Navigating a critical cyber security incident

The AICD has published a new cyber security governance resource for members. The resource will assist directors of all sizes of organisations effectively prepare for, and govern through, a critical cyber security event.

The publication

Governing Through a Cyber Crisis: Cyber Incident Response and Recovery for Australian Directors was published on 28 February 2024 featuring an endorsement from the Minister for Home Affairs and Minister for Cyber Security, Ms Clare O’Neil MP. The resource is available here, along with a Snapshot.

The publication was developed in partnership with the Cyber Security Cooperative Research Centre (CSCRC) and leading corporate law firm Ashurst. In developing the resource, we sought the views of government agencies, cyber security experts and directors with direct experience in navigating a cyber crisis.

The publication provides practical guidance for directors of all sizes of organisations on how to prepare for, and govern during a significant cyber security incident, such as a ransomware attack or the failure of key operating systems. We have sought to make the guidance as accessible as possible, with questions for directors to ask, governance red flags, visual aids and key points breakout boxes.  

To assist readers quickly obtain valuable insights we have also published the supporting 3-page Snapshot, which includes a page of practical guidance for directors SMEs and NFPs.

The development of the publication was informed by extensive consultation with government, industry experts and the director community over the past six months. The publication is intended to be a companion piece to the AICD CSCRC Cyber Security Governance Principles which we published in October 2022.

Key takeaways

As with the Principles, we have sought to place the guidance in the resource within established governance practices and approaches to risk management and crisis management. The resource is structured around 4 ‘Rs’:

• Readiness
• Response
• Recovery
• Remediation

In readiness, the importance of a comprehensive cyber incident response plan cannot be overstated in assisting a board, and the organisation, quickly and effectively respond to an incident. The response plan should clearly cover responsibilities during a cyber incident, including the role of the board, and detail the approach to communicating with employees, customers and government agencies.

In response, the board should quickly provide agile support and oversight of management and adjust board decision making processes. For larger organisations establishing a Cyber Incident Sub-Committee can provide timely governance during the response phase. Communications with impacted stakeholders should also be consistent, timely and transparent.

In recovery, the board should have confidence that systems and data have been securely restored and there is a comprehensive post-incident review process in place. The board should also seek to understand the impact on employee well-being from the crisis and oversee steps to support employees.

In remediation, a focus of the board should be that plans to remediate or compensate customers are well resourced and swiftly implemented. The organisation should also continue to effectively communicate with employees, customers and third parties who have been harmed by the incident.

Insights from senior directors

In developing the guidance we had a number of discussions with senior directors who have experience with governance practices and processes during a critical cyber security incident. The insights from these directors are reflected throughout the resource and include:

• The human impact of the critical incident should be a central focus of the board. This encompasses ensuring that all employees are safe during the immediate response phase, understanding and empathising with the impact on customers and taking steps to oversee the well-being of employees who responded to the incident and helped the organisation recover.
• The board often benefits from having dedicated external advisors to provide an independent perspective on the incident and the steps management are taking to respond and recover.
• Overseeing how the organisation is engaging with regulators, government departments and ministers is a key role of the board and at times the chair or individual directors may have to participate in key government discussions.
• There is often board uncertainty with how to disclose information and communicate during a cyber incident due to the lack of clarity on the incident and its impact. However, transparent and honest communications is key to effective response and rebuilding the reputation of the organisation.

Member feedback

We hope the resource will be a valuable contribution to existing cyber security guidance in Australia. We welcome feedback from members on the resource via policy@aicd.com.au.