Site search

INSIGHT

Risky business: What regulators want you to know about managing cyber risk

By Valeska Bloch 22 February 2023

Intense focus on cyber risk management and resilience 7 min read

Following the Optus and Medibank incidents, companies have (quite rightly!) been scrambling to refresh their cyber incident response plans, run cyber simulations and update boards on their incident response arrangements.

But while companies have been laser-focussed on how they might respond to a cyberattack, regulators are doubling down on the importance of day-to-day cyber risk management and operational resilience (ie the ability to anticipate and withstand a cyberattack). And after a few years of largely principles-based regulation, they are becoming much more prescriptive about their expectations.

In the last 12 months alone, we've seen a global deluge of new and proposed regimes and enforcement action focussed on cyber risk management and operational resilience. 

The message is clear—being prepared to respond to a cyber incident is not enough. Cyber risks and the potential operational impacts should inform every major business decision and activity (from product design and development, to mergers and acquisitions, to procurements, to digital transformation). The sub-text is that no one person or team should (or can) manage cyber risks—effective cyber risk management demands a cross-functional approach.

As we gear up for another year staring down a new Critical Infrastructure Risk Management Strategy and Plan, Privacy Act overhaul and an increasingly volatile cyber-threat environment, here are four questions boards and senior management should be considering, along with some practical tips.

Jump to

  1. 1. Do we have an up-to-date, fit-for-purpose cyber risk assessment?
  2. 2. How do the identified cyber risks translate to financial exposure?
  3. 3. Do we regularly report on cyber risk metrics?
  4. 4. Have we assessed how our cyber risk management framework is operating in practice?

1. Do we have an up-to-date, fit-for-purpose cyber risk assessment?

To effectively manage cyber risks, companies need to understand their cyber risk profile.

This should involve an assessment of:

  • the cyber risks they face (threats and vulnerabilities) and how they translate to regulatory risks and other legal exposures;
  • the operational, financial and reputational impacts should those cyber risks eventuate; and
  • the effectiveness of current operational and technical controls.

The problem is that while a lot of organisations undertake cyber risk assessments, not many of these address the range of risks and potential business impacts that regulators have in mind. This is in large part because cyber risk assessments have historically been procured by Cyber or IT teams and undertaken by technical experts without input from Legal, Risk and Compliance. And while technical assessments are critical, when it comes to managing cyber risks they only tell part of the story.

Regulators are now emphasising that cyber risk assessments need to do more than contemplate technical risks and impacts.

Tips:

  • Cyber risk assessments should not just focus on technical risks and impacts but should also contemplate the broader operational impacts to the business, including legal and regulatory exposures.
  • Operational, legal and compliance teams should all be involved in the scoping of cyber risk assessments (including on the methodologies being applied). The assessment itself should be undertaken by qualified experts for the technical analysis, along with Legal for regulatory mapping.
  • Although cyber risk assessments don’t necessarily need to be undertaken externally, this may be changing. In its draft amendments to its Cybersecurity Rule, the New York Department of Financial Services requires that for larger companies, cyber risk assessments be conducted by external experts at least once every three years.
  • Cyber risk assessments should be kept up to date.
    • Enterprise-wide cyber risk assessments should be undertaken routinely (including following changes to the threat landscape, information assets and the regulatory environment) to ensure that they remain accurate and up-to-date.
    • Targeted cyber risk assessments should be undertaken for strategic decisions or business activities (eg for entry into a new jurisdiction, acquisition of a company or a new business arrangement).

2. How do the identified cyber risks translate to financial exposure?

Articulating the financial drivers and impacts of cyber risk and the extent to which certain measures will increase or decrease them is essential—and financial information is the common language that tends to best translate cyber risk information into measurements that matter to boards and the broader business.

While it's not possible to quantify and predict cybersecurity risks with certainty, it is possible to make informed estimates that enable the organisation to compare cyber risks against the other risks it faces and, by extension, make more informed decisions. These decisions include where to invest, how to assign resources, where to refine business processes and how to balance strategic priorities against immediate tactical issues.

Tips:

  • Cybersecurity risks should be framed broadly and measured in quantitative terms (as opposed to just 'high', 'medium' or 'low' possibilities).
  • Organisations can do this by:
    • considering the probability of particular events occurring (eg what is the likelihood that your organisation will be the subject of a ransomware or cyber extortion attack?);
    • adjusting that probability, having regard to the likelihood of that particular event causing a material impact on your organisation; and
    • assessing the financial costs of those events occurring.
  • Financial discussions should also cover the potential returns (not just the costs) of cybersecurity investment.
Back to top

3. Do we regularly report on cyber risk metrics?

Organisations should regularly report on:

  • the performance of the operational and technical controls they implement to address the material risks identified in their cyber risk assessments (KPIs); and
  • any early indications of either increasing cyber risk exposure or operating outside their risk tolerance (KRIs).

In addition to helping organisations decide where to spend money, allocate people and refine business processes, reporting on cyber risk metrics (including on resilience to future adverse cyber events) is increasingly becoming a regulatory requirement. For example, if introduced as drafted, APRA's proposed new operational risk management prudential standard CPS 230 will require extensive reporting to the board on the operational risk profile of the regulated entity (including on the performance of, and effectiveness of controls to manage risks associated with, material service provider arrangements). In the US, the SEC has proposed regulations that would mandate the disclosure by US public companies (including foreign private issuers) of details regarding their cyber risk management, strategy and governance arrangements in annual reports and other periodic reports.

Tips:

  • KPIs and KRIs should be chosen having regard to your latest cyber risk assessment.
  • Consider whether results should be independently verified.
  • Don't set and forget—cyber risk metrics should be reviewed, tested and adjusted as risks evolve and new information becomes available.
Back to top

4. Have we assessed how our cyber risk management framework is operating in practice?

Almost every regulatory enforcement action we've seen of late has included an allegation (if not a finding) that the relevant organisation did not have in place the frameworks, policies, procedures, processes, controls or resources necessary to manage data, cybersecurity and cyber resilience risks and enable compliance with its regulatory obligations.

But now it's clear that's not enough. That is, it is not enough to have systems, processes and frameworks in place to manage cyber risks. It's not even enough for these measures to be documented.  Nor is it enough for organisations to 'review design effectiveness'. 

Regulators (and APRA in particular) want to see organisations 'focus on operating effectiveness—how these things work in practice', and where frameworks don’t operate as intended, to assess why that is occurring. 

Interestingly (though perhaps unsurprisingly), APRA has also suggested that when it comes to investing in risk management capability and architecture, organisations need to do more listening to their Risk, Legal and Compliance functions who typically have a dimmer view of risk management across those organisations.  

Tips:

  • Your cyber risk management framework should:
    • include processes to monitor, test and report on compliance with that framework, including by independently validating that relevant controls are actually in place and operating as intended; and
    • include a training program to foster a culture of privacy and cyber awareness.
    • be routinely reviewed and updated to address identified issues, and to reflect the evolving threat and regulatory landscape and any changes to the business (including as a result of any acquisitions and divestments).

As always, if you'd like to discuss any of these in greater detail, please do reach out. We'd also love to hear from you if there's anything else (on this or a related topic ) you'd like to hear about. 

Back to top

Explore further

INSIGHT

An integrated strategy of denial: Australia's 2024 National Defence Strategy and Integrated Investment Program

18 Apr 2024

INSIGHT

Why organisations must embed mental health and wellbeing support into cyber incident response planning

20 Mar 2024

INSIGHT

AICD's guide for directors on governing through a cyber crisis

13 Mar 2024

INSIGHT

Cyberwashing: a key focus for data breach class actions

11 Dec 2023