KORDIA
Australia's Cyber Security Act
New legislation aims to bolster the security and resilience of Australia's cyber environment and critical infrastructure.
Cyber risk is like any other business risk and requires board-level attention and responsibility. Since the 2021 edition of the Cyber risk practice guide was published, many boards have significantly stepped up their focus on cybersecurity and gained real-life experience preparing for and responding to cyberattacks. However, more focus is clearly needed. In the 2022 IoD/ASB Director Sentiment Survey, just 54% of directors reported that their boards regularly discuss cyber risk and are confident their organisations have the capacity to respond to a cyberattack or incident.
It’s important that directors don’t dismiss cybersecurity issues as something that only affects other people – no matter the size of your organisation.
The 2023 edition of Cyber risk: a practical guide retains five core principles to help boards understand and approach cybersecurity in their organisations. Updates to the guide include privacy guidance following the 2023 Latitude Financial event and guidance on dealing with cyberhate and misinformation. It also presents new questions for directors to ask management about their cybersecurity policies and settings.
There are five core principles for boards in their oversight of cyber risks:
1. Directors should approach cybersecurity as an enterprise-wide risk issue, not just an IT issue.
2. Ensure that an enterprise-wide cyber risk management framework is established.
3. Cybersecurity needs regular and adequate time on the agenda. Boards should also continue to build their cyber competency and ensure they have access to external expertise.
4. It is essential that directors understand their legal responsibilities and the implications of cyber risk relevant to their organisation.
5. Board and management discussion of cyber risks should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.
For further understanding of why boards need to prioritise cybersecurity and the risks of holding on to private data.