In response to the rapidly evolving cyber threat landscape and increasing regulatory focus, the AICD and Cyber Security Cooperative Research Centre (CSCRC) have released significant updates to the Cyber Security Governance Principles.
Since its release in 2022, the AICD and Cyber Security Cooperative Research Centre (CSCRC) Cyber Security Governance Principles has become the AICD’s most downloaded resource and a leading source of board-level guidance on cybersecurity in Australia. In November 2024, the AICD and CSCRC released an extensive update to the Principles to ensure it remains a key source of governance guidance on cybersecurity in Australia.
During an AICD webinar discussion to launch the updated Principles in December 2024, AICD Head of Policy Christian Gergis GAICD said the update reflects the growing complexity of cyber risks facing Australian organisations and gives directors expanded guidance on areas including digital supply chain security, data governance and preparing for and responding effectively to a significant cyber event. “We’re seeing an emergence of different sorts of AI-enabled cyber threats, which organisations should be aware of, but there are [still] a lot of the same threats,” said CSCRC CEO Rachael Falk MAICD.
The list includes ransomware demands, business email compromise, email-based identity fraud and software vulnerabilities. Within 24 hours of these vulnerabilities becoming public, they’re exploited by threat actors, and some organisations can take up to two years to patch them, she said.
Given that it is a matter of “when” it will happen, not “if”, Victoria Weekes FAICD, non-executive director at Bendigo and Adelaide Bank, said boards have to document a response plan, practise it and learn from the simulations. It pays to include a level of detail in the response plan. “In particular, the roles and responsibilities among the management teams, but also the board,” said Weekes. “It’s the board’s role to make sure these things are in place and to know when to get out of the way. The last thing you want is the board being one of those interested third parties constantly wanting information when the organisation is trying to come to terms with an issue.”
Remember that people are involved and all working hard. Look after them. Ensure the business has back-up teams and build those relationships so they can step up to help in a crisis.
Potential weakness
“The attackers are really clever,” said Weekes. “They will hit the weakest link, and often a third party is a weak link into an organisation. Having good oversight is essential. If you’ve been around a long time, you will have a lot of legacy systems. Systematically going through and working out what’s right for today is important.”
Data is at the heart of how damaging cyber events can be. So much damage can be done to customers, depending on what data attackers can access. “If you don’t know what data you have in your organisation, when an event happens you have great difficulties,” stressed Weekes. “Know what customer data you have, why you’re keeping it, how long you keep it for, when you review it and when you get rid of it.”
Processes around data governance should remain dynamic. Never set and forget, because something that might have been low-risk previously can suddenly become high-risk. However, trying to solve all risks at once is unrealistic, said Ventia Services Group chair David Moffatt MAICD, who advises organisations to develop a holistic and multi-year cyber improvement program.
“Prioritise risk and think about clear obligations and how management will be held accountable for where you’re up to in terms of your risk exposures and how you might mitigate those in the future,” said Moffatt.
SMEs & NFPs
The suite of Principles resources includes a checklist for SME and NFP directors. Falk said it was about having the right policies in place, having a cyber strategy, but also investing in tools and educating people on being cyber aware. The obligations of a director are the same whether you serve a big, small, listed or unlisted organisation.
“You’re still responsible for the assets of the company — and for what happens,” said Falk. “Small organisations and NFPs are often hit with ransomware and business email compromise. They pay because there is no easy way out for them. They can be completely tied up while trying to get out of a serious incident, which means they simply can’t operate. So it’s important to pay attention.”
Weekes said cybersecurity awareness training should be mandatory. “Vulnerabilities are often obvious and can be detected before they become a problem. There are fantastic online courses available for NFPs and SMEs. I’d recommend every board says, ‘We need everyone to do this and keep refreshing it’, because the game keeps changing.”
Andrew Penn AO, chair of the federal government’s Expert Advisory Board on Cyber Security Strategy, has developed a four-point framework (see below) as a practical way for boards to approach cybersecurity governance and build cybersecurity resilience. The framework is included in detail in the updated Principles.
Critical vulnerabilities
More generally, all organisations need to know what is effective and useful. “You’ve got to understand your critical vulnerabilities,” said Moffatt. “You’ve got to be able to measure against those, and you’ve got to put targets against it.”
Use practical things the board can monitor. A tally of how much money has been spent can be difficult to make sense of. “However, if you can see the exception reporting, then you can do something about it,” he said. “Those very practical measures can be a means of giving you a red flag you can then investigate.”
Data storage is another potential weakness and organisations should understand where data is stored, in what jurisdiction and who has access. “You may want a far more robust and secure solution for a particular type of data,” said Falk. “It is really important to do that due diligence around what kind of data you outsource and why, but importantly, who can get access to it.”
Having data in Australia doesn’t make it inherently safer, she continued. “The internet can be hacked. It’s more around what kind of data you’re placing where, for what purpose, and how you can discharge your obligations. Whatever you’re doing now, large or small organisations, do more. Focus on constantly improving, because the criminals are constantly improving. I’m not sure we can ever get ahead, but we have to keep up.”
This is an edited version of an AICD webinar held in December 2024.
In the frame: A four-point framework for cybersecurity governance and resilience by Andrew Penn AO.
- You cannot protect what you do not know you have
- Not all digital assets are equal, but they are all defendable
- The worst time to develop a crisis management plan is mid-crisis
- What is safe today may not be safe tomorrow
Incident Response Case Study: Ventia Services Group
What began as an unprompted cursor moving on a screen quickly escalated into a full-blown cyber incident for Australian critical infrastructure partner and service provider Ventia Services Group Ltd in July 2023. From the moment the anomaly was noticed by an observant employee, it was all systems go, according to Ventia chair David Moffatt MAICD, also chair of Apollo Global Management Australia and New Zealand.
“Our CEO was overseas, I was overseas and our new CIO was in her first few days on the job,” said Moffatt. “We both returned immediately, but were in a state of flux, and it became evident we had to rally people from multiple locations to deal with this live threat. We quickly made the decision to shut down access to all our systems. This was a risk-based decision we took to prevent the attackers from getting further into our systems, and also a trust-based decision, because to shut down our systems also meant pivoting to manual. We acted quickly and decisively, and as a result, were able to keep the threat out.”
The decision was guided by Ventia’s role as a key partner and service provider to critical government functions and private sector infrastructure owners, and its organisational value to the security of these clients and the broader community was paramount.
Moffatt added that moving to a secure messaging platform and manual operating model relied not only on the courage of management, endorsed and supported by the board, but also on the trust and support of its employees. Close collaboration and alignment between the executive and the board was also pivotal to Ventia’s response, which he described as “not a two-step governance process, but an integrated process”.
He noted that from the outset, transparency with government, clients, employees and other key stakeholders was fundamental to Ventia’s incident response approach. “Transparency can’t be overstated in terms of the trust you build with all of the organisations you’re working with. The trusted relationships with our customers, and ultimately their support, was fundamental to us successfully managing the scenario. We made the call, with limited information, to be totally transparent with the world at large, to say we were under attack. We put that on our website so everybody knew... and said we would periodically update this information.”
While Ventia was able to keep threat actors out of its systems as a result of its fast response, one thing the company had underestimated was the time it took to reconnect and recover following the incident. There was also an over-reliance on too small a group of people to return operations to business as usual. The human impact of these events on employees was significant.
As a result, Ventia has taken steps to implement new recovery procedures and processes, including appropriate employee support and resourcing. It has also implemented a multi-year strategy to maintain and uplift its cybersecurity posture, which includes substantial operational and capital expenditure on cybersecurity controls.
Case study excerpted from the updated Principles (November 2024).
This article first appeared under the headline ‘Keeping your cyber safe’ in the February 2025 issue of Company Director magazine.
Practice resources — supporting good governance
Examples of the AICD’s contemporary governance practice resources for members:
Cybersecurity
- Cyber Security Governance Principles — Version 2
- Principles Snapshot
- Principles Checklist for SME and NFP Directors