A recent guide from the AICD, Cyber Security Cooperative Research Centre and Ashurst outlines how directors can oversee a cyber crisis in their organisation.
Boards need to be confident their organisation is prepared for a cyber incident and should be ready to support management in a cyber crisis, say directors.
A new guide on governance during a cyber crisis by the AICD, Cyber Security Cooperative Research Centre and Ashurst outlines how directors can oversee a cyber crisis in their organisation. Governing Through a Cyber Crisis: Cyber Incident Response and Recovery for Australian Directors outlines what directors need to do in the four stages leading up to and encompassing a cyber incident: Readiness, Response, Recovery and Remediation.
Readiness
It is the board’s responsibility to oversee the management of cyber risk, the guide states. “Cyber risk management should be integrated into an organisation’s objectives and risk management framework — dealt with as a wider organisational risk, not just an IT risk,” it says.
An effective cyber crisis response starts with a current and comprehensive cyber incident response plan that is regularly tested and updated. Boards need to satisfy themselves that this plan is in place.
John Mullen AO, Treasury Wine Estates and Brambles chair, and incoming Qantas chair, says all the companies he is involved in have extensive cyber preparedness programs. He adds that the board is regularly updated and continually involved with drilling down and double-checking that everything possible has been planned for to minimise the impact of a cyber incident.
He says many directors, and Mullen includes himself in this group, aren’t qualified to adequately question the cyber team about their preparedness. He recommends having outside experts regularly test the plan, including through penetration testing, and involving the board in that testing. “Even if you’ve got complete confidence in your own team, still do it,” he says. “Just continually test and probe.”
David Thodey AO FAICD, chair of both Xero and Ramsay Health Care, says all the boards he is involved with have taken part in cyber incident simulations alongside management, using an external facilitator who decides the scenario and throws out a few curveballs along the way. Boards and management can never over-rehearse, he says, because they always learn something new.
Response
An organisation’s cyber breach plan should have clearly delineated roles and responsibilities, so that directors don’t all jump on the phone to the CEO when a crisis strikes, says Kate Carruthers, chief data and insights officer at the University of NSW. “When the crisis hits, it’s too late to be asking, who do we need on the board to help with this?” she says. Another consideration is to decide which person in the organisation actually makes the call that an incident is in fact a crisis, and puts the crisis plan into motion. Carruthers outlines the smooth running of a cyber incident at an organisation she was involved with.
“For a start, people knew who to alert,” she says. “We already knew the comms person who was going to run with all the comms. We were able to retain an organisation called IDCARE, which could be there to talk to the individuals whose data had been breached. All of that logistical stuff was already in the plans.”
To this Thodey adds that it’s important to have clarity on delegations about which decisions management can make and which need to come to the board — and whether a board subcommittee could make a decision or if it could be left to the CEO and the chair, because of the difficulty of getting people together at short notice.
In a cyber crisis, no-one knows what’s going to happen in the next 10 minutes, or the next two hours, so being able to call the management team and board together quickly is crucial. Where Thodey has been involved in cyber crises, the board and management have had a morning and an evening call for an update. He has always made sure that he or another director was also available during the day, should there be the need to bounce something off the board.
Another important consideration in the prepared cyber plan is the practical matter of how management and directors actually communicate.
“Because when an incident happens, things happen very quickly — and even deciding whether you’re going to use email or a Slack channel or a secure social media platform is really important,” says Thodey. “You need to have a single source of truth.”
Directors say it’s important to draw on external experts during the response phase, because the experts will have been through such crises many times and will be up to date with cybercriminals’ latest tactics.
The board must be comfortable that appropriate communications have gone to customers and employees during a data breach. The board must also be satisfied that all required regulatory notifications and reports have been made, including under relevant critical infrastructure and privacy legislation.
“One of the challenges in real life is that when these things happen, usually, you don’t really know what has happened for some time,” says Mullen. “Naturally, you get customers and people clamouring, ‘Oh, we need to know immediately’. Getting the balance between communicating, but not communicating the wrong thing because you go too early, is the real finesse that the board has the responsibility for.”
Recovery
The recovery phase begins when the crisis has been contained and no longer represents an immediate risk to an organisation’s data, systems, people and customers, with systems operating at a level that enables business-as-usual (BAU) activity to resume. The role of the board in the recovery phase is to oversee and assist management in securing systems, understanding the impact and what went wrong, and returning the entity to BAU.
Communication remains a central part of the process. “As you get into recovery, and depending on the type of incident you’ve had, priority of communication to your customers, to your staff and all your stakeholders is really important,” says Thodey.
“Usually, where these things go wrong is when there’s lack of clarity or information, or there’s not proactive communication. People want to know and they need to know where to go to get the information. They want an answer and if we don’t have an answer, they need to know.”
Once the incident has been contained, the organisation will need to investigate the scope of any data breach. A full post-incident review should be sponsored by the board, with the final report, findings and recommendations considered by the board.
At large, complex organisations, it is good practice for the review to be undertaken by an independent third-party expert, the Governing Through a Cyber Crisis guide suggests.
“Sharing with other organisations is really important,” says Mullen. “We all tend to be competitive and protect our own patch. People don’t like to admit they’ve been taken for a ride or whatever. This is a battle for everybody. This is a war we’re all in and we should shelve competitive protection and share the lessons from one company to another, even in the same industry.”
Remediation
The board has a key role in the long-term remediation phase of a cyber crisis where the organisation is seeking to rebuild trust and reputation and making investments to significantly strengthen its cyber defences, the guide states. The board should expect a clear plan for each of these key activities, with regular reporting and updates. “In particular, the board should be satisfied with the speed of remediation and uplift, and the adequacy of resources to support each activity.”
Remediation plans should be customer-focused, well-resourced and swiftly implemented. The board should oversee continuing effective communication and support for employees, customers and third parties who may have been impacted or potentially harmed by the incident. Directors should also oversee remediation, compensation and complaints-handling processes.
“The board has to ask questions, ask to see the plans, ask to see the execution of the plans and see the reporting on how things went,” says Carruthers. “But at the end of the day, they really do have to trust that management is doing what they’ve said they will in response to a crisis.”
Carruthers notes that financial implications such as a declining share price, compensation costs, claims and court cases are a bigger concern than damage to a company’s reputation.
Thodey likewise believes that reputational damage can be limited because consumers understand that cyber incidents are inevitable. “Incidents create enormous disruption, but people are understanding if they perceive the affected organisation is taking it seriously and doing everything possible to restore the situation.”
To pay or not to pay
The decision whether to pay a ransom is complex and should be the responsibility of the board. This role should be clearly documented in the response plan, the cyber crisis guide states. “It’s one of those really fraught issues and it will probably depend on the kind of data you’re dealing with,” says UNSW chief data and insights officer Kate Carruthers.
For instance, if it’s individuals’ health data that can’t be reproduced, then there is a reasonable case to pay the ransom.
But even if a company pays a ransom, there is no guarantee its data will be returned or that the bad actors won’t sell it on to others, although the criminals know that failing to uphold their end of a ransom bargain undermines their business model.
“For a large corporation with financial resources, my view is absolutely don’t pay a ransom,” says Brambles chair John Mullen AO. “It just encourages it and you’ll never get rid of it. But if you’re a small business and your whole livelihood depends on it, if your house is on the line with the bank, I’m not sure anybody can tell you don’t do it, particularly when the amounts are quite small.”
The legality of making a ransomware payment is unclear, the guide states. Although there is no express prohibition on payment of ransoms in Australia, certain laws, such as the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, mean that in some circumstances payment of a ransom might be illegal.
The guide recommends directors take a risk-based approach to ransom decisions.
This is the approach Xero chair David Thodey AO FAICD takes. “It depends how much is being asked and the probability of that problem being solved — that is what a board needs to make a judgement about,” he says. “In principle, none of us want to pay a ransom as an ethical position. That’s sometimes in the best interest of the company.”
But not paying a ransom could affect hundreds of thousands of people, he adds.
Cyber is high-priority
At a February webinar, Christian Gergis GAICD, AICD Head of Policy, Rachael Falk MAICD, CEO Cyber Security Cooperative Research Centre, and John Macpherson, Ashurst risk advisory partner, linked robust cyber practice with emerging developments in AI and answered pressing questions from directors.
Read a summary of the webinar — Governing through a cyber crisis here.
This article first appeared under the headline 'Wrangling a cyber crisis’ in the May 2024 issue of Company Director magazine.