INSIGHT

AICD's guide for directors on governing through a cyber crisis

By Valeska Bloch, Lauren Holz, Harry Chapman

Steps to get your board prepared

On 28 February 2024, the Australian Institute of Company Directors (AICD) published Governing through a cyber crisis: cyber incident response and recovery for Australian directors (the guide).

The full guide is an essential read for directors, in-house counsel and senior management.

The AICD has already produced a handy snapshot of the guide, so we haven’t summarised it ourselves (we also think it is worth reading it in full, if you can).

Instead, this Insight highlights some of the more interesting and nuanced points, and provides our observations, commentary and suggested next steps.

About the guide 

The guide should be read alongside the Cyber Security Governance Principles (see the snapshot here) published by the AICD and the Cyber Security Cooperative Research Centre in October 2022, which focussed on cyber risk management and resilience (as opposed to cyber incident readiness and response, which is the focus of the new guide).

The guide is a living document that the AICD says will be updated periodically. It is not binding and has no regulatory force, but it is thoughtful, practical and comprehensive and we expect it to set expectations (both in the market and amongst regulators) as to how directors should govern through a cyber crisis.

The guide outlines key points and questions, red flags and further detail in respect of each of the key phases of a cyber crisis—readiness, response, recovery and remediation. It also provides additional information on the board’s role in dealing with cyber extortion.


Observations

1. Cyber readiness

The guide emphasises that boards should be confident their organisations are cyber-ready, not that there are no gaps in cyber readiness. In fact, any suggestion by management that there are no such gaps could itself be a red flag for the board to probe further.

Note: in all of the recent cyber incident class action claims (in relation to the Optus and Medibank incidents) the fact that a major data breach has occurred is said to support an inference that the defendant's data-handling and cyber security systems and controls were inadequate in some way.

However, the occurrence of a data breach incident (whether or not caused by a third-party threat actor) does not in and of itself mean an organisation's privacy or data protections are non-compliant with applicable law, particularly in circumstances where the threat landscape is evolving and increasingly sophisticated.

As the OAIC itself found in its investigation report in September 2011 into the Sony PlayStation Network/Qriocity data breach (which considered the predecessor to APP 11.1, NPP 4.1): 'A targeted attack does not necessarily mean that the organisation has failed to take "reasonable steps".'[1] Although this investigation is now dated, we view this position as unchanged.

For further detail on data breach class actions, see: Takeaways from the Optus and Medibank data breach class actions.

2. Evolving threat landscape

The guide emphasises the dynamic nature of cyber readiness and recommends:

  • ongoing consideration of emerging risk scenarios (including as part of training and simulations);
  • incorporating lessons from real incidents into response plans and training; and
  • regular testing and continuous improvement of response plans.

3. Active board involvement and board process

The guide lists areas that may require more active involvement by boards. It also comments on board processes during a crisis, and on the importance of balancing the board's need for reporting (to enable appropriate oversight of the incident response) against the recognition that management will be under significant pressure and focussed on responding to the incident. The guide suggests that, although board papers should be prepared and presented on key actions being undertaken, emerging and current risks, and progress on critical issues, extensive board papers won't always be necessary and verbal briefings and updates via email may be adequate.

Areas for more active board involvement include:
  • Supporting and overseeing management’s key decision-making and responses.
  • Oversight over engagement with key stakeholders, including government, key shareholders, customers and critical third parties (particularly, but not exclusively, for SME organisations).
  • Supporting the management team’s communications and media strategy.
  • Approving out-of-cycle/extraordinary budget items.
  • Making decisions regarding ransom demands.
  • Ensuring the organisation is taking actions to limit the risk of harm to any impacted individuals.
  • Noting the increasing risk posed by supply chain attacks, engaging with the leadership team to ensure adequate measures are in place to manage and continually reassess cyber risk in the organisation's supply chain (including subcontractors).

    Note: management of supply chain risk is an increasing focus for a range of regulators, including the OAIC and APRA. It is also a key feature of APRA's new Prudential Standard CPS 230 (Operational Risk Management)—see our CPS 230 Practical Implementation Guide.
  • Assessing and supporting the executive to identify and manage 'downstream' risks to the organisation, including litigation, investigation and reputational risks.
  • Helping organisations navigate business continuity issues.
  • Testing with management whether the preservation of evidence is being prioritised if future litigation or regulatory proceedings are anticipated.

In addition to undertaking regular training, the guide also recommends that boards subscribe to the latest advisories from the Trusted Information Sector Network (administered by the Department of Home Affairs) and the ASD's Cyber Security Partnership Program. Given the technical nature of some of this advisory content, this may be a useful prompt to check in with management as to how key government advisory content is digested and actioned—particularly those with a national security impact (eg specific advisories and governmental engagement regarding nation state threat actor risk).

4. Employee welfare and apportionment of accountability

Acknowledging that 'fatigue suffered by those responding to a cyber incident has a measurable impact on performance and recovery', the guide recommends that boards satisfy themselves that management has taken appropriate measures to understand and mitigate the psychosocial risks associated with the fatigue and stress experienced by employees and frontline staff during an incident response, as well as unacceptable behaviours from impacted customers and the public.

5. No scapegoating

The AICD also considers it a red flag for organisations to blame failures on one or two individuals and instead emphasises that accountability be apportioned fairly. This is because organisations as a whole are responsible for cybersecurity and cyber awareness, so the failure of one employee can often indicate a failure of the organisation.

6. Customer remediation and compensation

The guide emphasises the importance of an effective remediation, compensation and complaints-handling process in actively contributing to restoring customer trust, meeting regulator expectations and mitigating future litigation risks. It suggests the board should approve (or delegate the approval of) customer-remediation and compensation plans.

Note: this is also an increasing focus for the Cyber Security Response Coordination Unit (CSRCU). The CSRCU is (amongst other things) assisting Australian corporates to navigate and coordinate engagement with the multitude of agencies required to assist in replacing or putting holds on government-issued identity documents or other identifiers that may have been compromised in a cyber incident. Cyber incident response plans should contemplate this process, as well as other support that may need to be provided to affected individuals, such as counselling, credit monitoring, reimbursement etc.

7. Specific guidance for larger organisations

The guide contains a range of guidance specifically targeted at larger organisations.

Guidance for larger organisations includes:
  • Larger organisations should consider establishing a cyber incident sub-committee of the board that can provide effective and agile governance during a cyber incident response.
  • Larger organisations should consider establishing a remediation and post-incident review team in parallel to the response team.
  • Security control testing should be undertaken by independent cyber experts with a mandate to objectively challenge the design and appropriateness of controls, identify gaps and highlight areas requiring investment and uplift. Control testing reports should be made available to the board.
  • It's good practice to establish a standing crisis management team (CMT) responsible for developing and executing the response and recovery from any crisis incident. The CMT should include:
    • the CEO as the primary decision-maker
    • a CMT leader who guides the team through response processes and protocols
    • functional leaders with responsibility for separate workstreams
    • subject matter experts or specialists.
  • Response plans should involve a hierarchy of integrated operational and executive-level response plans.

    Note: the AICD has also included guidance on what a comprehensive cyber response plan should include. Amongst other things, it recommends including business continuity and disaster recovery considerations—eg appropriate and specific backup / workaround arrangements to restore data and systems, including in a 'worst-case' scenario where there is a long-term outage or multiple systems are impacted simultaneously.
  • The importance of regularly running both whole-of-business and team/roles-based training and cyber simulations.
  • In the event of a cyber incident, larger organisations should plan to engage external legal support; crisis management expertise; a third-party forensic investigator, IT consultants or incident responders with cyber capabilities; a public relations consultant to manage the media and communications; and—in the event of a ransomware incident—a ransom negotiator and cyber risk consultant.

8. Communications and reputation management

The guide places significant focus on consistent, timely and transparent communications as a way to mitigate third-party impact and also minimise reputational damage to the business. In particular, the guide notes that major cyber incidents can prompt emotional responses from impacted customers and members of the public, and recommends that any communications are sensitive to this. It also emphasises that any statements made should be stress-tested for accuracy, particularly given the facts are likely to be rapidly evolving in the early stages of an incident.

Note: response plans should include an integrated communications plan with clear principles agreed at the outset to guide messaging, and ideally copies of template communications that can be adapted appropriately.

9. Regular cyber simulations

The guide suggests that good practice is to run simulation testing at least twice a year, using different scenarios, supported with focused desktop training sessions throughout the year. Critical infrastructure entities, or those at higher risk due to the nature of their industry, operations or the data they hold, should look to run simulations on a quarterly basis. For more on cyber simulation programs, read Why every company should have a structured cyber simulation program.

10. Customer remediation and compensation

The guide emphasises the importance of an effective remediation, compensation and complaints-handling process in actively contributing to restoring customers' trust, meeting regulator expectations and mitigating future litigation risks. It suggests the board should approve (or delegate approval of) customer remediation and compensation plans. Specific, targeted recommendations for impacted customers are advised, as is communicating empathetically with affected stakeholders.

Note: the CSRCU is playing an increasingly active role in helping to coordinate the approach across multiple government agencies where government identity documents are compromised. We recommend involving the CSRCU prior to finalising a customer remediation program to ensure the proposed program is in line with evolving agency practice.

11. Legal input

The guide acknowledges that 'timely and comprehensive legal advice will often be critical to a board and organisation effectively responding to a cyber crisis', and expressly identifies a range of areas in which boards require legal input. It also flags the need to ensure early consideration is given to the trigger points for engaging external support (whether legal support or other inputs to inform legal advice, such as forensic services).

Areas for legal input include:
  • Mandatory disclosure (including continuous disclosure) obligations and trading halts.
  • Compliance with regulatory requirements.
  • Contractual requirements to make notifications (including on the required content and timeframes of those notifications).
  • Retention of evidence.
  • Engagement of third parties.
  • Preserving legal professional privilege.
  • The legality of paying a ransom and the risks of legal enforcement action.
  • The legal risks and exposure resulting from the incident.
  • What lessons can be openly shared with key stakeholders.
  • Sharing advice with third parties, including the ACSC and the National Cyber Security Coordinator.
  • Insurance policy coverage.
  • Harm reduction decisions and actions in the event of a breach of personal information.

12. Data governance

The guide reinforces that a comprehensive data governance framework is one of the fundamental building blocks of an effective cyber risk governance program. For example, clear mapping of data assets will assist the board in a cyber incident to quickly assess the sensitivity of any affected data. The guide's specific reference to data governance reflects a renewed, broader focus on data governance as a critical component of cyber risk management and underscores the importance of keeping existing data governance frameworks regularly updated.

13. Allocation of, and access to, necessary funds

The guide specifically suggests boards should consider whether sufficient resources and funds are available to the business to remediate cyber incidents 'at the appropriate scale and pace'.

14. Prioritisation of contractual requirements, including notifications

In addition to notifications to affected individuals and applicable regulators, the guide calls out the potentially significant contractual implications associated with a cyber incident. Taking into account that there may be a wide range of disparate contractual obligations triggered in the event of a cyber incident, it suggests boards consider whether the business has prioritised the various relevant obligations in order of urgency. It also recommends factoring timeframes for necessary contractual notifications into the overall list of notifications, which should be included in incident response plans.

What should you do next? 

  1. Consider the adequacy of your cyber incident response plans and your update schedule – ask whether they:
    • include a methodology for conducting compromised data assessments?
    • contemplate the mental health and wellbeing support that may be required for staff impacted by the incident?
    • include a customer remediation plan?
    • include a detailed communications plan?
    • include triggers to ensure legal and other external experts are being brought in, and expert advice is being sought at the right time?
    • have sufficiently flexible triggers for updates to the plan to allow for continuous improvement, having regard to the evolving threat landscape and lessons learnt from recent incidents?
  2. Check back in on your data governance framework. Many of these have faltered over the past few years with the increased focus on cyber controls, despite the two being inextricably linked (after all, cyber incidents often shine a light on deficient data handling practices). In addition to confirming ongoing compliance with the framework, organisations may need to refresh policies and processes.
  3. Revisit your cyber simulation and training program. Are simulations being run frequently enough? Are learnings incorporated into your response plans?
  4. Maintain a register of contractual requirements (eg notification requirements) that may be triggered in a cyber incident.
  5. Confirm whether IT security reviews (including security control testing) are being undertaken by independent cyber experts with a mandate to objectively challenge the design and appropriateness of controls, identify gaps and highlight areas requiring investment and uplift.

For more on board considerations, download our guide: (Almost) Everything you need to know about cyber risks, resilience and responsibilities.

For those interested in the backstory to the guide…

Guidance for directors navigating cyber risks has been on the agenda for some time.

In August 2022, the Cyber Security Industry Advisory Committee issued its second annual report on Australia's 2020 Cyber Security Strategy. In that report, the Committee noted that clarifying the responsibilities and duties of boards and their directors in relation to cybersecurity through voluntary governance standards for cyber best practice was a critical and urgent next step.

Then, early in 2023, the Government released its first discussion paper on its proposed new 2023-2030 Cyber Strategy and commenced a comprehensive consultation process. One of the more controversial issues canvassed during the process was the introduction of legislation that would impose prescriptive requirements on directors in relation to cyber risk management.

This proposal was strongly and successfully (and, in our view, quite rightly) resisted across industry on the basis that directors' duties and other risk management requirements already do the job—they just need to be appropriately applied and enforced. Plus, the last thing corporate Australia needs is another duplicative regulatory regime.

But the consultation on this proposal also helpfully unearthed widespread acknowledgement that organisations were crying out for practical guidance in an area that had been lacking much of it (with the exception of a few short ASIC and APRA guides).

This latest AICD guide is, in many ways, the product of that demand.

Footnotes

  1. For more detail on this issue, please refer to the Allens Insight Takeaways from the Optus and Medibank data breach class actions (7 June 2023).