On October 9, 2019, The Australian released a “special report” liftout regarding cyber security. On the front page of the report was an excellent article by James Dunn that outlined the responsibilities of the board when it comes to cyber risk management.
He points out that boards have ultimate responsibility for cyber risk and that it is often left in the hands of IT to manage. This is due to the complex and specialised nature of cyber security.
The fact that this article was situated on the front page of the report points to the need for leadership of all sizes of organisations to place this communication gap higher on the agenda.
There is no question that cyber risk is one of the top concerning risks for all organisations. The fact that cyber incidents often lead to brand and reputation damage as well as breaching customer trust, makes cyber risk one of the top risks an organisation faces.
Let’s draw a parallel with a well-known Australian legal action, commonly referred to as the Centro case (2011). From a summary by Clayton Utz:
“ASIC argued that Centro’s directors had breached their duties under sections 180 and 344 of the Corporations Act, because its 2007 annual accounts had not complied with the Corporations Act and the accounting standards…”
Also:
“…the directors’ argument was that they could not be held to have breached their duty through failure to notice an omission that had escaped the attention of both management and the auditors.”
Clearly, this case was regarding financial risk and not cyber risk, but there is already at least one action in Australia where the directors and officers may be held responsible for a breach of privacy as a result of a cyber incident. Claiming that they didn’t know they had a risk or understand the mitigation measures in place should not be a defense. This is a parallel to directors saying that they didn’t have the financial expertise to understand accounting reports when they signed off on them.
Whilst a sufficient understanding of financial risk management is a core requirement for directors, the same cannot yet be said for cyber risk management. This is not due to a lack of interest, quite the contrary; however, there is still a culture of IT teams owning these risks.
I have seen many detailed and well-written cyber risk reports that clearly explain the risks to me, because I have experience conducting cyber risk assessments and know what the issues mean when they arise. They would, however, be difficult to understand for someone unacquainted with the assessment process.
IT risk assessors should be presenting reports in plain language that can be understood by leaders outside of IT. Boards and leaders should also expect to see clear regular summaries of cyber risk management controls and incidents, so that they can understand them and articulate them as required.
Bridging this gap is a key focus of the CAP’s services. Please get in touch if you have any questions.