Allens Head of Cyber Valeska Bloch sees 2022 as the year that sparked real progress on cyber risk management.
The recent Optus and Medibank cyber attacks have shaken corporate Australia in a way and at a scale that I don't think we've seen since the GFC. But they have also spurred real action.
Companies are overhauling their cyber incident response plans and processes and getting match-fit by workshopping scenarios and running cyber simulations. Cyber risk management and incident response – historically the domain of technical experts and cyber defence teams – is becoming a cross-functional activity involving operational, legal, risk, communications and HR experts. Realising that security can never be guaranteed, organisations and regulators are expanding their focus from cybersecurity to cyber resilience – the ability to withstand major disruption and recover quickly. And perhaps most importantly, organisations are accelerating their data retention and destruction programs.
So we've come a long way but there's more to do – and when it comes to managing cyber risk, there always will be!
We need to ensure we don't just focus on how we might respond to a cyber incident but that day-to-day cyber risk management is woven into the fabric of everything we do. We need to simplify our regulatory framework so that organisations can respond rapidly. We need to ensure that the lessons from cyber incidents are shared – and we're already seeing some great examples of that. We also need to continue to take a hard look at the data we collect and keep.
The financial costs of cyber incidents can be eye-watering for organisations, but it's the non-financial costs and broader social, reputational and individual emotional impacts that can really scar. Cyber incidents can be all-consuming. The stakes are high and the fallout can feel deeply personal and intrusive for both the individuals and the companies that are impacted. I think it can be an undervalued trait in the corporate world, but it's really important to me that this work is grounded in empathy.
As we move into 2023, I think we'll see an enormous uplift in both awareness of what might happen in a cyber incident and the steps that need to be taken by organisations to manage cyber risk. Cyber incidents are on the rise, but Australian organisations' sophistication in dealing with them is improving too.
Valeska's guide to what's on the agenda for boards in 2023
Boards will be regularly requesting (and challenging) information from management to help them understand and quantify cybersecurity risks and legal exposures, set the organisation's cyber risk appetite, and understand the potential impacts of strategic decisions and business activities on its cyber risk profile on an ongoing basis.
Boards will take a more proactive role in ensuring organisations can withstand and recover quickly from high-impact cyber incidents, including by setting or approving pre-defined tolerances for disruption.
Boards (along with regulators) will interrogate statements made about cybersecurity practices and related risks – including in annual reports, attestations, reports to regulators and marketing collateral.
Boards will test whether organisations have adequate frameworks in place to ensure that they are not collecting and keeping more data than is required.
Boards will keep an eye on the evolving geopolitical situation, and the potential direct and indirect (whether spillover or opportunistic) cyber risks it may pose, particularly for organisations operating within Five Eyes jurisdictions.