The board’s role in monitoring cyber risks: AICD’s guidance on ‘Governing through a Cyber Crisis’

Blog

6 min. read

|

With the rapid advancement of technology, cyber attacks are becoming more prevalent and increasingly more sophisticated. Formerly confined to the plotlines of Hollywood films, cyber attacks are now regularly carried out on businesses, governments, and individuals around the world with the purpose of disrupting critical infrastructure and exploiting vulnerabilities for financial gain.

On average, a cybercrime is reported to the Australian Signals Directorate once every six minutes,1 and the Australian Government expects the rate of such attacks to increase. The development of AI and other technological tools has coincided with an industrialisation of cybercrime,2 creating the perfect conditions for the proliferation of these online attacks.

Recent high-profile cyber attacks have targeted companies operating across a broad spectrum of industries including telecommunications, health insurance and legal services.3 Not even the government is immune,4 and the cost of cybercrime on Australian businesses is growing every year.5

Snapshot from the Australian Signals Directorate Cyber Threat Report6

It is clear from the ubiquity of these cyber-attacks that this new threat cannot be ignored, and governments around the world are adopting increasingly stringent regulations for the management of cyber security risks.7

In 2023, the Australian Government released its Cyber Security Strategy 2023-2030 (Strategy)8 which highlighted the importance of safeguarding online platforms and services in Australia’s digital economy. According to the Strategy, cybercrime is one of the most significant threats impacting modern Australians and represents an attack on our national sovereignty. Reducing cybercrime is a top priority for the Government and will be critical for Australia’s productivity and future prosperity.

While Australia possesses robust intelligence and defence cyber capabilities to safeguard the nation from global threats, the security of the economy cannot be maintained unless private entities are also adequately equipped to manage a cyber crisis. The Australian Government considers that cyber risks could be “mitigated by better corporate governance from the board down.

This sentiment was echoed by ASIC Chair Joe Longo when addressing the Australian Financial Review Cyber Summit on the topic of cyber preparedness in September 2023. As discussed by HopgoodGanim’s Luke Dawson and Briar Francisin a recent article on this topic, boards must plan for the vulnerabilities inherent in their entity’s existing systems and avoid over-reliance on third-party providers.

However, there are concerns that companies are not investing sufficient time and resources into establishing appropriate cyber security systems and controls.

Responsibility of the Board

Boards must now take an active approach to evaluating cyber security processes, or risk potential enforcement action by ASIC for a failure to act with reasonable care and diligence.9 The success of a company’s response to a cyber crisis depends heavily on the board’s ability to provide proper oversight and support for decisions made by key management personnel throughout the crisis.10

Directors should be careful to give proper attention to the discharge of this duty. It is not enough to simply take steps to manage cyber security risk; rather, those steps must be appropriate to manage the cyber security risk faced by the company in the given circumstances.

In recent years, each of ASIC, the ACCC, the Reserve Bank of Australia, and APRA have vocalised concerns about the threats posed by weak cyber defences, and the need for companies to assess and mitigate cyber security risks.

In the recent case of Australian Securities and Investments Commission v RI Advice Group Pty Ltd,11 the Federal Court held that, despite the steps taken (albeit belatedly) by the board to manage cyber security risk, the company failed to put appropriate documentation and controls in place to manage the threats to the company’s cyber security, and that the company had therefore breached the risk management obligations of its financial services licence.

In this climate, cyber risks management and cyber security should be at the top of the agenda for boards across the country.

What is ‘appropriate’ risk management will vary across companies. HopgoodGanim Lawyers can assist in conducting a review of your company’s operations and existing processes to determine whether they are fit for purpose having regard to your specific risks profile. These types of ‘Cyber Health Checks’ are critical to ensuring the board discharges its duty to shareholders and should be conducted on an ongoing basis.

How to manage a Cyber Crisis

To assist boards and directors in navigating these responsibilities, the Australian Institute of Company Directors (AICD) has recently released detailed guidance on how to effectively respond to, and recover from, a cyber security incident (Cyber Crisis Guidance).12

The Cyber Crisis Guidance, which was developed in collaboration with the Cyber Security Cooperative Research Centre, builds on the framework set out in the 2022 Cyber Security Governance Principles13 and focuses on four key areas: Readiness, Response, Recovery and Remediation.


Similarly to the old military adage, the Cyber Crisis Guidance advocates proper planning, preparation and testing to ensure the board, its senior leaders and incident responders understand their respective roles and perform well together under the pressure of a cyber event.

Next steps for boards and senior leaders

Cybercrime is not going away. A failure to take proper care in monitoring and responding to cyber risks can have serious implications for directors, particularly where sensitive data is stolen or where an entity suffers significant financial loss.

Boards must brace themselves for this brave new world, or risk falling victim to these attacks and suffer the consequences.

Links to the AICD’s Cyber Crisis Guidance full document, as well as a snapshot, can be found here.

For more information and to ensure your company is protected, reach out to HopgoodGanim’s corporate governance and cyber security experts.


1Australian Government, Australian Signals Directorate, ‘ASD Cyber Threat Report 2022-2023’, 14 November 2023, 2-5.
2 For a discussion of the current cyber extortion business model, see James McIntosh, ‘The Case for a Prohibition on the Making of Cyber Ransom Payments’ (2024) 40 C&SLJ 158.
3 The breaches of Optus, Medibank and HWL Ebsworth in 2022 and 2023 (respectively) were well documented.
4 ASD Cyber Threat Report 2022-2023 (n 1), 8.
5 Ibid, 2.
6 Ibid, 2-5.
7 Such as the General Data Protection Regulation in the European Union or the California Consumer Privacy Act in the United States.
8 Australian Government, Australian Cyber Security Strategy, 2023-2030.
9 See, for example, ASIC Report 429: Cyber resilience: Health check at pages 43 and 49.
10 Australian Institute of Company Directors, Governing Through a Cyber Crisis: Cyber Incident Response and Recovery for Australian Directors, 28 February 2024, pages 14 to 15.
11 Australian Securities and Investments Commission v RI Advice Group Pty Ltd (2022) 1608 ACSR 204; [2022] FCA 496.
12 Governing Through a Cyber Crisis (n 10).
13 Australian Institute of Company Directors, Cyber Security Governance Principles, 21 October 2022.

|By Steven Hunwicks & Rebecca Rutland

Stay up to date with our latest News & Insights

Which areas are you interested in?

Areas
By clicking "Subscribe" you agree to receive electronic communications from HopgoodGanim, as indicated above. Your personal information will be processed and stored in accordance with HopgoodGanim's Privacy Policy.