The Optus cyber attack and the Cyber Security Governance Principles

Monday, 17 October 2022

By Simon Mitchell,
AICD senior policy adviser, Governance and Policy Leadership

    The Optus cyber attack is a stark reminder of the profound threat that cyber security breaches pose to Australian organisations of all sizes. The fallout from the incident demonstrates why cyber security risk is consistently the number one issue keeping directors awake at night in the AICD’s Director Sentiment Index results.

    To assist directors to grapple with and respond to cyber risk, the AICD and the Cyber Security Cooperative Research Centre (CSCRC) have partnered to produce the Cyber Security Governance Principles.


    The regulatory response to the Optus attack 

    While details are still emerging, the Optus cyber attack and data breach have resulted in intense public and political scrutiny of the cyber security and data handling practices of Australian organisations.

    The Office of the Information Commissioner (OAIC) has launched an investigation into the breach. Separately, the government has said it will pursue law reform to drive improvements in how Australian businesses collect, protect and dispose of the data they hold.

    The Government, via the Attorney General, has signalled it will utilise reforms to the Privacy Act to strengthen obligations on businesses in data governance and management. This strategy has the advantage that the Privacy Act was already subject to an extensive review that was initiated by the previous Government. Our expectation is that the government may examine Privacy Act reforms in the following areas:

    • strengthening penalties for data breaches;
    • increasing the resources, enforcement and investigation powers of the OAIC;
    • enhancing data protection obligations, including data retention principles and ensuring businesses only collect necessary customer information; and
    • enhancing individual rights, including potentially the ‘right to be forgotten’ and a direct right of action or statutory tort for privacy.

    Separate from the Privacy Act, the government may also look at new reporting or notification requirements for ransomware incidents. 

    The Optus breach appears likely to be a watershed moment for cyber security and data management practices in Australia. It demonstrates to directors that organisations of all sizes need to be building their cyber resilience and that directors personally need to uplift their understanding and set a tone from the top. This is a key message of the Cyber Security Governance Principles, outlined below. 

    Cyber Security Governance Principles 

    We are pleased to have collaborated with the Cyber Security Cooperative Research Centre to produce the Cyber Security Governance Principles (the Principles). 

    We will be publishing the Principles this coming Friday 21 October, with a virtual launch event on LinkedIn on Monday 24 October at 1pm (details below).

    AICD members have consistently noted that while cyber resilience is a central consideration of boards, there is ongoing uncertainty and complexity around understanding governance best practice and existing regulatory obligations. This has been a barrier to directors engaging comprehensively and in an informed way with management on cyber security risk. The Principles seek to assist directors to overcome this barrier and to promote a culture of cyber resilience throughout their organisations.

    In addition to how customer data is managed, the Optus breach has revealed how organisations of all sizes need to be prepared for the unfortunate reality that they will likely experience a significant cyber security incident.

    The Principles strongly convey that directors should be engaging with management to prepare a comprehensive response plan that includes how the organisation will communicate with impacted customers and stakeholders in the event of a significant cyber or data theft incident. 

    The damage that a ransomware event can inflict on an organisation is brought to life in the Principles through a case study from John Mullen AO (Chair, Telstra) on the Toll cyber attack in 2020. 

    The Principles have been informed by extensive consultation with government, industry experts and the director community, and provide a clear governance framework for board oversight of cyber security risk.

    For our not-for-profit and SME members, we have also produced an accompanying director checklist which provides a simple set of low-cost steps a board and their organisations can take. Separately, there will also be a three-page Snapshot of the Principles. 

    LinkedIn Live Event – 24 October at 1pm 

    To mark the launch of the Principles, we are hosting a LinkedIn Live virtual event on Monday, 24 October. 

    The event will feature a panel discussion with John Mullen AO (Chair Telstra, Brambles), Melinda Conrad FAICD (Director ASX, Stockland) and Rachael Falk (CEO CSCRC) reflecting on the Principles and their observations of cyber security governance practices.

    Members can register for the event here.
