Serious data breaches at Optus and Medibank Private have thrown the spotlight onto cyber security. In October, the AICD and Cyber Security Cooperative Research Centre (CSCRC) launched the Cyber Security Governance Principles.
The past few weeks involving data breaches at Optus and Medibank Private indicate that it's not a matter of if, but potentially a matter of when a cyberattack will occur, says Rachael Falk, CEO of the Cyber Security Cooperative Research Centre (CSCRC).
“A cyber strategy is incredibly important for knowing what your cyber posture is today, where it should be in the future and where your vulnerabilities lie. It involves identifying key digital assets — where they are, who has access to them, and who is protecting them,” she said during a panel discussion at the launch of the Principles.
Cyber is an emerging risk for directors today and it's moving incredibly quickly, added fellow panellist Melinda Conrad, FAICD, a director of ASX, Ampol Australia and Stockland Corporation — and a member of the AICD Corporate Governance Committee. “Regardless of the size or nature of your business, knowing where to start can be quite daunting.”
Along with a detailed 50-page document on the Cyber Security Principles, there is a two-page summary for directors of SMEs and not-for-profits, plus a three-page summary of the entire guide. Governance red flags are signposted throughout.
John Mullen AM, the current chair of Telstra and former chair of Toll Group, provides a case study in the Principles. During the launch, he shared his experiences when Toll was hit by two major cyber attacks in 2020. “I carry the scars of the Toll experience, which certainly taught us a lot,” he says.
“I don't think we necessarily had the best cyber protection in the world, but it certainly was up there with most companies. The first lesson we learned is that pretty well everybody is vulnerable. It would be hubris to think otherwise.”
Mullen added that dealing with the day-to-day impact was so challenging that there could be no such thing as being over-prepared. “We couldn't track and trace shipments from which customers were invoiced. Our entire inbound revenue stopped, but the costs of 40,000 employees kept running. As a director, my focus switched quickly to a solvency discussion.”
Toll had teams working around the clock, speaking to banks, shareholders and other stakeholders. The company ultimately resolved the breach and continued as a business.
Cyber crime and data theft are consistently cited as the number one issue keeping Australian directors awake at night, according to the AICD’s most recent Director Sentiment Index survey. And yet the guidance and support available for boards to manage cyber threats were, until recently, in short supply.
“We developed the Principles because we identified a gap in the market,” says AICD Head of Policy Christian Gergis GAICD. “There was a lot of guidance for management teams and technical experts around managing cyber risks. However, there were very few resources pitched to the board level in terms of how boards can get more confident that their organisation is as resilient as it could be.”
The five cyber governance principles are:
- Set clear roles and responsibilities
- Develop, implement and evaluate a comprehensive cyber strategy
- Embed cybersecurity in existing risk management practices
- Promote a culture of cyber resilience
- Plan for a significant cybersecurity incident