Cyber Security & Directors' Duties - Elevated Risks
In the wake of the Log4j vulnerability and the wave of attacks exploiting it that began in December 2021, the cyber security response and vulnerability management effort of corporates and other players in Australia (and globally) has been at what would be described as "unprecedented levels", in terms of the depth, spread and continued nature of the response required.
In terms of directors' duties - as Australian Directors know full well - cyber security risk is a critical issue that Boards need to ensure they adequately understand and that their organisation is appropriately monitoring and mitigating. Some high level observations on this are:
· risk heat map – I would expect that most, if not all, corporates in Australia (and globally) will have cyber security on their organisation's risk watchlist as a result of the escalated threat levels globally;
· regular cadence of Board or Board Risk Committee reporting – there needs to be an escalated maturity of the reporting that Boards receive on this threat / risk issue, and their organisation's defences.
Regarding the latter, an important element in evidencing that this Directors' duty has been discharged will be for the Board to ensure that it is receiving appropriate reporting on cyber security metrics and trends / insights, and at an appropriate cadence.
Ensuring that this reporting is provided and appropriately documented is an important element of Directors ensuring that they do discharge their duties, and that they have evidence of doing so. Clearly, having an accurate record of any critical elements in the Minutes is a continuation of this.
Directors need to have information, and to be able to evidence that this information is being received (in an appropriate timeframe and at a continued cadence), in order to prove that they are discharging their duties of prudent oversight and diligence.
In terms of what reporting Directors should receive – the information provided should give both qualitative and quantitative insights. It is useful if the Board can consult and provide feedback on a dashboard of cyber security metrics that Management will report against – this dashboard should include both lead and lag indicators, and should focus on cyber security outcomes as well as operational measures.
The importance of cyber security for all Directors is well established as a critical duty... however, I note that the Chairman of Australia's corporate regulator, ASIC, Joe Longo, reminded corporates at the Parliamentary Joint Committee on Corporations and Financial Services on 11 February 2022 that cyber-resilience must remain a key focus of the "highest order" in 2022 - see the note from ASIC this month, below.
ASIC calls out that the cyber resilience of firms operating in Australia's financial markets continues to be resilient … however, against a rapidly changing cyber threat environment, their improvement in cyber resilience has been small. Clearly, an inference of this is that more should, and must, be done ... and it is the job of Directors to oversee that this happens (in a fit for purpose way for their organisation).
Clearly there is, and remains to be, more vigilance required from Australian corporates, and Boards of Directors, in terms of this increasing global risk.
There are many resources available on this topic, but a good starting point is ASIC's good practice guide on cyber resilience:
#directors #directorsandofficers #governance #directorsduties #cyberrisks #cyber #cybersecurity #asic #boardreporting #oversight
Governance Professional
3y · Thanks for the great tips, reminders and insights Jane!
Assistant Company Secretary (retired)
3y · Thank you for sharing, this really is important.
Managing Director at Corporate Technology Services
3y · A good article. Some things are also hidden in plain sight; at times cyber security risks and data sovereignty are overlooked when choosing webcast providers for the AGMs that put the directors on display to discuss that very matter.
Company Secretary
3y · Thanks for sharing, great summary. In the ever evolving environment, Boards need to be prepared for the "when" versus "if" scenario as the regularity of threats is ever increasing. It has been very interesting in my short career to see the shift in landscape and the evolution of BCP/DRP and relating scenario planning. It will be really interesting to see any shifts in legislation with respect to payment of ransom – maybe a topic for a future article?