Published 18 October 2023
Company directors are facing heightened accountability in the realm of cybersecurity, with governmental bodies and regulators beginning to outline stringent minimum standards for safeguarding sensitive information.
High-profile cyber-attacks, such as those suffered by Optus and Medibank in Australia, Equifax in the UK (which has been fined £11 million for its role in “one of the largest” cybersecurity breaches in history) and IBM MOVEit (in which 4.1 million patients in Colorado, USA, had sensitive healthcare data stolen), have underscored the significant impact that security breaches can have on corporations.
At The Australian Financial Review Cyber Summit in Sydney in September, Joe Longo, the Australian Securities and Investments Commission (ASIC) chairman, emphasised that directors cannot afford to ignore the risks posed by cybersecurity breaches, urging them to actively engage in the protection of data and critical infrastructure. He encouraged directors to challenge management on cybersecurity measures and to demand a comprehensive understanding of the steps taken to manage risks, underlining that the days of technological ignorance among directors are long gone.
He pinpointed four essential priorities for directors in navigating the escalating cybersecurity threat landscape. These priorities include gaining a thorough understanding of the data they hold, maintaining an inventory of their IT systems, devising a plan for system upgrades, and having a well-defined response strategy in case of a breach.
Recently, ASIC indicated its willingness to take legal action against directors of breached companies if they fail to take sufficient steps to safeguard data and critical infrastructure, so it is now imperative for organisations to ensure cybersecurity compliance is front of mind.
Many companies have been turning to their governance boards to guide them in establishing effective cybersecurity strategies, but this raises the question of whether governance boards are equipped with enough deep expertise to navigate such complex business threats.
Because of the labyrinthine nature of cybersecurity and the specialised knowledge required to fully understand the impact of a cyber breach, several major corporations, including IBM, General Motors and Calix, have set up cybersecurity advisory boards. Often, these boards comprise experts from various fields, including cybersecurity, computer science, public policy and law, and can provide expert independent advice on the company’s cybersecurity strategy and practices.
With ASIC’s willingness to take legal action against directors, cybersecurity is no longer a peripheral concern relegated to the IT department. It is an ever-present reality that can pose significant strategic, operational, financial and compliance risks to any organisation. In today’s business environment, cybersecurity risk has become a critical responsibility that needs to be addressed strategically from the top.
A cybersecurity advisory board can play a crucial role in guiding the governance board towards effective cybersecurity measures. This is because cybersecurity advisory boards typically comprise individuals with deep expertise in cybersecurity and related fields, enabling them to provide informed, independent, strategic advice on mitigating cyber risks. Their insights can guide the governance board in its decision-making processes, ensuring that the company’s cybersecurity strategies are not only robust but also aligned with its broader business objectives and ever-changing legal compliance obligations.
Governments and regulatory bodies around the world are implementing new requirements to protect consumers and organisations from cyber threats, and non-compliance can result in hefty fines, class actions and reputational damage. Therefore, governance boards should ensure that cybersecurity is integrated into the company’s broader risk management framework. This means considering cyber risks in strategic decision-making processes, allocating appropriate resources for cybersecurity measures, and holding management accountable for managing cyber risks.
With so many potential pitfalls, it’s clear why governance boards need to be able to navigate this complex regulatory landscape with confidence. This is where we increasingly see advisory board structures being put in place to guide corporate businesses on cyber matters. The deep expertise of the individual advisory board members, their independent perspective and their strategic guidance can help governance boards navigate the complex cybersecurity landscape and build a resilient, cyber-secure organisation.
In the face of relentless threats, it’s clear that cybersecurity is now everyone’s business. By leveraging the insights and guidance of a cybersecurity advisory board, companies can not only protect themselves from cyber-attacks but also turn cybersecurity into a strategic advantage.