The new guidance Governing Through a Cyber Crisis, developed by AICD in partnership with the Cyber Security Cooperative Research Centre (CSCRC) and Ashurst, provides a roadmap for Australian directors to navigate critical cyber incidents.

    At a virtual event recorded live in Sydney on 23 February 2024, Christian Gergis GAICD, AICD Head of Policy, was joined by Rachael Falk MAICD, CEO of the Cyber Security Cooperative Research Centre, and John Macpherson, Partner, Risk Advisory Services at Ashurst, for a panel discussion on the new guidance. This is an edited version of the conversation.

    One of the key recommendations in the publication is the need to have a really robust and tested cyber incident response plan — one that has not just been dropped in from above, but is a product of close collaboration within different parts of the business, with senior executives working hand-in-glove with the board, says Gergis.

    The guide highlights the role of the board in the four Rs: readiness, response, recovery and remediation.

    “Organisations need to be really clear about roles and responsibilities around how information escalates, who makes key decisions,” says Macpherson. “Having that conversation between the board and management well in advance is essential.”

    But it is not only a technical response plan that’s required. There must be executive planning and readiness around customer remediation and customer complaints, regulatory response to a data breach and how an organisation might use third-party experts to assist before, during and after a cyber threat event.

    This planning needs to be updated constantly and kept responsive to changes in the organisation, shifts in the threat environment, and shifts in legislation and regulatory expectations.

    Practise your plan

    Training to your plans and simulating them is essential, says Macpherson, adding that he has, “never worked with an organisation that sits in the middle of a crisis and reads its crisis management plan”.

    “That is counterintuitive to how we operate in a crisis,” he says. “Come up with a program of different sorts of exercises and then the scenarios themselves. You’ve got to test the hard things, the worst-case scenarios, and there can sometimes be a reluctance to dive into that. But it’s far better to have rehearsed a worst case and only then experience the most likely or best case, than not to be prepared for some of the really awful things that can happen.”

    The operational demands can be immense. Depending on where the business operates and what it does, management might be dealing with several regulators at once, as well as customers, media, government, other stakeholders, staff, the board chair and directors. Putting a company face to the messaging early in the crisis is important, along with communicating on all channels, including social media and the company website.

    “It doesn't matter if it’s not the CEO, but there has to be a face of the company really early on, and ensure you’re communicating in an open and transparent way about what’s going on,” says Falk.

    “Knowing how the organisation needs to use board members in that communication and stakeholder outreach, having a discussion about that and a plan for what that role is in advance is important,” says Macpherson.

    “Otherwise, we tend to see management teams and boards going in multiple different directions and you need that coordinated effort and stakeholder management.”

    Boards can be called into question when a crisis occurs, so they should be able to satisfy themselves they understand the situation.

    “You may find it is a more comfortable setting for board members to ask those questions of the experts without having management in the room,” says Falk.

    “It’s important to have an open conversation because the incident response team and, similarly, the Australian Signals Directorate, will be seeing things on a much broader pattern than the company themselves.”

    Be prepared

    According to Falk, organisations of every size and purpose need to seek out information and invest in tools to help manage the risk, but also train the people in the organisation rather than simply “expecting the tech to do its magic thing”.

    Keeping up a constant conversation about the changing threat landscape is important, so that employees know what to watch for and can help reduce risk.

    “It’s not just a tech conversation, it’s a people conversation,” says Falk.

    Whether the company might pay a ransom is a discussion that has to be had before it occurs, not after, says Falk.

    Chances are the payment would go to a group flagged for terrorist financing or, at the very least, to an organised cybercrime enterprise. And the data will already have been copied, even if the attacker returns it.

    The board needs to understand the legal and privacy implications, and while there might be a temptation to pay, there are alternative ways of mitigating the risk of harm to customers who may have been impacted.

    “That’s the crux of the board decision,” says Macpherson. “How do we act in the best interest of the company, considering our reputation, our views, our shareholders? What do we need to do for our customers?

    “Threat actors are good at making you feel there’s only one option — to pay. They are good at making you panic and trying to get you to make a decision quickly, because that’s when they get paid the most. That’s real. It’s emotional to go through.

    “For the board, try if you can to slow things down, slow decision-making down so it is deliberative. Think what the alternatives are and how best you can mitigate risks to the organisation.”

    Cyber insurance

    The panel agreed that a sensible board would be advised to at least explore cyber insurance options, to see what’s available and what is covered, as well as what is excluded.

    “It is a big decision and policies can be quite expensive,” says Macpherson. “Some organisations that take out insurance think that’s the job done. We’ve mitigated our cyber risk because we have an insurance policy.

    “But a cyber-readiness response is a lot more than an insurance policy. Think about insurance as just a tool to mitigate risk. You should always do your due diligence and know exactly what you get and recover — and what you don’t get. Do the sums around your costs to make it a financial decision, as well.”

    There is value in exploring insurance options even if cover is not ultimately purchased: the process itself can reveal potential vulnerabilities in the organisation.

    AI innovation

    AI will be a game changer for threat actors, notes Falk, allowing them to become more innovative in how they approach cybercrime.

    “It will allow them to potentially unleash attacks and scams on a scale and reach we’ve not seen before,” she says.

    “On the more positive side, AI will mean that more automation — or tools that are already automated — can be automated at speed, allowing for greater insights for organisations to get much greater visibility around their threat intelligence or who’s been on the network.

    “It’s something law enforcement is grappling with, something we will all need to grapple with. The challenge will be determining what is real, what is fake, what is not affected — and we’re only at the start of that journey.”

    According to Gergis, you can never be too prepared.

    “Prepare for different scenarios, prepare for different management teams to be available to deal with the crisis,” he says.

    “Use the lessons you learn from simulations and refresh your incident response plan. Also, refresh the governance framework you have for your response plan.

    “Obviously, these are highly stressful, highly fluid situations. Think about the full range of stakeholders impacted by the incident, but also bear in mind that as much as you might think you’re the victim, there are often many others who will feel they are the most impacted.”

    “Think about how to look after the customers’ needs. In the report, the guidance is to err on the side of being generous. We all accept these are complicated questions, but don’t be thinking about it for the first time when a ransom attack faces your organisation.”

    Some of the most popular questions from the live event included:

    How do boards focus on the right things in a crisis without swamping management with high information demands? What should be top of mind for chairs on this?
    “One of the things we’ve seen become very popular — and it’s been used for a number of the significant attacks — is for two or three board members who can give advice, listen, be a conduit from the management team to the rest of the board, so you don’t have to have a series of board meetings in the middle of a crisis that you need to prepare papers for, which takes time away from your response,” says Falk. “We discuss that in the guidance and it can be a useful mechanism to consider. It doesn’t mean that other board members, not on the subcommittee, don’t have a responsibility and duty.” She adds that another point is to focus on customers. “It is surprising how quickly an organisation can be very inward-looking and forget about customers. It’s also listening to what’s happening outside. Reflecting on media, not overreacting to what can be a very harsh media environment, sometimes listening to other stakeholders and giving that perspective around where you might need to point in a different direction.”

    How should boards ensure their external service providers have robust cybersecurity operating regimes in place to protect the business?
    Organisations need to take a risk-based approach to the cybersecurity operating regimes of their third-party providers, says Macpherson. “You may not be able to do a detailed audit of all of your third parties, so you’ve got to know which ones are more important on a prioritisation of risk. That’s not always which is your biggest provider or the one you pay the most. It might be third parties that hold your most sensitive data, or that you use to transfer data, so they may be quite small in your third-party ecosystem. Do an audit, do your due diligence looking at the technology, their processes — but also things like their training, testing, and the frequency of that. There’s a whole series of things to be looking at.”

    What key cybersecurity metrics or indicators should boards focus on to effectively oversee and measure the cyber health and resilience of their organisation?
    “It depends on what your organisation is and what you’re in the business of,” says Falk. “A financial services organisation will have different risk profiles than a medical organisation or a telco. It depends on where your valuable data is and what kind of an operation you run. If your operations are all in the cloud, or if you have some legacy systems, it’ll be very different.

    “I’d caution against using simplistic traffic light systems and boards getting comfortable with that, because boards and management just look for the colour — green or amber. It’s about the quality of what you’re assessing, what the risk is to the organisation and what will cause you most damage.

    “You should certainly have metrics around if we lost this data or a supplier compromised this data, will it allow a third party to get in? What will cause us the most pain as an organisation? Put some metrics around that.

    “Don’t be tempted to rely only on audit and compliance reports that get packaged up in board papers,” says Falk, “because while you might pass a compliance assessment, it doesn’t make your entire business ecosystem secure.”

    “It’s the difference between an audit and being compliant and being secure,” says Macpherson.

    Is the audit program looking at all parts of the system? How is that program evolving and changing? The board needs to create a culture that encourages asking questions about cyber, making sure everyone is comfortable asking about anything they don’t know or understand, because the subject can be very serious and technical.

    Lead from the top and ensure the tone and culture make it clear that cyber is a high priority for the organisation.

    “It can be challenging to motivate all senior managers to acknowledge that cyber risk is in the business unit,” says Falk.

    “When they started putting it in the performance bonus arrangements for senior management, it suddenly took on more focus than it had previously. That’s a lever that can be used because you can bet your bottom dollar, if it matters to the CEO and the board, then it should matter to everyone else. It’s amazing how that lever works.”

    How should an organisation prepare for a black swan event such as a state-sponsored cyber attack across multiple entities at similar times, perhaps in the same industry, infrastructure or energy market environment?
    Falk says early involvement with the Australian Signals Directorate is key, as they will work alongside those affected entities to try to determine what has happened and how to best stop it.

    “Because the Australian Signals Directorate is both poacher and gamekeeper, it would have a pretty good idea on how to combat potentially what’s coming — far more than most companies would,” says Falk.

    “If the nation state is determined, it will get in and be able to do certain things. Also, the Australian Signals Directorate will reach out to entities, or to particular sectors, to warn them if it thinks there is a problem. Companies are not on their own in that really dark time. They are actually working very closely with government and the National Cyber Security Coordinator to try to stop it — and stop it from going further.”
