Skip to main content

Directors must increase oversight of an organisation’s cyber resilience: Here’s how they can do it.


By Benjamin Di Marco and Joe DePaul | June 4, 2019

The growth in cyberattacks leaves organisations a choice: be a victim or muster the resiliency to emerge stronger if disaster strikes. An organisation's cyber resilience must also be a key focus for directors and senior management, given the Australian Security and Investment Commissions stated goals of improving the cyber resilience of all entities operating within its remit, and its expectation that organisations must have an appropriate framework to identify and manage data and security risks. Similar views have also been expressed by the Institute of Directors in New Zealand.

Cyber resilience has many facets and incorporates tools and processes to help ensure an entity can respond to an incident, repair the vulnerabilities and apply the lessons to strategies for the future. From a governance point of view this requires that directors and senior management have informed oversight of risk involves and that the board is satisfied that cyber exposures are adequately addressed by the risk management framework and appropriately managed across the organisation. These responsibilities cannot be outsourced and directors and senior managers must understand their obligations in the context of the Centro Australian High Court decision.

Cause for concern

Developing a better culture of resiliency is particularly urgent given some alarming international findings. One-in-three companies has experienced a serious cyber incident that included disrupted operations, impaired financials and damaged reputations, according to a recent study from the Economic Intelligence Unit (EIU), sponsored by Willis Towers Watson. The stark reality was identified by a group of 452 board members, C-suite executives and directors with responsibility for cyber resilience at large companies.

Most participants also expect another event over the next 12 months, and stated that they lack confidence in their ability to source talent and develop a cyber-savvy workforce. Executives cite the magnitude of the reputational and financial risk as the most important factors for board oversight. A recent local example demonstrating these exposures in the LandMark White data breach which triggered the departure of the organisation's chief executive officer and some directors, enlivened ASX continuous disclosure obligations, led to the suspension of the company's shares from trading, and resulted in a 20% slide in its share price.

Board action is imperative

Board members can better handle this increasingly important issue by understanding their organisation's cyber-risk exposure. They must recognise how their fiduciary duties can tie to their organisations' level of cyber resiliency and how the organisation manages a crisis event arising from a data breach.

In particular, board member should be thinking about and discussing stronger governance of cyber management.

Stronger governance over cyber-defence programs gives new purpose to existing director's duties and requires:

  • Understanding the connection between a data breach and potential financial harm to a company: directors and senior management should drive how the company understands and assesses the key legal and financial implications of cyber risk and how they apply to the company's specific circumstances to encourage an enterprise approach to risk management.
  • Complying with the duty of care owed under both common law and statute: in the event of a cyber-incident, boards and senior management should ensure a proper decision process is follow and that the incident is properly triaged. A thorough review post incident of what went wrong and how that can be corrected to prevent future occurrences should occur. This could include educating employees and vendors to increase the organisation's cyber hygiene and safety awareness.
  • Directing the organisation's culture and fostering behaviours that are consistent with the corporation's stated purposes and legal obligations: this requires close examination of the attitudes of staff within the company. The importance of understanding and complying with cyber guidelines must be impressed upon employees. Employees should also feel invested in company guidelines and educated on how their actions can cause data risk exposures.
  • Applying independent scrutiny to data security and information technology internal reports provided to the board: information security must be examined in a manner that addressed both technical and enterprise business risk. Important issues to be investigated include assessing the safeguards in place against malicious intrusions, benchmarking cyber maturity against industry peers, assessing recovery capabilities, the approaches used to protect critical information assets, and the extent of testing and ongoing monitoring.

To meet these duties boards should attack the issue from an organisation wide perspective using tools and systems focused on three key areas:

  • People
  • Risk transfer
  • Technology

Willis Towers Watson provides analytics solutions and guidance focusing on each of these areas, and is able to help companies step through and manage the key principles explored above.

An opportunity

If an organisation is proactive after a cyberattack occurs, an opportunity arises. Board members are presented with new information about what worked and didn't in a cyberattack prevention plan. And they're given the chance to strengthen risk culture, consider new preventive technology that could reduce privacy breaches and business interruption risks and promote employees behaviours that will reduce future risk.

Such a "reboot" can help convert any immediate incident loss into an investment in the future and build a framework to develop measurable ROI and evaluate future incident response and resilience.

Focus and Context

Ultimately a director's examination of cyber risk will be most effective where focus is placed on the true drivers of potential financial and reputational harm. Whether these harms follows an organisation's breach is not determined by the short-term misfortunes of a cyber event, but rather by the extent of resiliency exhibited following the incident and how adversity is handled during the crisis. In this context cyber resiliency should be a guiding light for navigating director's duties.

By improving cyber resiliency directors will place their organisations in a strong position to navigate the turbulent information security environment and safeguard the company from loss.

Contact Us
Related content tags, list of links Article Australia New Zealand