The AICD and Cyber Security Cooperative Research Centre (CSCRC) have commenced a review of the Cyber Security Governance Principles first published in 2022. The review will update the Principles to ensure they remain the key source of governance guidance on cyber security in Australia and reflect a dynamic threat and regulatory landscape.
Evolving threats and regulatory landscape
The AICD and CSCRC published the Cyber Security Governance Principles (the Principles) in October 2022, soon after the significant cyber incidents at Optus and Medibank. Those incidents were a watershed in how Australian businesses and boards oversee cyber security risk. The Principles have been the AICD’s most downloaded resource and, based on strong member feedback, have assisted boards of organisations of all sizes and types to grapple with cyber security risk. They have also been recognised by the UK Government as an important source of guidance, following earlier endorsement from the then Minister for Home Affairs and Cyber Security, Clare O’Neil MP.
The AICD and CSCRC are committed to ensuring the Principles remain a key source of relevant governance guidance for Australian directors. We are aiming to incorporate leading thinking on how boards are building cyber resilience at their businesses.
Since publication, the cyber threat landscape has continued to evolve: cyber criminals are ever more sophisticated, organisations rely more heavily on digital technologies and data, and emerging technologies, notably artificial intelligence, are being adopted rapidly. Separately, significant cyber security and privacy reform is on the horizon, which will substantially change the regulatory frameworks relevant to how boards oversee cyber security risk and data governance. The update to the Principles will seek to reflect these changes.
Cyber supply chain risks
We intend to strengthen the existing guidance in the Principles on how a board can oversee reliance on third-party suppliers that provide the digital and IT services and capability central to many Australian businesses’ operations.
Outsourcing digital and IT functions can bring economic, innovation and cyber security benefits. However, it can also create distinct risks, including overreliance on a particular provider or providers. The CrowdStrike global outage of July 2024, caused by a defective software update rather than an attack, was a stark illustration of how many businesses have a cyber supply chain in which digital goods and services essential to the operation of the business can be imperilled by an external cyber failure or event, whether malicious or not.
Regulators are also focusing more closely on how cyber supply chain risks are being managed and, separately, overseen by boards. Notably, boards of critical infrastructure asset owners must now attest annually to the risk management practices of the business, including the management of supply chain risks, under the Security of Critical Infrastructure Act 2018. The Australian Prudential Regulation Authority has also introduced a new prudential standard on operational risk management (CPS 230) focused on operational resilience, including the management of material service providers.
Critical cyber incidents
In February 2024 the AICD, CSCRC and professional services firm Ashurst collaborated on the publication Governing Through a Cyber Crisis - Cyber Incident Response and Recovery for Australian Directors.
Since the publication of the Principles in 2022 there have been further high-profile cyber incidents and greater scrutiny of the decision-making of organisations and boards during those incidents. The Cyber Crisis resource has filled a gap in pragmatic guidance for boards, helping them prepare for, respond to and recover from a critical cyber incident.
In developing that resource, we gained critical insights that we plan to reflect in the update of the Principles. For instance, when responding to a critical incident the board should pay close attention to the human impact of the cyber crisis, on both employees and customers.
A board that is alive and responsive to how people are being affected is better placed to rebuild the organisation’s reputation. This may entail more transparent, timely and empathetic communications, remediating impacted customers (for example, replacing compromised identity documents) and putting in place steps to recognise the commitment of employees.
Input from members
To assist us in this update we welcome feedback from members on their use of the Principles and areas for potential improvement. Feedback is welcome via policy@aicd.com.au. We would particularly like to hear from members on the following questions:
- What guidance in the current Principles is out of date or not consistent with current cyber security governance and risk management practice and trends?
- Have you encountered any conflicts between the Principles and other cyber security frameworks, guidance or regulations?
- Are there any case studies or best practices related to cyber security governance in Australia that you would be willing to share?
- How can we improve existing targeted guidance for directors of not-for-profits and small businesses?