The AICD and the Cyber Security Cooperative Research Centre have collaborated to produce a practical guide on effective board oversight of cyber governance.

    Cybersecurity is consistently cited as the number-one issue that is keeping Australian directors awake at night, according to the AICD’s Director Sentiment Index surveys. This is unsurprising, given the expanding scale and value of many organisations’ digital assets and the rising prevalence and sophistication of cyberattacks.

    A cyberattack was reported every eight minutes to the Australian Cyber Security Centre (ACSC) in the 2020–21 financial year, representing a 13 per cent increase on the previous year.

    One of the biggest cyberattacks in Australian history occurred in September, when up to 10 million Optus customers may have had their data stolen or compromised. The ACSC says there is every reason to expect attacks of a similar scale and severity will continue to occur, despite organisations’ best efforts.

    To help directors proactively guard against the threat, the AICD and the Cyber Security Cooperative Research Centre (CSCRC) have developed a practical framework for directors to build organisational cyber resilience. The five cybersecurity governance principles each represent an aspect of cybersecurity that requires board-level attention and oversight.

    The principles draw on established risk governance frameworks as well as expertise from regulators, cybersecurity experts, senior directors and government agencies.

    “It is very readable,” says John Green FAICD, an adviser on the publication, and a director of Challenger and CSCRC. “It’s in super-simple English and any jargon is explained. It identifies things that big companies may need to do and what smaller companies and not-for-profits should do, because the risks and available resources are quite different.”

    Case studies and practical tips for directors are sprinkled throughout, along with governance red flags to watch out for. There is a two-page summary for directors of SMEs and NFPs, and a three-page snapshot of the entire guide. It is a “living” document that will be updated regularly as necessary.

    Consistent market feedback is that directors are highly motivated to deal with the issue of cybersecurity, but up until now, have lacked the practical resources to do so.

    Principle 1

    Set clear roles and responsibilities

    The board needs to identify specific individuals within the organisation who are responsible for the various components of cybersecurity management, including the role of external parties. For example, even when an organisation is deferring to external legal counsel or an insurer, the board must be consulted throughout.

    Having a plan in place around how the board will work with management and external consultants in the event of a significant incident can significantly reduce the potential for miscommunication during a critical time.

    Hiring external experts is far preferable to limiting a cybersecurity strategy to in-house knowledge, says Green. However, knowing how to select external parties and work with them effectively is critical.

    “The key thing is getting the right expert for the right problem, and finding experts who have the experience you need rather than people who might be learning on the job with you,” he says.

    “You want people who’ve been in the wars. I would be asking them at the end of any discussion, ‘If you were sitting in my shoes as a director, what would you be doing right now that we are not doing, or what questions would you be asking that we haven’t asked?’ They’re pretty open questions that can sometimes get you surprising and useful answers.”

    The board must also explicitly set out their own responsibilities in preventing and responding to a cybersecurity incident. “Without clear roles set out prior to an incident, confusion ensues,” says CSCRC head Rachael Falk MAICD. “Defining clear roles is a foundational component of building effective cyber resilience.”

    Principle 2

    Develop, implement and evolve a comprehensive cyber strategy

    A key part of a comprehensive cyber strategy is identifying an organisation’s key digital assets and data and who is responsible for them. The strategy will also identify potential risks associated with third party suppliers. The guidance makes clear that a cyber strategy is a forward-looking tool to building cyber resilience, and part of that involves identifying existing weaknesses. A regular stocktake of the data that organisations hold is also cited as crucial.

    One of the major issues with cybersecurity is that the risk is asymmetric, says Green. This means that those with a malicious intent must be kept away from an organisation’s data all the time — one crack in the system at a single point in time still constitutes a major risk. A cyber strategy must therefore acknowledge all the potential weaknesses.

    “The risk of a cyberattack is probably much greater than most people assume,” he says. “For example, if one person in your organisation doesn’t update the software on their computer, they’re potentially exposing the organisation to a risk. How do you deal with that, and how do you improve and get them to improve?”

    Green notes that this is particularly challenging for smaller organisations, because larger organisations typically have access to automated solutions to cover many potential areas of risk.

    “When developing a strategy, it can be helpful to think about what your worst nightmare might be in a cybersecurity sense, and then set up a mock attack in real time,” he says. “See what your response should be — both from management and the board. How would you deal with it on a timely basis?”

    Principle 3

    Embed cybersecurity in existing risk management practices

    Cyber risk is an operational risk that fits within an organisation’s existing approach to risk management. It should be embedded rather than separated off to one side. However, it is not a static risk, points out Melinda Conrad FAICD, who provided a case study for the Principles.

    “The cyber threat environment is dynamic and constantly evolving, often at a much faster pace than other operational risks an organisation faces,” says Conrad, who is director of ASX, Ampol Australia, Stockland, Penten and the Centre for Independent Studies. “It is for this reason that oversight of cyber risk warrants an elevated focus by the board, and directors should be continuously looking for ways to uplift their skills and knowledge and identify where external help may be needed.”

    The guide recommends applying the tools that are utilised for other risk settings to cyber risks, along with oversight by the risk committee in large organisations. Demystifying the topic is also key, with directors needing to ask for management reports that are easily decipherable and not filled with technical jargon.

    Principle 4

    Promote a culture of cyber resilience

    The behavioural element of cyber risk is a crucial component of cyber resilience, and it starts with the board. Regular and relevant training is essential, including specific training for directors, and simulation and penetration exercises. It can mean the difference between a staff member spotting a phishing email and reporting it, or falling for it and compromising sensitive data.

    “A truly cyber-resilient culture begins with the board and flows through the organisation,” says Falk. “In short, culture is everything in an organisation. When the board and the CEO actively promote culture, it is incredibly powerful.”

    The benefits of the right cyber governance and incentives are twofold — the workforce understands how to respect cybersecurity to protect customer data, and if something goes wrong, there’s a culture of reporting.

    Principle 5

    Plan for a significant cybersecurity incident

    Even with the best defences, the sheer scale of cybercrime today means it is more of a question of when, not if a cyberattack will occur. This applies to organisations of all sizes and in all industries. “No-one is immune to a cybersecurity event,” says Falk. “If you’re running a system that’s connected to the internet, then your organisation shares this collective risk and challenge.”

    Proactive preparation is vital to being able to contain the ramifications of data being compromised. There are immediate issues to be addressed, as well as communicating in a timely and effective manner with employees, customers and regulators. This principle underscores that a transparent approach to communications is critical in mitigating reputational damage and allowing for an effective recovery.

    “Know well ahead of time who your communications advisers, incident responders and external legal counsel are going to be,” says Falk. “There’s a saying that you should never exchange business cards in a crisis. Always have this in place beforehand so that you’re not doing the key elements of mitigating during the actual incident as it’s unfolding.”

    It also cannot be a set-and-forget exercise. Plans need to be regularly revisited and refreshed, because threats are continuously evolving and directors and key personnel are likely to change over time.

    Many organisations prepare for a cyber incident by having third-party providers test and practise their systems with simulation exercises. This can help assess whether the processes in place under the response plan are appropriate, and provide the opportunity to fine-tune them. Such rehearsals also allow directors to become familiar with their oversight responsibilities and identify areas for improvement.

    It is vital for directors to obtain independent oversight on a regular basis, says former chair of Toll Group and current Telstra chair John Mullen AO, who appears as a case study in the Principles.

    “It needs to be regular,” he says. “You don’t say, ‘We’re not going to do an audit this year, we did that last year’. You wouldn’t do that with finances. You need to systematise [cyber] as well.”

    Building cyber resilience

    Promoting and incentivising a culture of cyber resilience across an organisation, starting with senior management and the board, is fundamental, says AICD MD and CEO Mark Rigotti MAICD. Many significant cyber incidents are the result of human error. Addressing this, including through regular mandatory training, is key to building cyber resilience.

    Progress towards cybersecurity

    It’s important for government and industry to take the lessons of Optus and other serious cyber incidents and use them to strengthen our collective hand. Combating this common enemy requires us to collaborate and we can all learn from each other.

    We don’t want to create a situation where cyber resilience is used as a form of competitive advantage with people guarding their insights. Rather, there is an opportunity to cooperate and build resilience. We see our Principles as an important contribution to building this collective wisdom.

    Cyber upskilling for directors

    It may not be necessary or desirable for an organisation to appoint a specific director to the board with cyber skills — the director skill set must be a broad one. However, as with other risks, all directors have collective accountability and should be considering how they can improve their knowledge of cybersecurity, including undertaking training and participating in simulation exercises.

    Our work on the Principles has found that external experts can play a key role in assisting a board in its oversight function, particularly in providing assurance on cyber risk controls and assistance in the event of a significant cyber incident. But it’s not realistic to have a cyber expert on every board, and it’s more important to lift the collective capability of the director community.

    Lessons from the Optus data breach

    The Optus data theft serves as a reminder to all directors and businesses of the significant threats posed by cybersecurity incidents — not just the financial costs associated with remediation and recovery, but also reputational damage. More importantly, customers have now been exposed to identity theft and personal fraud risks. Organisations are the custodians of their customers’ data and need to make its protection the highest priority.

    We heard consistently that planning for a significant cyber incident is critical, and should involve both management and board, and encompass how the business will communicate with impacted customers, employees and stakeholders.

    Even the best-prepared organisations can be breached, so they need a holistic plan to prepare for, respond to and learn from a significant incident. Our Principles provide this framework.

    Developing the cyber governance principles

    The development of the Principles over the past six months has been based on significant research and extensive consultation with senior directors, government, key regulators and cybersecurity experts. A consistent message from our senior directors was that leaders of organisations of all sizes need to be alive to the significant risks of cybersecurity and the potential for an incident to cripple a business’ operations and reputation.

    Directors are conscious of the need to set the tone from the top in promoting a cyber-resilient culture and probing and challenging management on risk controls. They’re aware that complacency is the enemy and are focused on building greater resilience within their organisations.

    Under attack

    In September, Optus revealed it had been the subject of a massive data breach, with nearly 10 million customer accounts exposed. As one of the largest cyberattacks in Australian history, this could prompt a review of consumer data privacy laws. Experts weigh in on the lessons in crisis communications it provides.

    The fallout for Optus following the massive cyberattack in September has been swift and severe. In early October, the Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority announced coordinated investigations of the data breach.

    If Optus is found to have breached the Privacy Act, the OAIC has the authority to order Optus to pay compensation to customers.

    While cyberattacks can be successfully waged despite the most concerted efforts by organisations to protect themselves, it is worth noting from a communications perspective that missteps were made from the outset.

    “The optics of coming out quickly with news of the breach was important,” says John Green FAICD, a director of Challenger and the Cyber Security Cooperative Research Centre (CSCRC). “However, the issue about coming out quickly is that you can’t possibly know everything at that point, other than that someone has access to a lot of important customer data.”

    When Optus CEO Kelly Bayer Rosmarin GAICD issued the first public news of the cyberattack, she attributed it to the work of “sophisticated criminals.” A few days later, this was challenged by Minister for Cyber Security Clare O’Neil, who described it as a “basic” attempt. She added that had the “window been left open” in many other jurisdictions, a breach of a similar size would warrant fines amounting to hundreds of millions of dollars.

    Be customer-centric

    A preferable approach would have been more customer-centric from the start, says Liza-Jayne Loch MAICD, CEO of reputation management agency Alpha Consult. “Never come out in a crisis with absolute statements. Instead, inform your customer base by saying something like, ‘This has happened. We’re very sorry. We don’t yet know how, and we’re investigating it with all the resources we can muster, both internal and external. As more information comes to light, we will update you.’”

    “Cyber breaches are like climate-induced natural disasters in that they are not only increasingly likely and frequent, they’re inevitable,” says Loch. “The language used in that first release was a bit like a bank putting out a statement after a robbery that said, ‘We’re very upset and disappointed to discover the money kept in our safe has been stolen.’”

    The friction with the government may also potentially have been avoided if Optus had engaged with it at greater speed. “In the wake of a cyberattack, speak to your key stakeholders before the media does, so they have time to prepare their responses and understand what’s going on,” says Loch.

    Companies facing a cyberattack should prepare a webpage with FAQs, along with social media posts, a hotline and an email service for customer queries. Optus possibly placed overemphasis on customers seeking out information on its website, rather than providing personalised information directly to them and supplying information across the various channels they might use.

    “The website should be reinforcement, not the primary communication channel,” says Loch, adding that there was also a lack of transparency regarding the stolen data. There was confusion over the categories of information accessed by the cybercriminals and which customers were affected and contacted.

    Stigma is counterproductive

    CSCRC CEO Rachael Falk has been critical of the “data gluttony” that Optus and other corporates demonstrate by accumulating masses of personal data without a demonstrable business case or adequate measures to protect privacy. However, she also believes that the stigma and shame that appears to go hand-in-hand with cyberattacks serves no useful purpose and only dissuades companies from reporting such attacks. It is mandatory for attacks on critical infrastructure services to be reported and ransomware in particular is under-reported in Australia.

    “There shouldn’t be any stigma or shame around reporting,” says Falk. “Reporting is vital so that stakeholders have an opportunity to potentially seek preventative measures and so that expert assistance can be provided from government bodies such as the Australian Cyber Security Centre as quickly as possible.”

    Companies concealing a breach can do more brand damage if the facts are later uncovered.

    Green also stresses that some of the mudslinging directed at Optus and other companies that have been attacked places those at the helm under additional stress.

    “Any organisation, large or small, can be the victim of a cyberattack — the risks are much higher than many people think. It doesn’t necessarily mean the organisation, its CEO or board are incompetent. By taking the stigma out of being attacked, we’ll encourage early disclosure, resolute defence work and strong cooperation with relevant government bodies.”

    Green adds that while it is easy for third parties to grandstand in these situations, many people discount the high-pressure nature of a crisis, when decisions have to be made more quickly than usual and there isn’t necessarily time to consider all the countervailing issues.

    “Judgement calls will be made, and sometimes they may turn out to be the wrong calls. We need to create a more respectful, thoughtful environment, which accepts that judgements made in good faith can end up being wrong.”
