Cybersecurity governance: are directors doing enough?

Articles Written by Professor Pamela Hanrahan (Consultant)
Camera lens

The revelation this month of another major cyberattack in Australia – this time a ransomware attack on electronic prescription provider MediSecure – has many board and C-suite members re-examining their roles in cyber risk-management. 

The unavoidable truth for directors and senior executives is that cyberattacks happen constantly. They are not restricted to companies holding large amounts of third-party (such as customer or patient) personal information. Every business holds information that is valuable or protected or both, and relies on IT systems to operate. This makes anyone a target. There are many reasons why a business might be attacked by an external adversary (like a criminal or state actor) or a hostile insider. This includes where the business is targeted because its IT systems provide a gateway into another entity or system.  

Advances in connectivity, cloud computing and software as a service (SaaS) mean that no business is an island. In FY23-24, a cyberattack was reported to Australian law enforcement every six minutes. Cyber risk-management frameworks therefore accept attacks as inevitable and focus on strengthening defences, managing breaches in real time (including managing business disruption, public and regulatory disclosures, and remediation) if they occur, and building up the business’s resilience (that is, its capacity to recover operability and confidence quickly).

Primary responsibility for designing and implementing the technical ‘boots on the ground’ aspects of cybersecurity should sit either with qualified and well-resourced internal staff, or well-credentialed external providers. Most businesses use a combination, operating under the supervision of senior management. But ultimate responsibility for ensuring the business has an appropriate cyber risk-management framework sits with the board.  

In deciding what is appropriate for their business, directors and other officers must understand their legal duties, including their duty of care, and what it requires of a person in their role.

The board’s role is to understand the threat environment, set the risk appetite, ensure adequate resources are allocated to the task, and then (either directly or through a sub-committee) monitor and oversee the development, maintenance, and implementation of suitable systems and processes for cyber defence, incident response and recovery, and cyber resilience.

At a minimum – stay informed and ask questions

Individual directors each bring different levels of current IT awareness and expertise to the task. But disengagement or complacency is not an option. It is clearly foreseeable that businesses will be attacked and that a successful attack would harm the interests of the company, financially and otherwise (for example, by exposing it to regulatory action for breach of the privacy laws). So directors each have a personal duty to take reasonable care to ensure the risks are being properly managed. To do this effectively, directors must be informed and ask the right questions.

Staying informed is critical. This starts with a general awareness of cybersecurity risks and evolving economy-wide expectations for managing them. This is an area that moves quickly. At a minimum, directors should understand the Essential Eight cyber risk mitigation strategies, produced by the Australian Signals Directorate. Free guides like the Australian Institute of Company Directors (AICD) 'Cyber Security Governance Principles' (2022) and 'Governing Through a Cyber Crisis' (2024), produced with the Cyber Security Cooperative Research Centre, are also useful.   

Secondly, directors should inform themselves about cyber issues specific to the business. Be curious and ask for more background information, outside board meetings if needed. Understand what kinds of sensitive or protected data the business holds, and the key IT systems it relies on to operate. Ask how they might be vulnerable to attack, and what the consequences of a successful attack would likely be. Consider the agreed risk appetite critically, and read the risk management framework and incident response plan to understand who is responsible for what. Ask what other businesses in the sector are doing, and for benchmarking. Ask what ‘third-line’ checks are being undertaken by internal or external auditor and experts, such as privacy audits, cybersecurity training reviews, phishing simulations and incident response tests. 

Thirdly, directors should inquire about and understand the credentials and expertise of the internal and external people who lead cyber risk-management in the business. If it comes down to whether a director can rely on information or advice, they must believe on reasonable grounds that it was coming from someone reliable and competent.

This information sets the foundation for directors to ask the right questions. Cyber risk should be a regular agenda item for boards, which provides the opportunity to stay across emerging issues. Then, each director must ask herself or himself: given everything I know about the business, its operations and the external environment, does this sound right to me? Am I satisfied that we have controls that are appropriate, robust, workable and regularly reviewed?

Heightened responsibilities in SOCI entities and financial institutions

Directors of some companies covered by the Security of Critical Infrastructure Act 2018 (Cth) have heightened responsibilities. So do directors of banks, insurance companies and superannuation fund trustees regulated by APRA.

The SOCI Act covers 11 sectors: communications, financial services and markets, data storage and processing, defence, higher education and research, energy, food and grocery, healthcare and medical, space technology, transport, and water and sewerage. SOCI entities have three positive security obligations, and SOCI entities holding assets that are deemed as Systems of National Significance have additional four enhanced cyber security obligations.

SOCI entities holding designated assets must have a written critical infrastructure risk management program (known as a CIRMP) that covers cyber and information security hazards. And importantly, the board must provide an annual report to the relevant regulator (usually the Department of Home Affairs) that states whether the program is up-to-date.

Boards of APRA-regulated entities also have heightened responsibilities for risk management, including cyber risk management, under prudential standards including CPS 220 Risk Management and CPS Information Security. These require sign-offs by the board. As accountable persons, directors have individual accountability for their part of the risk management framework under the Financial Accountability Regime jointly administered by APRA and ASIC.

Next steps

Each high-profile cybersecurity breach raises the stakes for the director community. The area is commercially and politically sensitive, particularly where there are serious flow-on effects for people outside the business.

The legal and regulatory response to cyber risk is continuing to move. The Department of Home Affairs recently completed consultation on proposed enhancements to cybersecurity laws, addressing payment of ransoms and protected incident reporting , among other issues. For listed entities, ASX is revising its continuous disclosure guidance to include examples dealing with data breaches. The revised Guidance Note 8 will take effect from 27 May 2024.

Staying on top of developments is important. Now is a good time to revisit the board’s level of comfort on cybersecurity, and get some additional guidance or an independent sense-check on current arrangements.

Important Disclaimer: The material contained in this article is comment of a general nature only and is not and nor is it intended to be advice on any specific professional matter. In that the effectiveness or accuracy of any professional advice depends upon the particular circumstances of each case, neither the firm nor any individual author accepts any responsibility whatsoever for any acts or omissions resulting from reliance upon the content of any articles. Before acting on the basis of any material contained in this publication, we recommend that you consult your professional adviser. Liability limited by a scheme approved under Professional Standards Legislation (Australia-wide except in Tasmania).

Related insights Read more insight

Corporate governance, defence in depth and the Swiss Cheese Model of incident causation

In this practical article, Partner Jonathan Cheyne from JWS’ Board Advisory & Governance group introduces the famous Swiss Cheese Model of incident causation – which is widely applied in many other...

More
Following Silicon Valley’s lead? Reforming non-compete arrangements in Australian PE/VC deals

As Australia debates reforms to non-compete clauses, the implications for venture capital (VC) and private equity (PE) firms are significant, particularly regarding business sales and funding...

More
Digital Bytes – cyber, privacy, AI & data update

While all eyes have been on the recent introduction of the privacy reform Bill to Parliament, there have been a number of other updates that continue to inform the shifting patterns of opportunity,...

More