ASIC guidance… questions you should ask your board about cyber risk
Risk management framework
Question 1: Are cyber risks an integral part of the organisation’s risk management framework?
The board should ensure that cyber risk is an element of the broader risk framework and that exposures are recognised, assessed for impact against clearly defined metrics such as response time, cost and legal or compliance implications, and planned for so that they attract investment commensurate with a risk-based assessment.
Question 2: How often is the cyber resilience program reviewed at the board level?
Given the rate of change in the cyber risk landscape, and the speed at which a business can be severely compromised (potentially within hours or days), the board should consider whether periodic reviews that are more frequent than those for other risks in the risk management framework should be adopted.
Identifying cyber risk
Question 3: What risk is posed by cyber threats to the organisation’s business?
Different businesses will be exposed to different cyber risks and different potential consequences. It is important for the board to reflect on risks relevant to the particular business of the organisation. Without understanding the nature of the risk and its consequences it is difficult for a board to set a suitable risk tolerance for the risk and to ensure that cyber risks are adequately dealt with by the organisation’s risk management framework.
Question 4: Does the board need further expertise to understand the risk?
Although boards may not require general technology expertise, for many companies it may be advisable to have one or more directors who have a strategic understanding of technology and its associated risks, or who have a background in cybersecurity.
In some circumstances, the board should consider the use of external cyber experts to review and challenge the information presented by senior management.
Monitoring cyber risk
Question 5: How can cyber risk be monitored and what escalation triggers should be adopted?
Trying to identify a cyber risk may pose particular challenges. Organisations at the forefront of good practice are using intelligence-driven solutions to deal with this challenge.
For some organisations, malicious cyber activity may be devastating to business operations. It is therefore important to consider what events should trigger the provision of more detailed information on the risk to senior management and the board.
Question 6: What is the people strategy around cybersecurity?
Despite significant advances in cybersecurity technology and products, lack of staff awareness of safe cyber practices, social engineering and negligent behaviour remain a major source of cyber issues.
Boards should satisfy themselves that there is sufficient investment in staff awareness training given its prominence as a source of risk—and because a collective effort against cyber threats will better serve an organisation.
Question 7: What is in place to protect critical information assets?
The board should be satisfied that critical information assets of the organisation are appropriately secure. There should be transparency surrounding the location of all critical assets (including third-party partners and service providers), how they are protected and how protection is being assured.
Question 8: What needs to occur in the event of a breach?
Boards should ask themselves:
If and when a problem arises, what processes are in place for communicating effectively, internally and externally, and managing the situation?
Has there been a sufficient level of scenario planning and testing to ensure that response plans are valid and up to date, including with third-party suppliers and dependants?
Boards may need to ensure that security and customer trust are central considerations as companies strive to deliver innovative products and services through technology.