Brave New World – How cyber resilient is your business?
Cathy Armour, Commissioner
This article was submitted to the Governance Institute for publication in the Governance Directions magazine in March 2017
Cyber risk is a hot topic in governance for good reason. As the digital footprint of companies, consumers and investors expands so too does their vulnerability to cyber threats. The interconnectivity of our information technology systems with those of our suppliers, customers and other counterparties amplifies this risk. Proactive management of cyber risk is a must for good risk management.
The number, sophistication and complexity of cyber attacks have increased markedly over recent years. Cyber risk is not an abstract notion or just an IT issue. Mature organisations accept the fact that they have been, or will be, infiltrated and focus on their detection capabilities and their resilience and responsiveness to cyber attacks. A cyber resilience strategy is the responsibility of boards and senior management.
Boards and senior management of all companies should have a good understanding of their company's cyber resilience. If not, it is time to assess your company's cyber resilience. There are well established frameworks for this assessment, and external cyber experts can assist with this process. Once a board understands what is necessary to improve the company's overall cyber resilience, it is well positioned to oversee the development of procedures to minimise significant cyber risk. Cyber risk is a fundamental part of a company's broader risk framework; it is not appropriate to delegate consideration of this risk solely to the IT department or to rely on one member of the board with information security expertise.
And it doesn't stop there. With rapidly evolving technology, cyber risks are changing at a staggering pace. Cyber security must be a continuing initiative, not an afterthought. Engagement with cyber risk must instead be agile and proactive, and instigated at the highest levels.
ASIC sees cyber risk as one of the key challenges for our financial services and markets. ASIC's 3-year corporate plan outlines how ASIC will address this risk. One initiative sponsored by ASIC and the ASX is a Health Check of the ASX 100 companies. This Health Check is a voluntary survey which benchmarks cyber readiness of these companies. A report on the high-level findings will provide an interesting perspective on cyber resilience across some of Australia's largest companies.
However, cyber risk is not limited to the ASX 100, just as it is not limited to companies in the financial services or IT sectors.
When considering your company's cyber risk management framework, you may want to ask the following questions.
- Are cyber risks an integral part of the company's risk management framework?
Exposures to cyber risks should be recognised and assessed for impact as part of the risk management framework.
- How often does the board review its cyber resilience procedures?
Annual compliance reviews and a set of static procedures may not be sufficient. 'On-demand' responses to attacks, regular reviews and/or automated cyber vulnerability testing may be required.
- What risk is posed by cyber threats to the company's business?
The level and nature of risk should be properly understood taking into account the nature of your business. This will allow the board to set a suitable risk tolerance for cyber risk in the risk management framework.
- Does the board need further expertise to understand the risk?
Not all directors need to be cyber security experts, but they do all need to have an understanding of the risk and their company's readiness to defend against and recover from cyber attacks.
- How can cyber risk be monitored and what escalation triggers should be adopted?
This may depend on the nature of a particular company and the nature of the risk. But there should be a framework for reporting on cyber attacks and threats from a variety of sources to the board and/or senior management for appropriate action.
- What is the people strategy around cyber security?
The board and management should satisfy themselves that the company has sufficient resources to address cyber risk. This is not limited to IT resources - training for employees should be considered, particularly as cyber attacks may occur as a result of action by a single employee.
- What is in place to protect critical information assets?
The board and management should ensure that their critical information assets, including those held by or shared with third party partners and service providers, are secure.
- What needs to occur in the event of a breach?
Critically, boards need to ask how their company is placed to respond quickly to a cyber attack and ensure minimal damage. This includes processes for communicating effectively externally to customers, suppliers and other counterparties (including the regulator) about the incident.
Asking these questions will help to ensure your company is cyber resilient.