
Cyber risk management at a board and director level is not only a top-of-mind concern but also a duty of responsibility and potential liability. To support the accountability of directors for cyber security and diligence, a guide, Cyber Security Governance Principles, has been established to provide a framework for directors to fulfil their duties and obligations in governing and building an organisation's cyber resilience.

The Cyber Security Governance Principles have been developed through a partnership between the Australian Institute of Company Directors (AICD) and the Cyber Security Cooperative Research Centre (CSCRC) in consultation with senior directors, experts in cyber security, regulators and government agencies, and are designed to prompt directors to:

  • be alert to cyber risks
  • maintain strong oversight of organisational cyber security risk management
  • be vigilant about the management of cyber resilience
  • be well prepared in the event of a significant cyber incident.

The starting point for boards is to set the agenda for promoting a cyber resilience culture from a top-down senior management position.

Snapshot of the 5 key cyber security governance principles

Principle 1. Set clear roles and responsibilities

Defining clear roles and responsibilities is fundamental to building effective cyber resilience.

Comprehensive and clear board reporting is critical to boards being able to assess the resilience of their organisation and should include engagement with management and updates on emerging trends.

External experts can play a role in providing advice to directors and identifying areas for improvement.

Watch outs: red flags

  • Cyber risk and cyber strategy not being included on board agendas.
  • Chair and board not annually reviewing skills to ensure that directors have a minimum understanding of cyber security risk.
  • Board reporting on cyber risk is hard to digest, uses excessive jargon and places reliance predominantly on technical solutions.
  • Limited or no external review of cyber risk controls and strategy.
  • No clear lines of management responsibility for cyber security.

Principle 2. Develop, implement and evolve a comprehensive cyber strategy

Proactively overseen by the board, a cyber strategy can enable a business to identify opportunities to build cyber resilience.

Identifying the key digital assets and data of an organisation, including who has access to these, is central to understanding and enhancing cyber security capability.

A robust cyber strategy should take into account the importance, and potential risks, associated with third party suppliers.

Watch outs: red flags

  • Lack of formal documentation of the organisation's approach to cyber security.
  • Limited understanding of the location of key digital assets and data, who has access to them and how they are protected.
  • The cyber strategy and risk controls are not subject to internal and external evaluation and periodic updates in response to evolving threats.
  • Lack of a data governance framework to guide how data is collected, held, protected and ultimately disposed of.

Principle 3. Embed cyber security in existing risk management practices

Cyber security is an operational risk within an organisation's existing approach to risk management.

While cyber risk cannot be completely eradicated, there are a number of accessible and low-cost controls that all organisations can use.

The board should regularly assess the effectiveness of cyber controls against changes in the threat environment, technology developments and the organisation's capabilities.

Watch outs: red flags

  • Cyber security risk not being reflected in existing risk management frameworks.
  • Management confidence that cyber security controls remain effective without regular external validation.
  • Over-reliance on the cyber security controls of digital service providers, such as cloud software platforms.
  • When the cyber security controls of potential vendors are not assessed in the procurement process for key goods and services.
  • Prolonged vacancies in key cyber management roles.

Principle 4. Promote a culture of cyber resilience

A business's board level cyber strategy provides a basis for building cyber resilience.

Regular, engaging and relevant training is key to promoting a cyber resilient culture and should include specific training for directors.

Incentivise and promote strong cyber security practices, including participation in phishing testing and penetration exercises.

Watch outs: red flags

  • Board and executives do not undertake cyber security education nor participate in testing.
  • Cyber security is not reflected in the role statements and KPIs of key leaders.
  • Communication from leaders does not reinforce the importance of cyber resilience to staff (cyber is seen as an issue only for frontline staff to manage).
  • There is a culture of exceptions or workarounds for board and management with respect to cyber hygiene and resilience.

Principle 5. Plan for a significant cyber security incident

Directors should proactively prepare and plan for a significant cyber incident to develop a formalised response plan.

Communication with all key stakeholders in a significant cyber incident is critical to mitigating reputational damage and enabling an effective recovery.

Simulation exercises and scenario testing are key tools for the board and senior management to understand roles and responsibilities, and in testing the cyber incident response plan.

Watch outs: red flags

  • The board and senior staff have not undertaken scenario testing or incident simulations to test the response plan.
  • Likely scenarios and consequences are undocumented and learnings from simulations are not being captured.
  • It is not clear how communications with key stakeholders should be managed in the event of an incident.
  • No post-incident review with board and management.

Refer to the Cyber Security Governance Principles guide for detailed advice and considerations around these principles and to leverage this framework to establish best practice management of cyber security governance for boards and directors.

Top 10 Questions for directors to test confidence in cyber security governance practices

Cyber Security Governance ‒ a guide for business boards and directors

The role of cyber insurance in supporting cyber threat readiness

In the event of a cyber attack a robust cyber insurance policy provides access to experts not only in negotiation but also forensic investigation, remediation measures, as well as cover for the legal and reputational costs involved.

How Gallagher can help

Gallagher cyber insurance and risk specialists provide support to businesses of all sizes and industries in facing cyber risks. In addition to cyber insurance protection Gallagher offers expertise, advice and resources for building business resilience to withstand cyber security incidents.


Disclaimer

Gallagher provides insurance, risk management and benefits consulting services for clients in response to both known and unknown risk exposures. When providing analysis and recommendations regarding potential insurance coverage, potential claims and/or operational strategy in response to national emergencies (including health crises), we do so from an insurance and/or risk management perspective, and offer broad information about risk mitigation, loss control strategy and potential claim exposures. We have prepared this commentary and other news alerts for general information purposes only and the material is not intended to be, nor should it be interpreted as, legal or client-specific risk management advice. General insurance descriptions contained herein do not include complete insurance policy definitions, terms and/or conditions, and should not be relied on for coverage interpretation. The information may not include current governmental or insurance developments, is provided without knowledge of the individual recipient's industry or specific business or coverage circumstances, and in no way reflects or promises to provide insurance coverage outcomes that only insurance carriers control.

Gallagher publications may contain links to non-Gallagher websites that are created and controlled by other organisations. We claim no responsibility for the content of any linked website, or any link contained therein. The inclusion of any link does not imply endorsement by Gallagher, as we have no responsibility for information referenced in material owned and controlled by other parties. Gallagher strongly encourages you to review any separate terms of use and privacy policies governing use of these third party websites and resources.

Insurance brokerage and related services to be provided by Arthur J. Gallagher & Co (Aus) Limited (ABN 34 005 543 920). Australian Financial Services License (AFSL) No. 238312