In this digital age, cyber-security is an important area of risk for boards. But directors need to ask management the right questions in order to track exposure to risk in this area. Here Leon Fouche, BDO National Leader, Cyber Security, outlines what directors need to know.
1. What is the role of the Board in cyber security?
The role of the Board is to identify and prioritise cyber risk at a macro level. This includes asking themselves the following questions (adopted from Telstra’s Five Knowns for cyber security):
- Do we know what our critical information assets or ‘crown jewels’ are and where they are located?
- Do we know who has access to these critical assets, who is responsible for protecting them and how well they are protected?
- Do we know what our compliance obligations are and the implications if we are in breach of our obligations?
- Do we know how to respond to a cyber security incident?
2. What are the consequences of a major cyber failure for the organisation and for us as board members?
A successful cyber attack can cause major damage to your organisation if you are not well prepared. It can affect your bottom line, as well as your organisation's standing and consumer trust. Board members are the caretakers of the organisation and are ultimately accountable for ensuring effective cyber risk management practices are implemented. As a board member, you can also be personally liable for any risk or issue related to cyber security that has an adverse impact on the organisation if not managed appropriately. Boards should ask themselves if they have a good understanding of the organisation’s cyber risks and have done everything possible to manage cyber risks.
3. How does the Board ensure its members gain sufficient information about cyber risk?
Boards should request regular briefings (at least twice a year) on cyber trends and risks within their industry and how these may impact their organisation. These briefings could be done internally by the cyber security, risk or IT team within the organisation, or by an external provider such as the organisation’s IT service providers or technology vendors who should have access to a wealth of industry trends on cyber security. These briefings should cover the following:
- Case studies of recent cyber events or attacks within your organisation’s industry sector
- Emerging cyber threats and trends within the industry sector your organisation operates in and mitigations for managing these
- Status updates on your organisation’s cyber risks and any issues affecting their management.
4. Should our audit committee look after cyber security?
This is dependent on the organisational maturity and experience of the audit committee members. If the audit committee’s structure looks at operational risk across the business, then it should include cyber security. Where an audit committee’s focus is more on financial and compliance risk, a sub-committee focussing on cyber security might be a better option for the organisation.
5. Do we have a framework for managing cyber risk?
Cyber risk management frameworks are often dependent on industry type or perceived risk within the organisation and should be an extension to the existing enterprise risk management framework. There are a number of cyber/information security risk management frameworks which organisations can adopt. The framework from NIST (National Institute of Standards and Technology) is one that is gaining popularity in Australia. This framework, also referred to as a Cyber Resilience Framework, consists of a set of best practices, standards and recommendations that help an organisation improve its cyber security measures.
6. What should be included in our cyber security program?
The Board's role is not to define the cyber security strategy, but to ensure a cyber security strategy and program are developed to manage the organisation’s cyber risk to an acceptable level as set by the Board. The following are some important questions the Board should ask when reviewing its cyber security program:
- Do we have well-defined ownership, roles and responsibilities for cyber security?
- Do we have a process in place for ongoing management of cyber risks, which includes performing regular cyber risk assessments and ongoing cyber risk monitoring?
- Do we provide appropriate training to staff and management on cyber risk and security?
- Do we regularly review and update our cyber security strategy and program to ensure they remain relevant to the latest industry cyber trends?
- Do we have sufficient funding allocated to manage our cyber security program?
7. What level of cyber liability insurance is necessary and what should it cover?
In today’s interconnected digital world, the likelihood of cyber attacks is high and it will become increasingly difficult to stop attacks. It is therefore important for organisations to start looking at strategies to manage and minimise the impact of a cyber attack. More organisations are starting to buy cyber insurance as part of their cyber risk management strategy to mitigate the impact of cyber risk should it eventuate.
The Board should consider the following points when considering cyber insurance:
- Have we done a thorough risk assessment to understand the cyber risks we would like to insure? Understanding your cyber risks will allow the organisation to get a more tailored cyber insurance policy.
- Have we validated that our cyber insurance policy provides the required cover for our cyber risks? Validating each cyber risk for your organisation (e.g. phishing attacks, ransomware, data breaches, etc.) with your insurance provider will ensure you have the required cover in place for your cyber risks.
- Do we have risk mitigation strategies in place to manage the impact of a cyber incident and have we tested these to ensure they are effective? Insurance companies provide discounts for cyber insurance cover to organisations that implement effective crisis management plans (e.g. disaster recovery and cyber incident response plans).