7 questions directors need to ask about cyber

26 August 2019

Original content provided by BDO Australia


In this digital age, cyber-security is an important area of risk for boards. But directors need to ask management the right questions in order to track exposure to risk in this area. Here Leon Fouche, BDO National Leader, Cyber Security outlines what directors need to know.

1. What is the role of the Board in cyber security?

The role of the Board is to identify and manage cyber risk at a macro level. This includes asking themselves the following questions (from Telstra’s Five Knowns for cyber security):

  • Do we know what our critical information assets or ‘crown jewels’ are and where are they located?
  • Do we know who has access to these critical assets, who is responsible for protecting them and how well they are protected?
  • Do we know what our compliance obligations are and the implications if we are in breach of our obligations?
  • Do we know how to respond to a cyber security incident?

2. What are the consequences of a major cyber failure for the organisation and for us as board members?

A successful cyber attack can cause major damage to your organisation if you are not well prepared. It can affect your bottom line, as well as your standing and consumer trust. Board members are the caretakers of the organisation and are ultimately accountable for ensuring effective cyber risk management practices are implemented. As a board member, you can also be personally liable for any risk or issue related to cyber security that has an adverse impact on the organisation if not managed appropriately. Boards should ask themselves whether they have a good understanding of the cyber risks and have done everything possible to manage them.

3. How does the Board ensure its members gain sufficient information about cyber risk?

Boards should request regular briefings (at least twice a year) on cyber trends and risks within their industry and how these may impact their organisation. These briefings could be done internally by the cyber security, risk or IT team within the organisation, or by an external party such as the IT service providers or technology vendors, who should have access to a wealth of industry trends in cyber security. These briefings should cover the following:

  • Case studies of recent cyber events or attacks within your industry sector
  • Emerging cyber threats and trends within the industry sector your organisation operates in, and mitigations for managing these
  • Status updates on your cyber risks and any issues affecting the management of these.

4. Should our audit committee look after cyber security?

This is dependent on the maturity and experience of the audit committee members. If the audit structure looks at operational risk across the business, then it should include cyber security. Where an audit committee’s focus is more on financial and compliance risk, a sub-committee focussing on cyber security might be a better option for the organisation.

5. Do we have a framework for managing cyber risk?

Cyber risk management frameworks are often dependent on industry type or the perceived risk within the organisation, and should be an extension of the existing enterprise risk management framework. There are a number of cyber/information security risk management frameworks which organisations can adopt. The NIST (National Institute of Standards and Technology) Cybersecurity Framework is one such framework gaining popularity in Australia. This framework, also referred to as a Cyber Resilience Framework, consists of a set of best practices, standards and recommendations that help an organisation improve its cyber security measures.

6. What should be included in our cyber security program?

The Board’s role is not to define the cyber security strategy, but to ensure a cyber security strategy and program are developed to manage the cyber risk to an acceptable level, as set by the Board. The following are some important questions the Board should ask when reviewing its cyber security program:

  • Do we have well-defined ownership, roles and responsibilities for cyber security?
  • Do we have a process in place for ongoing management of cyber risks, which includes performing regular cyber risk assessments and ongoing cyber risk monitoring?
  • Do we provide appropriate training to staff and management on cyber risk and security?
  • Do we regularly review and update our cyber security strategy and program to ensure they remain relevant to the latest industry cyber trends?
  • Do we have sufficient funding allocated to manage our cyber security program?

7. What level of cyber liability insurance is necessary and what should it cover?

In today’s interconnected digital world, the likelihood of cyber attacks is high and it will become increasingly difficult to stop attacks. It is therefore important for organisations to start looking at strategies to manage and mitigate the impact of a cyber attack. More organisations are starting to buy cyber insurance as part of their cyber risk management strategy to mitigate the impact of cyber risk should it eventuate.

The Board should consider the following points when considering cyber insurance:

  • Have we done a thorough risk assessment to understand the cyber risks we would like to insure? Understanding your cyber risks will allow the organisation to get a more tailored cyber insurance policy.
  • Have we validated that our cyber insurance policy provides the required cover for our cyber risks? Validating each cyber risk for your organisation (e.g. attacks, data breaches, etc.) with your insurance provider will ensure you have the required cover in place for your cyber risks.
  • Do we have risk mitigation strategies in place to manage the impact of a cyber incident, and have we tested these to ensure they are effective? Insurance companies provide discounts on cyber insurance cover to organisations that implement effective crisis management plans (e.g. recovery and cyber incident response plans).