Following a spate of high-profile cyber-attacks, the Federal Government has set a target for Australia to become the most cyber secure nation by 2030. However, according to Apple, Australia is one of the top four countries for cyber-attacks – behind the US, the UK and Canada.
With the government playing an increasingly proactive, and prominent role in cybersecurity, the Office of the Australian Information Commissioner (OAIC) taking a more aggressive approach, and the threat of business leaders being held personally liable in the event of a breach, now is the time for company board directors to follow suit and play a proactive role – but what does this really mean and where should they start?
What Questions Do the Board Need to Be Asking?
We are moving towards a threat and risk environment which requires greater leadership at board and leadership levels and demands a culture of continuous improvement. Now is the time for businesses in Australia, at a board level, to demand more accountability, due diligence and proactive measures to ensure organisations are secure from an IT perspective and that any security that relates to digital infrastructure is included in the safeguarding process.
Regulators expect boards to have the same level of confidence when overseeing cyber risk as with any business risk. In order to adequately understand, assess and challenge cyber and information security issues they need to ask the right questions. This includes understanding how the organisation is monitoring the changing cyber threat and regulatory landscape and the business’ ability to prevent, respond and keep pace with change. They also need to understand how the business is stress testing the right threats and how capable, confident, and ready to react the whole chain of response is, alongside how the business would communicate with stakeholders, in the event of a breach.
Boards need to be conversant with their data assets and risks and should seek out briefings from outside technical and legal experts if they are not deep experts themselves.
Ensuring Sufficient Financial Investment
Robust cybersecurity requires a greater level of investment into robust security measures. With the stakes being higher than ever, it is essential to ensure the adequate level of investment is in place.
Last year, the OAIC filed a case in the Federal Court against ASX-listed Australian Clinical Labs (ACL) for failing to protect sensitive financial and health data. The OAIC highlighted that ACL had revenue of almost $1B in FY22, but only had $350K allocated for cybersecurity and argued this level of spend is completely insufficient given ACL’s turnover and the amount of sensitive data it handles.
The case highlights that there is such a thing as “too little spend”, and that, from a legal risk perspective, the adequacy of cybersecurity spend may be quantified in this way in future legal actions.
Ensuring the Right People Are In Place
The digital landscape is moving at a faster pace than ever before and the board needs to continually remain ahead of the evolving landscape. Although cybersecurity has evolved beyond the remit of IT, it is critical to have an experienced and responsive CISO in place with the ability to speak to the business, translate cyber risk into material financial and business terms and impacts to make a case for adequate investment and drive the digital maturity of the business.
Research from Gartner found that by 2027, 75% of employees will acquire, modify or create technology outside the visibility of the IT department, up from 41% in 2022. This demonstrates the real need for CISOs to develop processes that enable risk-based decisions while protecting against security threats and preventing data breaches and other cybersecurity events, to ensure that areas outside of the IT department’s visibility are fully protected, at all times.
Working With Your External Legal Counsel
Traditionally, a business would look to instruct its legal counsel only once it had fallen victim to a serious cyber-attack or data breach. However, given the growing threat landscape and the potential for company directors to face personal liability, Australian businesses are increasingly reducing their risk appetite for cyber risks. The board and C-suite need to take a more strategic legal view of how the organisation controls its cyber posture and ensure that its cyber prevention strategies are robust and defensible. Businesses today are required to move towards a considered and strategic approach to managing their cyber legal risks.
While a great deal of the preparatory work required to reduce the legal risk associated with a cybersecurity incident is covered by existing cybersecurity best practices, there are a few considerations that can be overlooked when those efforts are not specifically focused on legal risk. Ensuring that incident response processes, contractual agreements and governance structures are tuned to limit the risk of successful legal action by increasingly litigious regulatory authorities and customers helps safeguard the ongoing success of the business, while maintaining on-call access to forensic specialists enables appropriate legal action against malicious threats.
Involving external legal counsel, and working with your internal counsel, in the organisation’s cybersecurity maturity journey is a cornerstone component of a considered risk management approach, and the importance of such involvement will increase with time in light of the general regulatory trends Australia finds itself in.
Ultimately, the playing field around how businesses should operate around cybersecurity has dramatically changed in the past year. Leaving cybersecurity as the responsibility of the IT department or technology vendor is no longer adequate from a liability perspective. A holistic, cross-organisational approach to prevention, preparation and response is now not only expected but essential and this commands attention and decisions from the top.
A robust cybersecurity strategy is no longer reliant on buying ‘lift-and-shift’ security solutions. Instead, boards need to ensure that they are aware of the ever-evolving risks that exist, take advice to ensure they understand them, and ensure that spend is optimised across the business to deliver the best business outcomes in the event of a cyber-attack. After all, it’s not a question of whether your business will be targeted but whether it is capable of quickly identifying an attack and responding, at speed, to localise and mitigate the impact and reduce the potential for financial and reputational damage.