Australia's cyber security strategy

The AICD is providing policy and director views as Australia’s national cyber strategy is developed, writes Louise Petschler GAICD. A new resource for NFP directors has also been added to the AICD’s contemporary governance toolkits for members. 

Cyber governance is top of mind for directors, as organisations battle increasing and evolving cyber threats and attacks.

AICD’s latest Director Sentiment Index survey shows that cyber crime ranks as the standout issue “keeping directors awake at night”. More than half of the Australian directors surveyed reported that the risk of cyberattacks is directly influencing their board’s risk appetite, taking precedence over inflationary pressures.

As we reported in April, the federal Minister for Cyber Security and Home Affairs Clare O’Neil has appointed an expert advisory board to oversee a refreshed national cyber strategy for the nation. The panel — comprising Air Marshal (ret’d) Mel Hupfeld AO DSC, Andrew Penn AO, former Telstra CEO, and Rachael Falk MAICD, CEO of the Cyber Security Cooperative Research Centre — has been charged with developing a strategy to make Australia “the world’s most cyber-secure nation” by 2030.

AICD has provided a detailed submission to the consultation on the strategy’s development. 

The AICD was pleased to host the minister and the expert advisory board at a director roundtable in our Melbourne office in late April to discuss cyber issues. They were joined by directors from across the listed, financial services and not-for-profit sectors, sharing perspectives and views.

Our submission covers key consultation issues relating to cyber governance. These include whether company directors should have a new and specific duty to address cybersecurity risks (in addition to current duties); whether ransomware payments by organisations should be made illegal; and the options for strengthening cybersecurity legislation and regulatory regimes.

The AICD has carefully considered the question of adding specific cyber duties to Australian directors. Our view remains that Australia’s comprehensive legal framework (obliging directors to effectively oversee cyber risk and resilience), along with separate regulatory and reputational incentives, already provides a strong regulatory framework to focus directors on cybersecurity. Australia’s general directors’ duties of care, diligence and acting in the best interests of the organisation provide a sound legal framework for high standards of cyber governance.

To support policy development, the AICD also commissioned a review by King & Wood Mallesons on cybersecurity regulatory approaches across comparable jurisdictions (available on our website). The KWM review showed that regulatory regimes in Canada, the UK, US and EU have not added specific cyber duties to general duties of care, diligence and skill. The review also highlights increasing class action activity against directors for alleged breaches of oversight of cybersecurity.

Importantly, comparable jurisdictions also have a range of mechanisms to facilitate real-time intelligence sharing and support organisations facing cyber threats and incidents.

Strong support for a united “team Australia” approach — one that both supports Australian organisations and boosts our national resilience — was a key theme of the roundtable.

The roundtable also acknowledged the role of the joint AICD/Cyber Security Cooperative Research Centre’s Cyber Security Governance Principles in guiding boards of all organisations on good practice. 

The AICD also offers a short course, The Board’s Role in Cyber, in a four-week virtual format to help experienced board directors prepare robust strategies on cyber resilience. 

Regulatory Priorities 

The AICD advocates for fair, fit-for-purpose and modern regulations that support diligent directors in governing for growth. Our FY23 reform priorities include:

• Coordinated cyber policies that reflect the complex risk environment facing boards 
• Balanced policy setting that support high- quality market disclosures 
• NFP regulation that promotes accountability and financial sustainability
• ESG reporting standards that are appropriately targeted and lift current practice.

New Climate Governance Resources for NFP Directors

Through the Climate Governance Initiative (CGI), the AICD and its partners have a range of resources available to help boards and directors in their oversight of climate change risk and governance. Our latest resource, developed with CGI Partner PwC, aims to support NFP directors with practical advice and case studies on climate governance.

The guide includes tools to take action to address climate change, such as reducing energy consumption or transitioning to renewable energy sources. It also discusses engagement with stakeholders and highlights the risks and opportunities of addressing climate change.

Climate Governance Guide for NFP Directors

Key questions

• Identify your climate compliance obligations: Have we considered whether climate change is a material and foreseeable risk to our organisation?
• Consider stakeholder views on climate: Do we need to consider stakeholder perspectives on climate and what information will assist the board to consider those interests?
• Understand and improve your organisation’s carbon footprint: Should we introduce targets to reduce our own carbon footprint emissions?
• Assess climate risks and develop mitigation measures: Which climate- related risks present a material exposure to  our strategy or operations — and over what relevant time frames?
• Consider climate opportunities: What are the biggest costs to our organisation? Are there climate-related opportunities that can potentially reduce these in the long term?

Climate change governance presents a range of challenges for NFP organisations. These include risks specific to the operations of each NFP, as well as broader issues such as potentially increased demands on services, grant funding conditions and stakeholder expectations.

Previous AICD surveys of director attitudes on climate governance show that a majority of NFP directors are seeking to engage more on climate governance. However, many boards are unsure of where to start amidst competing priorities, limited resources and a lack of expertise in sustainability.

The AICD’s Climate Governance Initiative (CGI) hub provides a range of guides, resources and free webinars for directors on climate governance. This is part of the AICD commitment to support members on issues of contemporary governance practice.

Directors can also sign up for the monthly CGI newsletter via email (policy@ aicd.com.au).

In August, we will host our second national Climate Governance Forum. To register, visit bit.ly/CGIAustralia

This article first appeared under the headline ‘Cyber Governance Update’ in the June 2023 issue of Company Director magazine.