Intense focus on cyber risk management and resilience
Following the Optus and Medibank incidents, companies have (quite rightly!) been scrambling to refresh their cyber incident response plans, run cyber simulations and update boards on their incident response arrangements.
But while companies have been laser-focussed on how they might respond to a cyberattack, regulators are doubling down on the importance of day-to-day cyber risk management and operational resilience (ie the ability to anticipate and withstand a cyberattack). And after a few years of largely principles-based regulation, they are becoming much more prescriptive about their expectations.
In the last 12 months alone, we've seen a global deluge of new and proposed regimes and enforcement action focussed on cyber risk management and operational resilience.
The message is clear—being prepared to respond to a cyber incident is not enough. Cyber risks and the potential operational impacts should inform every major business decision and activity (from product design and development, to mergers and acquisitions, to procurements, to digital transformation). The sub-text is that no one person or team should (or can) manage cyber risks—effective cyber risk management demands a cross-functional approach.
As we gear up for another year staring down a new Critical Infrastructure Risk Management Strategy and Plan, Privacy Act overhaul and an increasingly volatile cyber-threat environment, here are four questions boards and senior management should be considering, along with some practical tips.
1. Do we have an up-to-date, fit-for-purpose cyber risk assessment?
To effectively manage cyber risks, companies need to understand their cyber risk profile.
This should involve an assessment of:
- the cyber risks they face (threats and vulnerabilities) and how they translate to regulatory risks and other legal exposures;
- the operational, financial and reputational impacts should those cyber risks eventuate; and
- the effectiveness of current operational and technical controls.
The problem is that while a lot of organisations undertake cyber risk assessments, not many of these address the range of risks and potential business impacts that regulators have in mind. This is in large part because cyber risk assessments have historically been procured by Cyber or IT teams and undertaken by technical experts without input from Legal, Risk and Compliance. And while technical assessments are critical, when it comes to managing cyber risks they only tell part of the story.
Regulators are now emphasising that cyber risk assessments need to do more than contemplate technical risks and impacts.
Tips:
2. How do the identified cyber risks translate to financial exposure?
Articulating the financial drivers and impacts of cyber risk and the extent to which certain measures will increase or decrease them is essential—and financial information is the common language that tends to best translate cyber risk information into measurements that matter to boards and the broader business.
While it's not possible to quantify and predict cybersecurity risks with certainty, it is possible to make informed estimates that enable the organisation to compare cyber risks against the other risks it faces and, by extension, make more informed decisions. These decisions include where to invest, how to assign resources, where to refine business processes and how to balance strategic priorities against immediate tactical issues.
Tips:
3. Do we regularly report on cyber risk metrics?
Organisations should regularly report on:
- the performance of the operational and technical controls they implement to address the material risks identified in their cyber risk assessments (KPIs); and
- any early indications of either increasing cyber risk exposure or operating outside their risk tolerance (KRIs).
In addition to helping organisations decide where to spend money, allocate people and refine business processes, reporting on cyber risk metrics (including on resilience to future adverse cyber events) is increasingly becoming a regulatory requirement. For example, if introduced as drafted, APRA's proposed new operational risk management prudential standard CPS 230 will require extensive reporting to the board on the operational risk profile of the regulated entity (including on the performance of, and effectiveness of controls to manage risks associated with, material service provider arrangements). In the US, the SEC has proposed regulations that would mandate the disclosure by US public companies (including foreign private issuers) of details regarding their cyber risk management, strategy and governance arrangements in annual reports and other periodic reports.
Tips:
4. Have we assessed how our cyber risk management framework is operating in practice?
Almost every regulatory enforcement action we've seen of late has included an allegation (if not a finding) that the relevant organisation did not have in place the frameworks, policies, procedures, processes, controls or resources necessary to manage data, cybersecurity and cyber resilience risks and enable compliance with its regulatory obligations.
But it is now clear that this is not enough. Having systems, processes and frameworks in place to manage cyber risks is not sufficient; nor is documenting those measures; nor is it enough for organisations to 'review design effectiveness'.
Regulators (and APRA in particular) want to see organisations 'focus on operating effectiveness—how these things work in practice', and where frameworks don’t operate as intended, to assess why that is occurring.
Interestingly (though perhaps unsurprisingly), APRA has also suggested that when it comes to investing in risk management capability and architecture, organisations need to do more listening to their Risk, Legal and Compliance functions who typically have a dimmer view of risk management across those organisations.
Tips:
As always, if you'd like to discuss any of these in greater detail, please do reach out. We'd also love to hear from you if there's anything else (on this or a related topic) you'd like to hear about.