Building cyber resilience – 4 critical steps for boards

The cyberattacks on Optus, Medibank and Latitude Financial are growing evidence at home of the increasing sophistication of hackers across the globe. As criminals scan cyber space for any vulnerability, it’s clear no organisation is immune and the need for protection is more important than ever. But how can organisations and particularly boards build their cyber mettle?

In a lively panel discussion for the Actuaries Institute, Taylor Fry Principal and cyber lead Win-Li Toh explored the way forward for organisations and the role actuaries have to play in shaping their cyber resilience. She was joined by Simon Mitchell, of the Australian Institute of Company Directors (AICD) and Amanda Zeller, of the Australian Securities and Investments Commission (ASIC).

The panellists covered some of the most concerning topics for boards. These ranged from the pros and cons of paying a ransom during a ransomware event to how internal cyber education fits into an information security budget, and the availability of cybersecurity professionals to service this escalating risk area.

We outline the panel’s four key messages for organisations and their boards in building their cyber resilience:

1. Organisations should start with their existing risk framework to understand cyber risk

Organisations have struggled to understand and engage with cyber risk in the same way they look at other business risks. Reasons include the technical and at times jargon-heavy nature of information security technology, as well as the less clear link between cyber risk and the balance-sheet impact (compared to more familiar types of risks). AICD’s research and engagement, as part of the development of its recently released Cyber Securities Governance Principles, identified a real advantage in using and adopting traditional governance processes to engage with and tackle cyber risk. Using the existing governance and risk management approach provides a common language, helping to bridge the gap between management’s deeper understanding of the technical details and the board’s broader supervisory role.

2. One size doesn’t fit all when it comes to comparing cyber controls

Organisations would like to know how they are measuring up when it comes to implementing cyber controls, not to mention the money they spend on cyber resilience. But finding ‘one size fits all’ metrics is challenging due to the differences in organisations’ size, complexity and data assets, as well as the regulatory landscape.

For example, the AICD considered including a metrics dashboard in its Cyber Securities Governance Principles, but decided there wasn’t a gold standard that would work for everyone. Similarly, while ASIC’s imminent cyber survey of regulated entities broadly aligns with the National Institute of Standards and Technology (NIST) framework for managing cybersecurity risk, it doesn’t strictly follow the NIST framework.

3. It’s imperative to keep on top of the fast-changing regulatory and policy landscape

In tackling cybersecurity risk, actively seeking information and staying up to date with requirements are critical. Some of the most recent policy developments with implications for organisations include:

• The Australian Government’s 2023-2030 Australian Cyber Security Strategy Discussion Paper, released in February
• The recently strengthened Security of Critical Infrastructure Act 2018
• Potential changes to the Privacy Act
• The Federal Court Judgment in the case of ASIC v RI Group Pty Ltd, which found the company breached its Australian Financial Services licence obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cybersecurity risks.

There is a fine balance between protecting consumer privacy and limiting organisations’ abilities to innovate and take advantage of the big data they collect. Even so, the panel believed the obligations on organisations would be increased if regulators do not see the cybersecurity uplift they are expecting from entities.

… it is imperative organisations build a strong cyber-aware culture, and that this is led from the top.

The panel acknowledged that growing government attention and reform in the cyber space meant organisations really needed to be proactive and build their cyber resilience now, which will put them in a good position to meet their increased obligations down the track. In addition, regardless of any policy changes, it is imperative organisations build a strong cyber-aware culture, and that this is led from the top.

4. Actuaries have a real role to play in demystifying cyber risk for boards

Cyber risk has been classified a ‘non-financial’ risk by boards, but the major breaches of the past year or so have shown there are direct financial implications beyond reputational risk, including customer remediation and class-action activity. A key role for actuaries going forward will be leading the modelling and estimation of cyber risk presented to boards, which would help make the risks clearer and more tangible to directors, and concentrate their focus.

Actuaries should also consider working closely with auditors, who are increasingly including cyber risk in notes to financial statements.

About the panellists

• Simon Mitchell is a Senior Policy Adviser in the Education & Policy Leadership team of the AICD. He focuses on cybersecurity, financial services and the not-for-profit sector, and how policy and governance developments in these areas impact AICD members. Simon led the development in 2022 of the AICD CSCRC Cyber Security Governance Principles. Previously, Simon had an extensive career in Commonwealth regulatory agencies, including the Australian Prudential Regulatory Authority, and the Australian Competition and Consumer Commission.
• Win-Li Toh is a Principal and cyber lead at Taylor Fry. She was one of the lead authors of the Actuaries Institute Green Paper Cyber Risk and the Role of Insurance, released in September 2022. Check out Win-Li’s profile to find out more about her work, experience and extensive industry contributions.
• Amanda Zeller is the Senior Manager of Supervisory and Operational Resilience at ASIC. She works with a dedicated team to deliver ASIC’s Supervisory Cyber Resilience Strategy, focusing on engaging with stakeholders, building internal capabilities, benchmarking our regulated population and driving behavioural change. She works in partnership with stakeholders, including industry and government. Amanda is also Regional Commissioner, Queensland, and represents ASIC locally in this capacity.