Good practices in cyber risk governance
ASIC's observations on good governance and cybersecurity practices
By John Price, Commissioner, Australian Securities and Investments Commission
This article was submitted to the Governance Institute for publication in the Governance Directions magazine in May 2016
The cyber risk landscape is rapidly evolving with significant growth in the number, sophistication and severity of global cyber-attacks. At ASIC, we view cyber-attacks not just as a systemic risk for the financial sector, but a significant concern for the economy at large.
ASIC has recently released an assessment of the cyber resilience of ASX Group and Chi-X Australia Pty Ltd. However, cyber-attacks are not just a risk for financial services companies or the IT sector. Cyber-attacks can affect businesses across a wide range of sectors. It is important for all organisations to tailor a plan that reflects their own cyber risks and the particular consequences those risks could have for them.
Our recent research highlights examples of the good cyber risk management practices we encourage all businesses to consider. Importantly, the good practices we observed in relation to cybersecurity strategies and governance were characterised by board engagement, and responsive and agile governance models. Some key aspects of these practices are outlined below.
Good practices show boards taking ownership of the cybersecurity strategy and ensuring it is reviewed and assessed on a periodic basis. Measures to assess progress against the strategy include time to detection, speed of response, and recovery processes.
Cyber resilience as a management tool
Boards can be encouraged to view the management of cyber resilience as a critical management tool for understanding risks and making important investment decisions on cyber risk. Cyber resilience can be seen as a tool for ‘enabling’ (not limiting) the organisation—by anticipating scenarios and building protection against risks, and taking advantage of market opportunities.
Cyber resilience fluency
While technology in business is rapidly changing, cyber risks are changing faster. Many boards have general technology expertise, but some may need additional advice on cybersecurity. In some circumstances, external cyber experts can be useful in reviewing and challenging the information presented internally.
Organisations can become more cyber resilient by educating boards in the language of cyber risks and the potential threats to the organisation. Through an active understanding of the cyber threat landscape, and the planning and testing of response scenarios, boards are better able to ask risk and audit committees the relevant questions.
Good practice assurance is focused on cyber resilience in end-to-end business processes. This is undertaken with a view to confirming that critical business operations, technology applications and infrastructure, and the supporting data are tested as a whole, rather than independently of the business processes and technology functions they support. Assurance processes should confirm that critical business processes can be re-activated if and when an incident occurs.
Given the rate of change in the cyber risk landscape, and the speed at which a business can be severely compromised (potentially within hours or days), reviews of cyber risks should be undertaken more frequently than reviews of the other risks forming part of the risk management framework.
Organisations are tailoring traditional governance processes to ensure ‘responsive governance’. In a rapidly changing cyber risk environment, the policies and procedures of today are not necessarily valid for long, and may not remain valid between typical annual review cycles. This approach allows adjustments to be driven by events and incidents, rather than by a fixed review period that might ignore a need for change arising between set periodic review points.
Alignment with the organisation's overall governance framework
Cybersecurity governance should be clearly and visibly aligned with other organisation-wide governance processes and procedures. Cybersecurity is not just a matter for the IT team – although they will play an important role. Cyber risk should be an element of the broader risk framework, and cyber risk exposures should be recognised and assessed for their impacts alongside other, more traditional risks.