item for boards, which provides the opportunity to stay across emerging issues. Then, each director must ask herself or himself: given everything I know about the business, its operations and the external environment, does this sound right to me? Am I satisfied that we have controls that are appropriate, robust, workable and regularly reviewed?
Heightened responsibilities in SOCI entities and financial institutions
Directors of some companies covered by the Security of Critical Infrastructure Act 2018 (Cth) have heightened responsibilities. So do directors of banks, insurance companies and superannuation fund trustees regulated by APRA.
The SOCI Act covers 11 sectors: communications, financial services and market, data storage and processing, defence, higher education and research, energy, food and grocery, healthcare and medical, space technology, transport, and water and sewerage. SOCI entities have three positive security obligations, and SOCI entities holding assets that are deemed as Systems of National Significance have four additional enhanced cyber security obligations.
SOCI entities holding designated assets must have a written critical infrastructure risk management program (known as a CIRMP) that covers cyber and information security hazards. And importantly, the board must provide an annual report to the relevant regulator (usually the Department of Home Affairs) that states whether program is up-to-date.
Boards of APRA-regulated entities also have heightened responsibilities for risk management, including cyber risk management, under prudential standards, including CPS 220 Risk Management and CPS 234 Information Security. These standards require board signoff. As accountable persons, directors have individual accountability for their part of the risk management framework under the Financial Accountability Regime jointly administered by APRA and ASIC.
Subscribe to BusinessThink for the latest research, analysis and insights from UNSW Business School
Next steps for directors
Each high-profile cybersecurity breach raises the stakes for the director community. The area is commercially and politically sensitive, particularly where there are serious flow-on effects for people outside the business.
The legal and regulatory response to cyber risk is continuing to move. The Department of Home Affairs recently completed consultation on proposed enhancements to cybersecurity laws addressing payment of ransoms and protected incident reporting among other issues. For listed entities, ASX is revising its continuous disclosure guidance to include examples dealing with data breaches. The revised Guidance Note 8 will take effect from 27 May 2024.
It is important to stay on top of developments. Now is a good time to revisit the board’s level of comfort with cybersecurity and get some additional guidance or an independent sense-check on current arrangements.
Dr Pamela Hanrahan is an Emerita Professor of the UNSW Business School and a Consultant at Johnson Winter Slattery. This article is reproduced with the permission of Johnson Winter Slattery.