Recent global cyber attacks and data breaches, impacting organisations as large and prominent as the NHS in the UK, Sony and Yahoo, are a timely reminder that cybersecurity must remain a priority for directors and boards.
In the cases of Sony and Yahoo, where the personal data of millions of customers were hacked, the impact has been considerable. Cyber breaches of this kind don’t just affect the short-term bottom line; they reduce customer trust and damage the brand and reputation of organisations in the long term. This should sound warning bells for directors.
While directors should, of course, seek to mitigate the risk of cyber attacks occurring, the growing view is that such attacks may be inevitable. Governance leaders – which include boards and senior executives – are obliged to prepare themselves and their organisations to respond to such attacks, as well as their fallout.
Cybersecurity is firmly on Australia’s national policy agenda with Alastair MacGibbon’s May 2016 appointment as Special Adviser to the Prime Minister on Cyber Security to provide national leadership and advocacy on cybersecurity policy and the implementation of the Government’s Cyber Security Strategy.
Further, managing cybersecurity risk moved from “should-do” to “must-do” when the Privacy Amendment (Notifiable Data Breaches) Act 2017 was passed through parliament earlier this year.
This Act outlined that organisations are required to have appropriate response plans in place and are to notify affected individuals and the Office of the Australian Information Commissioner of data breaches that are likely to result in serious harm.
This puts the onus squarely on strategic leaders of organisations to develop a level of cyber literacy that will enable them to make sound decisions about the vulnerability of an organisation to cyber risk and how to protect an organisation against a cyber incident.
Of course it can be confronting for directors, senior executives and boards, many of whom are very experienced, to come to terms with this emerging risk. At the Australian Governance Summit in March, many commentators reflected on the rapid pace of digital change, increased cyber threats and technical jargon as limiting their ability to appropriately fulfill their duties. But, as directors, ignorance is no excuse. We are required to make ourselves aware of the issues, understand the risks and implement appropriate protections.
To this end, I was pleased to announce earlier this year that the Australian Institute of Company Directors (AICD) had entered a Memorandum of Understanding (MoU) with the CSIRO’s Data61 agency to improve the digital and cyber literacy of directors and boards across Australia.
Our goal is to facilitate a better understanding of cybersecurity by boards, appropriate risk management, the required investment and the opportunities for innovation that come with it.
And there is obviously demand for this type of information from members. In one of our first education initiatives with Data61, we hosted an introductory webinar for our members on the topic of cybersecurity which was either attended live or downloaded by more than 1,000 members, making it the most popular webinar in AICD history.
Over the coming months, Data61 and AICD will develop a comprehensive cybersecurity education and training program to enable directors and their organisations to grow and innovate with confidence.
Staying true to our mission, it will focus on corporate governance and the role of the board.
Data61’s collaboration with the AICD is an important step in ensuring that directors are fully equipped to deal with any matters their boards are likely to encounter.