Much has been said recently about boards becoming more aware of their organisation’s cyber risks, and what is being done to mitigate them. APRA’s CPS 234 Information Security regulation, which became enforceable on July 1st 2019, goes as far as to place responsibility for the oversight of an organisation’s information security directly in the hands of the board:
“The Board of an APRA-regulated entity is ultimately responsible for ensuring that the entity maintains its information security.”
There is no question that boards, and executives outside of IT, are demanding accurate and relevant facts on their organisation’s information security and cyber-related risks. Cyber risk management strategies and issues must be reported to boards without obfuscation or the far-too-common “papering over the cracks.” Too many times I have seen the most important information, both good and bad, hidden in a swathe of unnecessarily technical gobbledygook.
Unfortunately, the hiding, intentional or otherwise, of important information in swathes of unnecessary information is not limited to cyber risk. Directors are frequently overwhelmed by the amount of information provided to them in board papers, which in some cases run to several hundred pages.
After many years working in various aspects of cyber risk, there is one consistent issue that I have rarely seen adequately resolved: Lack of effective communication of cyber risk issues and mitigation strategies from the IT security management “coalface” to senior management and the board.
One reason that many of my peers and I find this so frustrating is because it doesn’t help anyone. IT teams are better served when both executive leadership and the board understand the magnitude, and potentially devastating impact, of the cyber risks their organisation faces. Visibility into control capability gaps and the remediation strategies for cyber risks helps drive the prioritisation of the IT security budget.
Leaders demand to know more about their cyber risks, and APRA has made board responsibility a regulatory requirement; this may well be a sign of things to come for unregulated organisations too. Under CPS 234, responsibility for ensuring that unregulated third-party service providers are prepared for cyber incidents lies with the regulated entity, so the “tendrils” of CPS 234 extend beyond regulated entities themselves.
In their CPS 234 Practice Guide (CPG 234), APRA have helpfully provided some “examples of information that could be provided to the Board and management as part of their oversight of information security…” I have analysed the value of these examples with colleagues in cyber risk and information security as well as board directors, each with their own unique perspective of what is interesting, important, and obligatory information for management and boards to be familiar with. We believe that with some adjustments and a data collection, analysis and reporting framework, the APRA examples can provide a solid basis for concise and effective management and board cyber risk reports.
Taken at face value, the categories are straightforward: “Capabilities; Incidents; Controls and Education.” Once broken down to the source documents required as input to these categories, there could be a requirement to review and report on at least 40 different sets of information for a single entity. As part of good governance, this information also needs to be assessed for currency and quality: executives and boards need to know that they are reading from the most current and accurate playbook. It is easy to see how board reports can become so large and unwieldy.
There are areas of cyber risk management that are missing from the APRA examples and should be built into the reporting framework. One example is regulatory compliance outside of APRA, which is especially important for organisations that do business in jurisdictions with privacy regulations of concern, such as the EU and, more recently, California. Another example is insurance. Whilst CPS 234 is strong on incident response planning and testing, nothing is mentioned regarding the role of cyber insurance in incident response and financial resilience. Directors and officers of companies should also be aware of their potential liabilities arising from cyber incidents and how insurance may respond in various scenarios.
With a process of distillation and information gathering governance, it is possible to refine and expand on the examples given by APRA to provide succinct cyber and information security risk reports for management and the board when required: a customised and accessible cyber risk board reporting framework. Because it is built on APRA’s own examples, the reporting framework is designed to withstand regulator scrutiny. An effective framework leads to better communication of cyber risk and mitigation strategies and a more streamlined reporting process, and in turn to a better understanding of an organisation’s past, current and planned cyber risk management issues and strategies.
It is not possible to guarantee that an organisation is immune from a damaging cyber incident. Effective dissemination of information around cyber risk management brings any resilience issues to light for management and the board. Increased understanding of cyber risk management will also improve the organisation’s cyber risk culture and assist in reducing the scale of post-incident impacts, for example damage to brand and reputation.
For years now it has been hard to find an article on cyber risk that doesn’t say somewhere that IT security and resiliency are “…a business risk, not just an IT problem.” By this rationale, all business leaders should have access to, and the opportunity to question, effective cyber risk management reports.
Please contact us if you would like to discuss cyber risk board reporting.