A guide for boards and senior management
Organisations today are both blessed and cursed with extraordinary amounts of data.
On the one hand, this presents exciting opportunities to personalise offerings, automate processes and extract other benefits from this incredibly valuable asset class. On the other, organisations are facing unprecedented regulatory reform and regulator scrutiny; demands for greater transparency of data handling from consumers and investors; and heightened financial, operational and reputational threats.
The responsibility for information security and data governance starts and ends with the board and senior management. This guide provides:
- a handbook to help navigate duties and liabilities relating to information security and data risk; and
- the questions directors should be asking to inform themselves about the cyber risks faced by their organisation.
When it comes to data and cyber resilience, organisations and their boards face a number of challenges.
- Volume, pace and complexity of regulatory reform – it is becoming increasingly difficult to navigate the growing patchwork of data regulatory regimes. Not only do organisations need to contend with the volume and pace of new data regulatory developments, they also have to apply existing regimes in Australia, many of which were not originally intended to address cybersecurity. This creates significant compliance challenges.
- Increased regulator scrutiny – and yet, compliance is essential, as regulators (which in Australia include the OAIC, ACCC, ASIC, APRA and FIRB) are increasingly scrutinising data handling and cybersecurity practices, and using their expanding enforcement arsenal to hold organisations to account in unprecedented ways.
- Heightened threat landscape – all sectors are under attack, not just from regulators but also from cyber criminals and nation-state actors. We are still seeing escalation in the frequency, scale, sophistication and severity of cybersecurity incidents, and the financial services sector has been disproportionately affected. Cybersecurity incidents are costing the Australian economy an estimated $29 billion annually.
- The commercial imperative – individuals now expect greater transparency about, and control over, their data. Effective data governance is an essential part of building and sustaining stakeholder and consumer trust.
Regulators are alive to these challenges but they also expect organisations – and their boards – to manage them. These days, having an effective, comprehensive whole-of-business cyber and data strategy and framework in place is the only way to maximise the value of data and cyber resilience, comply with changing regimes, and avoid personal and organisational liability.
The financial imperative
Organisations can incur a wide variety of costs for failing to manage cyber risk:
- regulatory costs (eg fines)
- lost revenue and business interruption
- reputational harm and loss of trust
- consumer settlement funds and other settlements (including class actions)
- legal fees
- credit protection/ID monitoring services
- remediation costs
- possible loss of an Australian financial services licence (AFSL)
Cisco's 2021 Privacy Benchmark Study and the Harvard Business Review's research into the importance of organisational transparency and control in relation to data handling reveal some clear dollar-value benefits of maintaining appropriate and effective systems. Organisations with high transparency and control have been buffered from stock-price damage during data breaches (either their own or rivals’).
* These amounts are fines only. Additional costs, such as legal fees and loss of trust, tend to compound the overall financial damage.
- Directors will be held to account for cybersecurity failures – Directors may be personally liable, and face disqualification and/or reputational damage, for cybersecurity failures that result in regulatory breaches (direct and ancillary). Directors' acts or omissions may also contribute to the liability of organisations, particularly in circumstances where regulators (including ASIC, APRA and the OAIC) have repeatedly emphasised the criticality of board-level oversight of cyber and data risk issues.
- Boards should help define their company's cyber risk appetite – and ensure they are briefed on cyber risk assessments undertaken by the company. This will help ensure that any actions taken are in line with the interests of the company.
- Regulators expect that organisations will:
  - have adequate cybersecurity and resilience risk management systems, controls, documentation and resources (financial, technological and human), to ensure they are not exposing the company (or individuals and other customers to whom financial services are supplied) to an unacceptable level of risk;
  - ensure there is adequate awareness of these measures within the company; and
  - test these measures on a regular basis, to ensure they are effective and remain fit for purpose.
- Directors need to consider readiness for, and response to, cyberattacks – Compliance with directors' duties will require directors to: (a) understand cyber risks and the operational, financial and reputational impact on the company if those risks eventuate; (b) consider what systems and processes should be put in place to ensure the company is prepared to address these cyber risks on an ongoing basis; and (c) determine how the organisation should respond in the heat of a crisis to protect the interests of the company.
- Organisations are facing greater scrutiny of cybersecurity disclosures – we expect to see regulators increasingly take enforcement action for delayed, misleading and deficient notifications, and inadequate notification policies and procedures that sit behind them.
- Directors should consider whether specific cybersecurity expertise is required – and/or cybersecurity awareness needs to be uplifted across the board, given the increasing focus on the composition and cyber maturity of boards.
- Cyber resilience and data governance should form part of an organisation’s ESG agenda – greater awareness of the social impact of cyberattacks and unethical data-handling practices is fuelling consumer and regulator demands for sound cyber and data governance and greater transparency.
- Boards should ensure their company has a regularly tested ransomware response plan in place. The plan should include a process for briefing the board and clear authorities for critical ransomware decisions. Ransomware is now the fastest-growing and one of the most damaging types of cybercrime, and the financial services sector has been disproportionately affected.