Five tips for designing and implementing your program 5 min read
The single most determinative factor in how an organisation emerges from a cyberattack is how it conducts itself during the crisis. And the biggest determinant of how an organisation conducts itself during a crisis is how prepared it is. Not only does being prepared reduce the likelihood of a crisis occurring in the first place, but for those that are impossible to predict or avoid, it also reduces the time to respond and helps minimise adverse legal, regulatory and commercial consequences.
The good news is that corporate Australia is ramping up its preparation and uplift of cyber incident response plans and playbooks. But while these are important, they are virtually useless if not regularly tested and refined. And given the speed with which the threat and regulatory landscape is evolving, an annual cyber simulation will rarely be enough to get match fit. The old navy seal saying 'you don't rise to the occasion, you fall to the level of your training' is on point.
This means a structured cyber simulation program (as opposed to one-off or ad-hoc tabletop exercises) is now an essential part of cyber risk management. There's a growing body of guidance from regulators (including APRA and the OAIC) which indicates that a structured, risk-based approach to testing your ability to respond to various scenarios is now a regulatory expectation.1 Cyber insurers are also increasingly making regular cyber simulations with senior management participation a condition of coverage.
Below are five tips to keep in mind when designing and implementing your program.
The overarching objectives of any cyber simulation program should be to:
- create muscle memory around the cyber incident response process; and
- identify improvements that can be made to technical and operational controls, policies, processes and plans.
In addition to these overarching objectives, a cyber simulation program should include a list of specific criteria the organisation would like to test, which may vary from scenario to scenario. Your specific criteria should be informed by emerging cybersecurity threats and trends, identified gaps in your company's controls, regulatory requirements, enforcement activity and updates to your incident response plans and playbooks.
Your objectives and criteria should also be regularly reviewed to ensure they remain up to date and fit for purpose.
Your simulation scenarios should cover different threat types,2 including ransomware, data theft extortion, supply chain attacks, insider threats (both malicious and inadvertent), espionage and nation state attacks. They should also contemplate disruption to different business units, asset lines and systems.
Your program should also include scenarios:
- run using a variety of formats
- requiring participation by a range of stakeholders (eg senior management, the board, affiliates, business partners, critical suppliers, external breach response experts and advisors)
- conducted both at an enterprise level and at a business unit/asset level
- focussing on different components of the incident response (eg technical red teaming exercises, executive tabletop exercises and scenarios focussing specifically on the communications response), as well as some involving an end-to-end response.3
Tip! Simulations often overlook the broader operational impact on the business and engagement with other stakeholders. Ensure testing covers those backfilling roles of people on the response team, business continuity contingencies and engagement with other stakeholders such as critical suppliers and related entities (whether in Australia or overseas).
For directors to discharge their duties, the board needs to understand its role in any cyber incident—this includes understanding how the incident response team will operate, how frequently and when it will receive updates, the decisions it will need to make and the information it will need to make them.
Although not every simulation will require participation by the board, cyber simulation programs should give the board regular opportunities to discuss critical decisions like trading halts, market disclosures and whether or not to engage with a threat actor and/or pay a ransom in the context of different scenarios.
Briefings should be conducted regularly to ensure each member of the response team (and their alternate) is familiar with relevant plans, playbooks and processes, as well as their roles and responsibilities (and those of others in the response team).
When it comes to the actual simulation, there is also value in limiting the information provided in advance of the simulation itself (aside from information about timing, duration, expected participants and 'rules of play'), to better reflect a real-life incident.
Each simulation should be followed by a debrief for participants and an assessment of the response, having regard to the specific objectives identified for that scenario.
The assessment should record what worked well and areas for improvement. It should also include actionable recommendations about:
- the aspects of the response plans, playbooks and processes that need to be updated to reflect any pain points which arose during the simulation
- how the design and delivery of future cyber simulations could be improved.
The key observations and recommendations should be reported to your board, and lessons learned should be quickly incorporated into your plans, playbooks and processes.
The Federal Court’s judgment in proceedings brought by ASIC against RI Advice Group Pty Ltd in 2022 emphasised that a timely response to cyber incidents is key, and the identifying root causes and improving processes following incidents will be an area of focus for the regulator. The same thinking is likely to extend to improving processes where a simulation has identified inadequate processes or controls.
Please get in touch if you'd like to discuss the design of your cyber simulation program, or if you'd like assistance running a simulation.
See, for example: (i) The OAIC's Data breach preparation and response guide, which says that organisations need to regularly review and test their data breach response plan and contemplates testing through the running of hypothetical data breaches; (ii) APRA's prudential standard CPS 234 (Information Security) which requires that regulated entities review and test their information security response plans and also test the effectiveness of their information security controls through a systematic testing program; (iii) APRA's draft CPS 230 (Operational Risk Management) would require entities to have a systematic testing program for their business continuity plans, which includes an annual business continuity exercise tailored to the material risks of the entity. It would also require that organisations undertake scenario analysis to identify and assess the potential impact of severe operational risk events, test operational resilience and identify the need for new or amended controls and other mitigation strategies; and (iv) under the Security of Critical Infrastructure Act 2018 (Cth), certain regulated entities may be required to undertake a cyber security exercise which is designed to test the entity's ability and preparedness to respond appropriately to all types of cybersecurity incidents (Part 2C).
APRA's draft prudential standard CPS 230 (Operational Risk Management) would require that the testing program is tailored to the material risks and should include a range of severe but plausible scenarios, including disruptions to services provided by material service providers and scenarios where contingency arrangements are required.
Conducting cyber simulations at both at an enterprise level and at a business-unit/asset level is important in light of the emphasis being placed by regulators on the need to ensure that frameworks and plans are tailored to relevant business units and assets and are fit for purpose. For example, ASIC emphasised the importance of ensuring that group affiliates have implemented and operationalised appropriate and tailored controls as part of its proceedings against RI Advice Pty Ltd.