Cyber Security Expectations for Boards
Cyber Security Expectations for Boards was a key theme when CyBiz attended the Australian Financial Review Cyber Summit earlier this week. The keynote address by Joe Longo, Chair of the Australian Securities and Investments Commission (ASIC) reinforced ASIC’s increasing focus on cybersecurity and its implications for boards of companies in Australia.
Following the four acute cyber-attacks against Australian corporations over the last 12 months – Optus, Medibank, Latitude Finance and HWL Ebsworth – which were only the tip of the iceberg, Australian businesses must increase their cyber resilience to prepare for the ever-increasing risk of cybercrime. Cybersecurity failures can have significant financial, operational and reputational consequences for businesses, their shareholders and their customers, and ASIC is taking a proactive approach to ensure that companies adequately address and manage these risks.
“Cyber preparedness is not simply a question of having impregnable systems – that’s not possible. Instead, whilst preparedness must include security, it must also involve resilience, meaning the ability to respond and weather a significant cyber security incident. This can only be built on thorough and comprehensive planning for significant cyber incidents and a clearly thought-out risk management strategy.”
Joe Longo, Chair of ASIC, 18 September 2023
ASIC has previously prosecuted only one Australian company for alleged failures to have adequate cyber security systems. In that instance, the defendant, a financial services provider, stored confidential and sensitive personal information and documents such as passports, driver’s licences, tax file numbers, bank account and credit card details. That information was accessed following a business email compromise, and several of the provider’s clients subsequently fell victim to cyber fraud. ASIC alleged that the business did not have strategies, frameworks, policies, plans, procedures, systems, resources and controls in place that were adequate to manage its cyber security and cyber resilience risks. ASIC has now put directors on notice that they will be held responsible for data breaches which arise from inadequate management of cyber security, and for failing to ensure that their organisation has undertaken comprehensive planning to prepare for significant cyber incidents.
Joe Longo also spoke about the reliance of Australian businesses on third parties and the software supply chain security risk which companies face. An increasing number of Australian businesses rely on third parties for software and critical data services. If those third parties are compromised, the confidentiality of personal and business data is put at risk. The recent ASIC Cyber Pulse Survey measured cyber resilience in Australian corporations. The full results will be published later this year; however, initial findings identified third-party suppliers, vendors and managed service providers as one of the weakest links in cyber preparedness, with more than 50% of respondents reporting limited or no capability to adequately protect confidential information, whether it is held within the organisation or by third-party suppliers.
A CyBiz blog earlier this year focused on Senior Management’s Role in Cybersecurity. Cyber security expectations for Boards are similar in many respects, although they are of course more strategic and governance oriented than operational. The key questions which ASIC will ask when considering Board liability are whether a cyber security incident was due to something that a Board genuinely could not control, and whether the Board and the organisation as a whole had taken appropriate steps to invest in cyber security preparedness:
- Understanding Cyber Risks:
• Boards should have a clear understanding of the evolving cybersecurity threat landscape, including the potential risks and vulnerabilities that their organisation may face.
- Setting the Cybersecurity Strategy:
• Formulating a Cybersecurity Strategy: Boards should be involved in developing and approving a comprehensive cybersecurity strategy that aligns with their organisation’s overall business strategy and risk appetite.
• Risk Assessment and Management: Ensure that the organisation conducts regular and thorough assessments of cybersecurity risks and implements risk management strategies to mitigate those risks.
- Establishing a Cybersecurity Culture:
• Promoting a Cybersecurity Culture: Foster a culture of cybersecurity awareness and responsibility throughout the organisation. This involves educating employees, contractors and stakeholders about cybersecurity best practices and the importance of maintaining security – and of course means that directors themselves should be educated on cyber security matters.
- Resource Allocation and Budgeting:
• Allocating Resources: Ensure appropriate allocation of resources, including budget and personnel, to implement and maintain effective cybersecurity measures and capabilities.
- Overseeing Compliance and Reporting:
• Monitoring Compliance: Oversee compliance with applicable cybersecurity laws, regulations and industry standards. Directors of listed companies must also consider their continuous disclosure obligations when assessing when to notify relevant authorities and the market of a cyber incident.
• Regular Reporting: Boards should receive regular and timely reports on their organisation’s cybersecurity posture, incidents and responses. The reporting must be comprehensive and provide meaningful insight into the effectiveness of cybersecurity measures.
- Incident Response Planning and Testing:
• Developing Incident Response Plans: Oversee the development and testing of incident response plans, ensuring that the organisation is prepared to respond effectively to cybersecurity incidents.
• Conducting Simulated Exercises: Boards should ensure that the organisation regularly conducts simulated cybersecurity exercises to test its incident response plans and identify areas for improvement. CyBiz’s Wargame Tabletop Exercises are an effective way to ensure your organisation is prepared to respond to a serious cyber incident.
- Third-Party Risk Management:
• Supervising Third-Party Relationships: As highlighted by Joe Longo in his address to the AFR Cyber Summit, Boards should oversee the management of third-party cybersecurity risks, ensuring that vendors and partners meet the required cybersecurity standards and practices.
- Continuous Improvement and Adaptation:
• Regularly review the organisation’s cyber security program, policies and practices to identify areas for improvement and adaptation in response to changing cyber threats and technological advancements.
- Engagement and Education:
• Engagement with Cybersecurity Experts: Boards should seek guidance and expertise from third-party cybersecurity professionals and consultants to stay informed about best practices and emerging threats. This was a discussion point at the AFR Cyber Summit, where it was considered best practice to engage external experts rather than rely on the internal expertise of fellow directors.
Contact CyBiz to discuss how we can support your Board on cyber security matters and to ensure your organisation is prepared to withstand and respond to significant cyber security incidents.
Posted in Governance and Strategy, Blog