The board's role in cyber security assurance

Cyber security breaches are a clear and present threat, no matter how large or small an organisation. Cyber security system weakness, combined with human error, make it simple for cyber criminals to penetrate IT systems, access valuable data and impact an organisation’s stakeholder trust and reputation. A simple truth is that whether you are a global business, a small business or an individual connected to the internet, you and your valuable data are at cyber risk.

It seems that every day we hear of data breaches, hacks and ransomware attacks. These must serve as a reminder to all organisations to ensure their systems are up-to-date and that appropriate controls are in place. And this also must be clearly understood throughout the organisation – from the board to management to staff. All must understand the vital role they play in stopping breaches and protecting valuable data and systems.  

Amid the barrage of policies and technical guidance, it is often forgotten that the reality of cyber breaches is surprisingly simple. In most cases, it comes down to the number ‘1’. That is the number of people a hacker needs to trick to gain access to data.

Already in 2020, we have seen high-profile attacks on Toll Holdings, Lion Drinks and Beverages and BlueScope Steel. The Federal Government sent out a clarion call to organisations, businesses and individuals on 19 June - in its Statement on malicious cyber activity against Australian networks – warning of a spike in cyber-attacks by threat actors and the need for everyone to be prepared. In addition, the government has announced record cyber security spending.

What are threat actors and what do they want?

Threat actors in cyberspace can be groups, individuals or nation states who undertake unauthorised activity on digital networks for their own gain. Some well-known examples are hackers, terrorists and cyber criminals. Various typologies of threat actors have been developed, which classify actors according to their cyber capabilities, levels of sophistication and motivation. Of these, ‘sophisticated state-based actors’ frequently demonstrate the highest level of scope, skills and resources.

Although financial gain or access to intellectual property may be primary drivers for some threat actors, other actors such as hacktivists, seek to upset the status quo or draw attention to various social causes.

Vast troves of personal data held by government agencies and companies are also motivating factors. Equifax, the global consumer reporting agency, holds sensitive data on 820 million consumers. In 2017, the agency suffered a massive cyber breach which was later attributed to Chinese state-sponsored hackers.

Strategic disruption to critical infrastructure and supply chains remains a substantive catalyst for threat actors,* with potentially catastrophic effects for economies and society alike. The pivotal stance taken by Federal Government to ban high-risk vendors from Australia's burgeoning 5G network indicates the gravity and scale of potential risks involved.

Why cyber security should be a top priority for directors

Directors should treat their organisation’s online assets with the same level of care and attention that they pay to their organisation’s real-world assets. Both are inextricably linked.

Boards must use the same oversight that has applied to financial reporting and governance issues and apply it to how their organisation is effectively managing valuable data. Often that data is held across multiple connected repositories, with multiple vendors in multiple jurisdictions and boards must be satisfied that data assets are stored and protected appropriately.

Boards need to be aware of the risks to their data assets, ensure appropriate frameworks are in place and to foster a culture throughout their organisation that cyber security really does matter. If directors consistently and visibly demonstrate that cyber security matters, it will have a trickle-down effect and it will be a priority for the whole organisation. 

It is timely to note that Australian directors increasingly bear personal exposure to cyber risk liability. Directors should familiarise themselves with the requisite legislation and the risks unique to their business. The key pieces of legislation that impact directors and their cyber security responsibilities are the Privacy Act 1988 (Cth) and the Corporations Act 2001 (Cth).

Privacy Act 1988

In 2018, changes to the Privacy Act 1988 came into effect, amending it to include the Notifiable Data Breaches  (NDB) scheme. The scheme applies to any organisation or agency covered by the Privacy Act 1988.

Under the scheme, an eligible data breach occurs when:

• there is unauthorised access to or unauthorised disclosure of personal information;
• a reasonable person would conclude it is likely to result in serious harm to any of the individuals whose personal information was involved in the data breach; and
• the entity has not been able to prevent the likelihood of serious harm through remedial action.

If an entity suspects that an eligible data breach has occurred, they must undertake an assessment into the relevant circumstances. And if an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach, they must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable.

Under the scheme, the Information Commissioner has a number of enforcement powers. These include:

• accept an enforceable undertaking (s 33E) and bring proceedings to enforce an enforceable undertaking (s 33F);
• make a determination (s 52) and bring proceedings to enforce a determination (ss 55A and 62);
• seek an injunction to prevent ongoing activity or a recurrence (s 98);
• apply to court for a civil penalty order for a breach of a civil penalty provision (s 80W), which includes a serious or repeated interference with privacy (s 13G).

Another amendment to the Act has been the introduction of the Treasury Laws Amendment (Consumer Data Right) Act 2019. The Consumer Data Right (CDR) provides consumers with improved access to and control over their data and will be phased in sector-by-sector, beginning with the banking sector before being rolled out across other sectors including energy and telecommunications.

Implementation of the CDR is the joint responsibility of the Australian Competition and Consumer Commission (ACCC), which will accredit providers and enforce the rules of the CDR, and the OAIC.

The ACCC/OAIC Compliance and Enforcement Policy for the Consumer Data Right establishes how the ACCC and OAIC will respond to breaches of the CDR regulatory framework. Enforcement measures include court enforceable undertakings and court proceedings.

Corporations Act 2001

Under s180 of the Corporations Act 2001 (Act), directors have an obligation under civil law to exercise their powers and discharge their duties with the degree of care and diligence that a reasonable person would exercise if they:

• were a director or officer of a corporation in the corporation's circumstances; and
• occupied the office held by, and had the same responsibilities within the corporation as, the director or officer.

Accordingly, if care and diligence is not exercised in relation to a company's cyber security posture and protection of key assets (which could include data), they could be found in breach of the Act.

Furthermore, the Australian Security and Investment Commission’s (ASIC) Cyber resilience: Health Check report states “If you are a board of a listed entity, among other things, the [ASX Corporate Governance Council’s] Corporate Governance Principles [and Recommendations] recommend that you should establish a sound risk management framework and periodically review the effectiveness of that framework.”

The report goes on to state that organisations should consider whether cyber risks form part of a prospectus, periodic disclosure of cyber risks, disclosure of material business risks and, for listed entities, continuous disclosure of market-sensitive information.

Ask cyber security assurance questions

One of the key challenges for all non-executive directors is knowing what good looks like in cyber security and testing that in board papers. It is important for directors to ask questions and probe the practices used by management to ensure that the company’s cyber security posture is set up to effectively manage cyber risk.

Cyber security can appear technical and complex but just like other aspects of any company, asking questions and understanding the business is key.

Key questions boards should be asking about their organisation’s cyber security include:

• Who would our organisational data be valuable to? Who would want to steal it and what data would cause our organisation damage should we lose access to this data?
• Who can access organisational data and who has ‘super user’ administrative privileges, both inside and outside the organisation? Do we regularly check who has access and restrict it to those that only need it to do their job?
• Where is our data stored? Onshore, offshore or in a cloud? Is there a service provider and have they shared information with third parties?
• Who is protecting our data and how is it being protected?
• How well is data being protected? What security systems currently exist, where they are, and how they can be contacted in the event of a breach?

Directors should encourage independent assessment of organisational cyber security protections.

Importantly, compliance and desktop audits do not equal security. All too often management can get distracted with ensuring the organisation is compliant with a particular standard and hold the belief that a compliance tick equals effective security. Not all cyber security frameworks are the same. Similarly, a cyber update dashboard in board papers with all green traffic lights does not necessarily mean an organisation has good operational security. It is vital that operational security is checked and validated so the dashboard matches the actual security settings.

The Australian Cyber Security Centre’s (ACSC) Essential Eight provides a baseline for organisational cyber security implementation, which strengthens systems and encourages maturation.

Hacking back

Active defence, hacking back, or retaliatory hacking, is illegal in Australia. While it may seem like a viable option to an organisation under cyber-attack, it should not be part of any cyber security strategy.

In 2018, former Australian Signals Directorate Director-General Mike Burgess, said “an obligation to protecting corporate assets does not extend to breaking the law”. Burgess instead recommended that organisations seek to identify and manage their cyber risks effectively. 

As part of the Prime Minister’s cyber security warning on 19 June 2020,  the Defence Minister offered protection advice to all Australian organisations who might be concerned about their vulnerability to sophisticated cyber compromise, including becoming an ACSC partner to ensure access to the latest cyber threat advice.

What next?

There is no silver bullet when it comes to cyber security. Risk can never be completely avoided but it can be mitigated.

That is why boards must educate themselves, set aside the dashboards in board meetings and ask questions of the management team. Assume nothing.

It is important that boards carry out at least one cyber security-based crisis management incident per year. Nothing can prepare a board better than having to work together on an exercise that involves theft of critical data and the media bearing down for answers in an ever hungry 24-hour news cycle.

Regular penetration testing, ‘ethical hacking’ to identify system vulnerabilities, is also essential.

Staff should be taken through cyber security policies regularly, as a matter of company practice. Such policies should not be seen as ‘tick and flick’ documents and should be put into practice.

Above all, directors should understand the potential risks to their organisation and how these issues can be effectively addressed. Make sure your organisation and board are educated and prepared. This is not just good practice – it is good business.

*J P Carlin, 2016, “Detect, Disrupt, Deter: A Whole-of-Government Approach to National Security Cyber Threats”, Harvard National Security Journal, Vol 7, p 398, https://harvardnsj.org/wp-content/uploads/sites/13/2016/06/Carlin-FINAL.pdf, (accessed 22 July 2020).