Increased use of technology is a key source of competitive advantage, but it is also a key driver of cyber risk. An organisation that hesitates to protect its information assets will likely fall behind its competitors. However, those organisations that find better ways to manage cyber risk can power performance and increase competitiveness through digital transformation.
The technology platforms that create business opportunities are also creating business vulnerability.
Responding effectively to technology vulnerabilities is critical, but technology solutions alone are unlikely to be sufficient to effectively address the challenges of operating in a hyperconnected digital economy. Organisations must take a whole-of-business approach that addresses cybersecurity and cyber resilience from the top down and embeds a cyber resilient culture within the organisation.
Responsibilities for Boards
In its Cyber Resilience Report (Report 429: Cyber Resilience – Health Check), ASIC clarified that the obligation on company directors and officers to discharge their duties with care and diligence extends to cyber security and cyber resiliency. ASIC considers that effective corporate governance involves active engagement by directors individually and as a board in managing cyber risks. Directors’ duties now include an obligation to ensure appropriate commitment to cyber resilience in an organisation’s corporate governance regime. Directors face personal liability for failing to foster appropriate cyber resilience within their organisation.
While the business impacts and risks associated with cyber-incidents continue to grow, it can be difficult for directors and the board to know where to start in discharging their cyber resilience duties. ASIC has indicated that it expects directors to specifically consider:
- How cyber risks impact on directors’ duties and annual directors’ report disclosure requirements;
- Whether they have appropriate board-level oversight of cyber risks and cyber resilience; and
- Whether a consideration of cyber risks has been incorporated into the organisation’s governance and risk management practices, controls and measures for managing those risks.
Appropriate Board Commitment to Cyber Resilience
Leadership plays a vital role in securing organisational resilience generally and in the context of an organisation’s ability to effectively deal with cyber challenges. Leaders need a mindset that goes beyond technology and cybersecurity measures to build a more effective cyber resilience strategy. So, how does the board create an organisational mindset to effectively meet cyber challenges and maintain appropriate oversight on cyber resilience?
The World Economic Forum recently released its best practice principles below to guide directors on how to effectively integrate cyber resilience into business strategies in a manner that will allow their organisations to innovate and grow securely and sustainably in the digital economy.
Cyber Resilience Best Practice Board Principles – World Economic Forum
1. Responsibility for Cyber Resilience
The ultimate responsibility for, and oversight of, cyber risk and resilience rests with the board of directors. The board must commission the design of an appropriate Board Cyber Resilience Framework that will assist it in conducting its own cyber risk assessment.
2. Build Board Knowledge
Board members should receive cyber resilience training upon joining the board and should be regularly updated on the threat environment and the trends in cybersecurity. Independent external experts should be consulted to advise and assist the board as requested.
3. Accountability Officer
The board must ensure that there is one corporate officer accountable for reporting on the organisation’s cyber resiliency, including the organisation’s capabilities to manage cyber resilience and its progress in implementing cyber resilience goals. The board should ensure that the Accountability Officer has regular board access, sufficient authority, command of the subject matter, and the necessary experience and resources to discharge this duty.
It is essential for the board to ensure that cyber resilience and cyber risk assessments are integrated with its organisation’s overall business strategy, risk-management, budgeting and resource allocation.
5. Risk Appetite
The board should annually define and quantify its organisational risk tolerance relative to cyber security and resilience. The board is responsible for ensuring that the annual risk tolerance assessment is consistent with the organisation’s strategy and risk appetite. The board should ensure that it is informed of current and future risk exposure as well as regulatory requirements and industry/societal benchmarks for risk appetite.
6. Risk Assessment and Reporting
The board must hold management accountable for reporting an understandable and quantified assessment of cyber risks, threats and events as a standing agenda item during board meetings. The board should assess and validate these reports against its own strategic risk assessment using its Board Cyber Resilience Framework.
7. Resilience Plans
It is essential for the board to ensure that management supports the Accountability Officer for cyber resilience through the creation, implementation, testing and ongoing improvement of cyber resilience plans.
The board should encourage management to collaborate with stakeholders as relevant and appropriate to ensure systemic cyber resilience.
The board should undertake a formal, independent cyber resilience review annually.
The board should undertake periodic reviews to assess its performance in the implementation of its cyber resilience framework and related board obligations and seek independent advice to ensure continuous improvement.