AICD and CSCRC release refreshed Cyber Security Governance Principles

    Current

    In response to the rapidly evolving cyber threat landscape and increasing regulatory focus, the Australian Institute of Company Directors (AICD) and Cyber Security Cooperative Research Centre (CSCRC) have released significant updates to the Cyber Security Governance Principles.


    Since their release in October 2022, the Principles have become the AICD’s most downloaded resources and the leading source of board-level guidance on cyber security in Australia. The enhancements reflect the growing complexity of cyber risks facing Australian organisations and provide directors with expanded guidance on critical areas including digital supply chain security, data governance and comprehensively preparing for and responding effectively to a significant cyber event.

    The suite of Principles resources include a Snapshot of the publication and a checklist for SME and NFP directors.

    The updated Principles will be launched with a complimentary webinar on 11 December (see details below).

    Key updates

    The updates have been based on extensive consultation with directors, cyber security experts and Australian Government regulators and departments.

    Digital supply chain

    The updated Principles acknowledge that modern organisations operate within complex digital ecosystems where third-party relationships can create significant cyber risk exposure.

    The CrowdStrike incident earlier in 2024, while not strictly a cyber security event, has demonstrated how interconnected and vulnerable supply chains can be to unexpected events. Directors are also increasingly expected by regulators to have visibility over their organisation’s digital supply chains and understand the cyber risk controls in place in respect of key suppliers.

    The Principles stress that organisations of all sizes are able to take practical steps to reduce digital supply chain risks, including mapping key suppliers and understanding supplier cyber security controls. Organisations can also build a level of redundancy in digital supply chains, for example through supplier diversification and maintaining key system backups.

    Data governance

    With operational and individual data increasingly the lifeblood of modern organisations, the revised Principles emphasise the critical importance of robust data governance. Boards should take a proactive role in overseeing their organisation's data management practices, focusing on:

    • Understanding what key data is collected, where it is stored and who has access to it;
    • Clear policies for data retention, disposal, and access management;
    • Implementation of data protection measures aligned with security classification levels; and
    • Oversight of data sharing arrangements with third parties.  

    Cyber incident response and recovery

    The update refines the guidance on how a board can prepare for a significant cyber incident and then respond effectively and compassionately when an incident does occur.

    These changes were informed by the AICD, CSCRC and Ashurst joint publication Governing Through a Cyber Crisis - Cyber Incident Response and Recovery for Australian Directors.

    A key message is that an organisation in responding to a critical cyber incident should play close attention to the human impact of the cyber crisis, both on employees and customers. A board that is alive and responsive to how people are being impacted stands to be better placed to rebuild the organisation’s reputation.

    New case studies

    We are delighted that the Principles feature new case studies by former Telstra CEO Andy Penn and Ventia Services Group Chair David Moffatt. Also included is a foreword by the Federal Government’s Special Envoy for Cyber Security and Digital Resilience Dr Andrew Charlton.

    Mr Moffatt’s case study reflects on his experience as Chair of Ventia Services Group when it experienced a significant cyber security incident in 2023. Mr Moffatt stresses the importance of shutting down the Ventia system when the breach was first detected as a mechanism to limit damage. He also notes that a key lesson was the human impact such an event can have on a small number of employees.

    Pending new regulations

    The update also reflects pending Commonwealth legislation that will introduce a standalone Cyber Security Act and amendments to critical infrastructure obligations. The changes have bipartisan support and are likely to pass Parliament shortly. The reforms will include a mandatory ransomware payment reporting requirement for businesses above a certain revenue threshold, a Cyber Incident Review Board and greater protections on business information shared with the Australian Signals Directorate and National Cyber Security Coordinator during a critical cyber incident.

    Webinar launch

    On 11 December (12pm – 1pm AEDT) the AICD is hosting a webinar to launch the Principles. The webinar will feature a panel discussion that will bring to life the changes to the Principles and reflect on how boards of all sizes of organisations can build cyber residence.

    Members of the panel are:

    • David Moffatt MAICD, Chair of Ventia Services Group and Apollo Global Management Australia & New Zealand;
    • Victoria Weekes FAICD, Director of Bendigo and Adelaide Bank and Alcidion Group;
    • Rachael Falk GAICD, CEO CSCRC and former member of Expert Advisory Board developing the 2023-2030 Australian Cyber Security Strategy; and
    • Christian Gergis GAICD, Head of Policy AICD.

    The webinar is complimentary and you can register here.

    As cyber security continues to be a critical governance issue, these updated Principles provide timely and practical guidance for directors navigating the complex landscape of digital risk.

    Latest news

    This is of of your complimentary pieces of content

    This is exclusive content.

    You have reached your limit for guest contents. The content you are trying to access is exclusive for AICD members. Please become a member for unlimited access.