Board responsibility in a cyber-attack
With the disturbing increase in cyber-attacks only set to continue, company boards are shifting their attention to how best to guide their company in preparing for a cyber incident, and to identifying what their own role is during a cyber-attack.
Pleasingly, we are seeing a significant uptick in boards being more proactive in cyber preparedness, investing time, resources, and money into this important work.
Whilst the preparation falls under the remit of the CEO and leadership team, boards still have a crucial role in preparing the company.
ASIC outlines the key responsibilities of a board to prepare and respond to a cyber-attack here.
These fundamental guidelines are a good starting point; however, they only provide high-level guidance.
Working with major corporations across a variety of industries, we are finding that there is a lack of clear understanding of the board's role in a cyber incident.
These are a few probing questions we believe boards should be asking their executive teams:
1. What data are we holding, is it necessary, and how sensitive is it? Why are we holding data that is no longer required?
2. Has the IT system been tested by an independent party who will give honest advice?
3. Has the crisis team been trained and tested in a cyber incident scenario?
4. Has an independent party tested the crisis team to validate the business's preparedness and ensure the executive team is ready for a cyber incident?
Having an independent party validate your preparedness, or identify gaps through testing, is far better than waiting for a cyber-attack to happen (and yes, it will happen) and discovering you were not prepared. We often see internal teams convinced they are ready, only to fail when they are tested by an external provider.
There's no question that cyber incidents are becoming more common, and the court of public opinion is softening in its historically scathing review of organisations' mismanagement of cyber-attacks. However, given the ongoing media focus on cyber, there is still a high expectation that you should be ready. With the near certainty that it will happen to all businesses in some form, there is little to no excuse for not being prepared.
A small investment in testing will either provide confidence that your organisation is well-positioned to respond to a cyber-attack, or identify gaps that can be addressed before the real event.
If you would like to know more about board preparation for a cyber-attack, please contact us at email@example.com or call Allan Briggs on 0417 160 120.