Australian cyber governance principles published


A set of cyber security governance principles have been released by the Australian Institute of Company Directors (AICD) and the Cyber Security Cooperative Research Centre (CSCRC).

The governance principles provide a “practical framework” for board oversight across five areas: roles and responsibilities, cyber strategy development and evaluation, incorporating cyber into risk management, building a cyber resilient culture and preparing for and responding to significant cyber incidents.

The document also lists governance red flags relating to each of the above areas and a list of “top ten” questions for directors to ask.

It also lists directors’ existing fiduciary duties under common law and the Corporations Act 2001 (Cth) (Corporations Act), as well as cyber security-specific regulatory requirements and standards.

The document also touches on organisational structure, board reporting and common board reporting metrics, external auditing, benchmarks and insurance.

Regarding cyber insurance, the document states that while it “may be necessary for certain organisations, the often high cost and restricted or tailored coverage of a particular policy means that a board should carefully consider if it is appropriate and/or value for money for their organisation.”

“There is a limited pool of providers of cyber insurance in Australia and the often-tailored nature of policies means they can be relatively high cost and may have specific conditions or exclusions of particular cyber incidents (e.g. act of war),” the cyber security principles document states.

The document encourages directors to be aware of what is covered by cyber insurance, noting that “there are no standard terms and conditions for cyber policies”.

“A board may form the view that in certain circumstances self-insurance is appropriate and choose to deploy the savings from not obtaining the policy to boosting cyber security controls.”

Take-up of cyber insurance in Australia has been low, according to a recent paper on cyber insurance published by the Actuaries Institute, which attributed this in part to rate hikes, misconceptions about insurance risks, skills shortages, and poor returns and high risks for insurers.

The principles were determined by consultation with government, industry experts and the director community.

Minister for Cyber Security, Clare O’Neil, stated, “Building our nation’s cyber resilience is crucial. This will require a huge collective effort across government and industry, with company directors having a critical role to play”.

“These Principles provide a clear picture of cyber security best practice for organisations across the whole economy”.

AICD managing director and chief executive officer Mark Rigotti MAICD stated, “Cyber security is a crucial area for boards and we know they are looking for as much support as possible. Building cyber resilience within organisations is ultimately about building resilience across the nation as well as capacity within our teams and organisation”.

CSCRC chief executive officer Rachael Falk MAICD stated, “Companies must expect to be attacked and the worst thing any organisation can do in this current environment is to proceed with a false sense of security”.

“This is a core risk that has to be incorporated into the everyday business of running any organisation,” Falk said.

The Federal Government will introduce legislation this week to increase penalties for companies subject to repeated or serious privacy breaches.

Cyber Security NSW is currently developing the NSW Government’s first Vulnerability Disclosure Policy, which will provide guidance for reporting, and include a centralised place for the submission of reports.
