Cyber Security

Governance
Principles
October 2022
CYBER SECURITY GOVERNANCE PRINCIPLES

Table of Contents

Foreword4 Principle 2: Develop, implement and

evolve a comprehensive cyber strategy 22
Snapshot of the Principles 6
Assessing and enhancing
Terminology9 internal capability 22
Key third party suppliers 25
Introduction10
Case Study 2: Third party supplier risk 27
Threat environment 11
Principle 3: Embed cyber security in
Threat to NFPs and SMEs 11 existing risk management practices 28
Existing obligations and regulatory Cyber-risk appetite  28
requirements12
Developing and overseeing controls 29
Cyber security specific regulatory Measuring and evaluating
requirements and standards 13 internal controls 32
Principle 1: Set clear roles and Case Study 3: Constantly evolving risk
responsibilities  14 management practices 33

Role of the board 14 Principle 4: Promote a culture of

Whole of organisation 17 cyber resilience34
Board reporting 17 Creating a cyber security mindset
from the top down 34
Role of external experts 18
Skills and training 36
The role of insurance 20
Collaboration 38
Case Study 1: Spirit Super 21
Case Study 4: Resilience testing is
key to promoting a culture of
cyber resilience 39

2
Principle 5: Plan for a significant Appendix C: Industry requirements
cyber security incident 40 and standards52
Preparation  40 Consumer Data Right (CDR)  53
Communications  44 My Health Records Act 2012 53
Case Study 5: Major cyber attack on Australian Energy Sector Cyber
Toll Group 47 Security Framework 53

Appendix A: Cyber extortion Appendix D: SME and

-Ransomware and data theft 48 NFP Director Checklist 54
Ransomware and data theft 48 Appendix E: Glossary 56
Board decision-making  49
Acknowledgements  58
Appendix B: Resources 50 About the AICD  58
1. Government and industry resources 50 About the CSCRC 58
2. International standards frameworks 51 Disclaimer  59
3.  AICD resources 51 Copyright  59
4.  Research and reports  51

3
CYBER SECURITY GOVERNANCE PRINCIPLES

Foreword

“Directors have a critical

role to play and must seek
to lift their own cyber
literacy levels, recognising
that this is a key risk that
can never be eliminated but
can be effectively managed.”
—   Hon Clare O’Neil MP
Minister for Home Affairs and Minister for Cyber Security 

4
 Foreword

As Australians entrust their most sensitive data

to organisations, there is a legitimate expectation
that it will be protected. Keeping Australians’
data safe requires strong collaboration between
government, business and industry. Australia
must work as one team to build up the defences
we need to protect our society and economy. It
is the responsibility of all organisations across
Australia to make stronger cyber security
practices a priority and make the necessary
investments where needed. There is much that
even small business and not-for-profits can do
to ensure that the data they use and store is
securely protected.
I am therefore delighted to see the Australian
Institute of Company Directors (AICD) and the
Cyber Security Cooperative Research Centre
(CSCRC) partnering to publish a set of Cyber
Security Governance Principles. These Principles
provide a clear and practical framework for
organisations to build stronger cyber resilience.
Directors have a critical role to play and must
seek to lift their own cyber literacy levels,
recognising that this is a key risk that can never
be eliminated but can be effectively managed.
I commend the Principles to Australian
organisations of all sizes and reinforce the
Australian Government’s commitment to work
hand in glove with business and industry to
develop world class cyber security practices.
Hon Clare O’Neil MP
Minister for Home Affairs and Minister
for Cyber Security

5
CYBER SECURITY GOVERNANCE PRINCIPLES

Snapshot of
the Principles

1. Set clear Defining clear roles and responsibilities

is a foundational component of building
GOVERNANCE RED FLAGS:

roles and effective cyber resilience 1. Cyber risk and cyber strategy not
featuring periodically on board
responsibilities Comprehensive and clear board agendas
reporting, including engagement with 2. Chair and board not annually
management and updates on emerging reviewing skills to ensure that
trends, is a key mechanism by which directors have a minimum
a board can assess the resilience of understanding of cyber security risk
the organisation
3. Board reporting on cyber risk
External experts can play a role in is hard to digest and features
providing advice and assurance excessive jargon with a reliance on
to directors and identify areas technical solutions
for improvement 4. Limited or no external review or
assurance of cyber risk controls and
strategy
5. No clear lines of management
responsibility for cyber security

2. Develop, A cyber strategy, proactively overseen

by the board, can be a business enabler
GOVERNANCE RED FLAGS:

implement by identifying opportunities for the 1. Lack of formal documentation of

organisation to build cyber resilience the organisation’s approach to
and evolve a cyber security
comprehensive 2. Limited understanding of location of
cyber strategy Identifying the key digital assets and key digital assets and data, who has
access and how they are protected
data of an organisation, including
who has access to these assets, is 3. The cyber strategy and risk controls
core to understanding and enhancing are not subject to internal and
cyber capability external evaluation and periodic
refinement relative to evolving threats
4. Lack of data governance framework
A robust cyber strategy will account to guide how data is collected, held,
for the importance, and potential risks, protected and ultimately destroyed
associated with key third party suppliers

6
 Snapshot of the Principles

3. Embed cyber Cyber risk is an operational risk that

fits within an organisation’s existing
GOVERNANCE RED FLAGS:

security in approach to risk management 1. Cyber risk not reflected in existing risk
management frameworks
existing risk While cyber risk cannot be reduced to 2. High management confidence that
management zero there are a number of accessible cyber risk controls are effective
and low-cost controls that all
practices organisations can utilise
without regular external validation
3. Over reliance on the cyber security
The board should regularly assess controls of key service providers, such
the effectiveness of cyber controls as cloud software providers
to account for a changing threat 4. Cyber security controls of potential
environment, technology developments vendors are not assessed in the
and the organisation’s capabilities procurement process for key goods
and services
5. Prolonged vacancies in key cyber
management roles

4. Promote a A cyber strategy, proactively overseen

by the board, can be a business enabler
GOVERNANCE RED FLAGS:

culture of cyber by identifying opportunities for the 1. Board and executives do not
organisation to build cyber resilience undertake cyber security education
resilience nor participate in testing
Regular, engaging and relevant training 2. Cyber security is not reflected in
is a key tool to promote a cyber resilient the role statements and KPIs of
culture, including specific training key leaders
for directors
3. Communication from leaders does
Incentivise and promote strong not reinforce the importance of
cyber security practices, including cyber resilience to staff (cyber is seen
participating in phishing testing and as an issue only for frontline staff
penetration exercises to manage)
4. There is a culture of ‘exceptions’
or workarounds for board and
management with respect to cyber
hygiene and resilience

5. Plan for a Directors should proactively prepare and

plan for a significant cyber incident
GOVERNANCE RED FLAGS:

significant 1. The board and senior staff have

Simulation exercises and scenario not undertaken scenario testing
cyber security testing are key tools for the board and or incident simulations to test the
incident senior management to understand roles Response Plan
and responsibilities 2. Likely scenarios and consequences
are undocumented with lessons from
A clear and transparent approach simulations not being captured
to communications with all key
stakeholders in a significant cyber 3. It is not clear how communications
incident is critical in mitigating with key stakeholders will be
reputational damage and allowing for managed in the event of an incident
an effective recovery 4. No post incident review with board
and management

7
CYBER SECURITY GOVERNANCE PRINCIPLES

Top 10 Director Questions

Roles and 1. Does the board understand cyber risks well enough to
oversee and challenge?
responsibilities
2. Who has primary responsibility for cyber security in our
management team?

Cyber strategy 3. Who has internal responsibility for the management and
protection of our key digital assets and data?

4. Where, and with whom, are our key digital assets and
data located?

Cyber risk 5. Is cyber risk specifically identified in the organisation’s risk

management framework?
management
6. How regularly does management present to the board or risk
committee on the effectiveness of cyber risk controls?

Cyber resilient 7. Is cyber security training mandatory across the organisation

and is it differentiated by area or role?
culture
8. How is the effectiveness of training measured?

Cyber incident 9. Do we have a Cyber Incident Response Plan, including a

comprehensive communications strategy, informed by
planning simulation exercises and testing?

10. Can we access external support if necessary to assist with a

8 significant cyber security incident?
 Terminology

Terminology

The technical language associated with cyber security need not be a

barrier to directors governing cyber security risk. While directors should
seek to educate themselves on relevant terms and concepts, they
should also insist that management and external experts communicate
in a clear way that demystifies the topic. The terminology of cyber
security, consistent with the threat itself, evolves at a rapid pace. The
Australian Cyber Security Centre (ACSC) has comprehensive resources
on terminology and key terms that will assist directors in keeping on top
of the language of cyber security.
These Principles utilise a common set of terminology to assist directors in overcoming this barrier. This
terminology is set out in the following diagram. An extensive glossary is also provided at Appendix E.

Cyber Security • An overarching term that captures the steps, measures and processes
used to protect and defend the confidentiality, integrity, availability
of data in an organisation’s systems as well as protecting the
systems themselves

Cyber Resilience • An organisation’s posture or ability to defend, adapt respond and

recover from cyber threats and cyber incidents while maintaining
continuous business operations
• Cyber resilience includes the cyber culture of an organisation and how
directors and employees take individual steps to build cyber resilience

Cyber Risk • The potential loss or harm to an organisation from a cyber incident. The
loss covers technical systems and infrastructure, use of technology or
reputation of an organsation

Cyber Threat • Any attack or event, or potential attack or event, that may harm an
organisation’s information systems and infrastructure
• Cyber threat includes attempts by external parties to breach an
organisation’s cyber defences

Cyber Incident • An unauthorised cyber security event, or a series of such events, that
has the potential to compromise an organisation’s business operations
• Cyber incidents cover the spectrum of events from accidental data
losses, such as an employee misplacing a USB, to criminal attacks, issue
motivated groups and state sponsored actors

Digital • Steps or processes taken by organisations to generate and store data via
internet facing systems
• Data generated via internet facing systems is increasingly seen as one of
the key assets (and risks) for many organisations

9
CYBER SECURITY GOVERNANCE PRINCIPLES

Introduction

Cyber threats are part of every organisation’s risk landscape, particularly

as businesses place more of their key assets and systems in internet
facing systems, with all organisations susceptible to attack. The cyber
threat environment is incredibly dynamic and boards needing to remain
responsive to the threat and the cyber resilience of the organisations
they govern.
Cyber incidents can have a significant and at
These Principles are a ‘living document’
times existential impact on an organisation, but which will be periodically reviewed to
their cause can be surprisingly simple. So simple in reflect the evolving threat and regulatory
fact that it can be a singular security blind-spot, landscape.
one individual hacker gaining access to data or an
employee misplacing a USB. Cyber security The Principles do not constitute legal advice
system weakness combined with human error and are produced as guidance only.
often make it relatively easy for cyber threat The AICD and CSCRC recommend
actors to penetrate IT systems, access valuable organisations seek independent advice
data and severely impact an organisation’s regarding legal, regulatory and technical
stakeholder trust and reputation. At its most cyber security matters.
significant, a cyber incident has the potential to We are interested in hearing from
cripple an organisation’s operations. This is users of the Principles about their
highlighted in the Toll Case Study in Principle 5. experiences and invites feedback by email
It is unsurprising Australian directors consistently to [email protected]
identify cyber security and data theft as the
number one issue keeping them awake at night in
Director Sentiment Index surveys.

10
 Introduction

These Principles provide a practical framework to Strategic disruption to critical infrastructure

help directors, governance professionals and their and supply chains remains a prominent target
organisations proactively tackle oversight and for threat actors, and a particular vulnerability
management of cyber risk. The purpose of the for organisations, with potentially catastrophic
Principles is to illustrate what constitutes better effects for the Australian economy and society
practice oversight at the board level. alike. According to the ACSC, a quarter of
reported cyber incidents in 2020-21 were
The development of the Principles has been
associated with Australia’s critical infrastructure
based on extensive consultation and feedback
or essential services. The health care, food
from senior directors, experts in cyber security,
distribution, financial services and energy sectors
regulators and government agencies.
are key targets domestically and internationally.
These Principles serve as a reminder to directors
to be highly alert to cyber risk, have strong Threat to NFPs and SMEs
oversight of organisational cyber security risk
management, to challenge management on While small and medium enterprises (SMEs) and
cyber resilience and be well prepared in the event not-for-profits (NFPs) comprise more than 90 per
of a significant cyber incident. cent of Australian businesses by number, many
struggle when it comes to cyber security. This is
Promoting a cyber resilience culture is key and this the result of a multitude of factors, including cost,
starts with the board setting the appropriate tone resourcing and the perceived complexity of
from the top. the topic.
However, as the economy becomes further
Threat environment digitised, cyber security needs to be a prime
Threat actors in cyber security can be individuals, consideration for smaller organisations which are
issues motivated groups, criminal syndicates key targets for cyber criminals due to their often-
and state-sponsored actors who undertake low cyber resilience. SMEs and NFPs, for instance,
unauthorised activity on networks, generally for are frequently a target of low-cost malware or
financial or strategic gain. Various typologies of ransomware bots that scan the internet and
threat actors have been developed, which classify networks identifying security gaps or weaknesses.
actors according to their cyber capabilities,
levels of sophistication and motivation. Of these, For a smaller organisation a cyber-attack can
‘sophisticated state-based actors’ frequently be crippling, impacting IT systems, websites,
demonstrate the highest level of scope, skills customer data and payment systems, severely
and resources. However, in recent years the impeding business continuity.
tools created or used by state-based threat
actors have also been increasingly available to  UIDANCE FOR DIRECTORS OF SMEs
G
cyber-criminal syndicates. AND NFPs
The theft of organisational data, including via • In each of the principles there is a box
ransomware, has emerged as a key cyber threat. highlighting practical cyber security steps
Criminal groups steal an organisation’s valuable steps for a director of a SME and NFP
data and frequently render systems inoperable by
encrypting the key data. They then extort their • These steps are collated in a checklist at
victims, demanding payment for the unlocking of Appendix D
systems and return of data. Ransomware and
data theft is discussed in further detail in
Appendix A.

AUSTRALIAN TRENDS (2020/21)

• More than 67,500 cybercrime reports – one
every eight minutes
• Losses from cybercrime exceeded $33 billion
• Almost 500 reported ransomware attacks
• 25 per cent of cyber incidents targeted
Australia’s critical infrastructure

Source: ACSC Annual Cyber Threat

Report 2020-21
11
CYBER SECURITY GOVERNANCE PRINCIPLES

Existing obligations and

regulatory requirements
Governing for cyber risks and building an organisation’s cyber resilience
forms part of directors’ existing fiduciary duties owed to the company
under both common law and the Corporations Act 2001(Cth)
(Corporations Act).  

Duty to act Directors have a duty to act with care and diligence to guard
against key business risks. This includes ensuring appropriate
with care and systems are in place to bolster cyber resilience, as well as
prevent and respond to cyber incidents.
diligence

Duty to act Directors must exercise their powers and discharge their duties
in good faith in the best interests of the company, and for a
in good faith proper purpose. In making decisions on cyber security on behalf
of the company, directors must consider the impact of those
and in the best decisions on shareholders/members and stakeholders including
interests of the employees, customers, suppliers and the broader community.

corporation 

Reliance on Just because a director does not have specialist knowledge

about cyber security does not mean that the director’s
information and standard of care is reduced. 
advice provided While in some circumstances, directors may rely on information
or the advice of others, or delegate certain cyber matters to a
by others  board committee or management roles, this does not absolve
directors of their accountability for decision-making.

Other statutory Directors of entities that hold an Australian Financial Services

License (AFSL) are also subject to general and specific obligations
obligations under Corporations Act. A recent decision of the Federal Court of
Australia, ASIC v RI Advice, confirmed this includes having in place
risk management systems and controls to manage business risks.
APRA regulated entities are also subject to extensive prudential
obligations relevant to cyber security risk.

Duty to advise For companies listed on the Australian Securities Exchange

(ASX), directors must advise the market immediately if the
the market where company becomes aware of any information would have a
material effect (positive or negative) on the company’s share
there is an effect price. In the cyber context, this might apply in the event of
on a company’s customer data loss as a result of a significant cyber incident.
This type of event may also expose a company and/or its
share price  directors to the risk of a class action.
12
 Existing obligations and regulatory requirements

Cyber security specific regulatory ACSC STRATEGIES TO MITIGATE CYBER

SECURITY INCIDENTS (INCL ESSENTIAL EIGHT)
requirements and standards
Australian organisations are subject to a range The ACSC, a part of the Australian Signals
of regulatory requirements and standards that directorate, has published 37 Strategies to
are relevant to the governance of cyber risk Mitigate Cyber Security Incidents. The strategies
and management of data. Depending on the can be implemented by organisations of all sizes
industry these obligations can be overlapping as part of regular cyber hygiene practices and
and complex. Below is a high-level summary of are divided across three primary objectives –
key cyber regulatory frameworks. A summary of preventing attacks, limiting attack impact and
certain industry specific obligations is provided data availability. A component of these strategies
at Appendix C, including Australian Prudential is the Essential Eight Maturity Model, which is
Regulation Authority (APRA) prudential often referenced or referred to as a baseline
requirements relevant to the governance and benchmark or maturity model for Australian
management of cyber security risk. organisations to meet.

PRIVACY ACT 
ASIC V RI ADVICE GROUP PTY LTD
The Privacy Act 1988 (the Privacy Act)) - with
its focus on how organisations collect, manage In 2021, the Australian Securities and
and dispose of personal information is a key Investments Commission (ASIC) commenced
legislative framework relevant to the governance its first enforcement action against AFSL
of cyber security. holder, RI Advice Group Pty Ltd (RI Advice),
for breaches arising from a failure to have
Two key regimes under the Privacy Act 1988 (the
adequate cyber security policies, systems and
Privacy Act) that directors should be aware of are:
resources.
1. Notifiable Data Breaches (NDB) scheme –
A number of weaknesses were identified in
requiring an organisation to notify affected
the management of cyber risks across the
individuals and the Office of the Australian
RI Advice network, including a) outdated
Information Commissioner (OAIC) as soon as
antivirus software; b) no filtering or
practicable of a material data breach
quarantining of emails; c) no backup systems
Australian Privacy Principle 11 – Security of in place or backups being performed; and
Personal Information (APP 11) – requiring an d) poor password practices (e.g. sharing of
organisation to take active measures to ensure passwords between employees and use of
the security of personal information it holds default passwords).

CRITICAL INFRASTRUCTURE  In May 2022, the matter settled between

ASIC and RI Advice and the Federal Court
The Security of Critical Infrastructure Act
noting in its judgment that that RI Advice
2018 (Cth) (SOCI Act) applies to owners of
had contravened its AFSL obligations under
critical assets in 11 key industry sectors and 22
the Corporations Act. The Court’s reasoning
distinct asset classes, imposing significant cyber
highlighted that while it is not possible to
risk management and reporting obligations –
reduce cyber risk to zero, RI Advice was
including a requirement for directors to annually
expected, not only to have identified the cyber
attest that the organisation’s risk management
risks and implemented measures to address
practices are up to date. Additionally, the SOCI
them, but to ensure that its systems remained
Act provides the government with the ability to
fit for purpose over time to keep pace with
exercise significant directions and/or intervention
the escalating risk.
powers where an asset owner is unwilling or
unable to respond effectively to an incident. ASIC in commentary on the case noted
that it serves as a timely reminder for
Smaller organisations may be indirectly impacted
company directors about cybersecurity risk
by the SOCI obligations by virtue of being in the
oversight, including that an organisation’s
supply chain of a SOCI entity.
risk management framework adequately
addresses cyber security risk, and that
controls are implemented to protect key
assets and enhance cyber resilience.

13
CYBER SECURITY GOVERNANCE PRINCIPLES

Principle 1:
Set clear roles and
responsibilities

Role of the board

KEY POINTS From the board’s perspective, clearly defined
roles and responsibilities assist directors in having
1. Defining clear roles and responsibilities
effective oversight of cyber risk.
is a foundational component of building
effective cyber resilience Irrespective of how large or resourced an
organisation may be, the fast paced and
2. Comprehensive and clear board reporting,
evolving nature of the cyber threat landscape will
including engagement with management
always present uncertainty for an organisation’s
and updates on emerging trends, is a key
operating environment, including staff and
mechanism by which a board can assess
supply chains. As a result, directors need to
the resilience of the organisation
become accustomed to accepting a certain level
3. External experts can play a role in providing of ambiguity surrounding their organisation’s
advice and assurance to directors on the cyber resilience. However, directors should
cyber resilience of an organisation and gain some comfort in understanding how their
identify areas for improvement organisation is prepared to respond in the event
of a cyber incident.
While it is not the role of the board to directly
manage cyber risk, it is the board that has
ultimate accountability for how risks are governed
and addressed. This includes being satisfied there
are appropriate processes and delegations in
place that provide directors with comprehensive
oversight of the actions of management.
The governance structures and allocation of roles
and responsibilities when it comes to governing
cyber security will vary by the size and nature of
the organisation.

14
 Principle 1: Set clear roles and responsibilities

At large organisations, the board may assign of director training and upskilling on cyber is
closer oversight of cyber security governance to a discussed at Principle 4. That said, directors
sub-committee of the board, such as the risk should remember that the simplest questions are
committee, audit committee or a technology often the ones that are never asked, and should
committee. However, the evolving nature of cyber not be afraid to raise these with management.
security, and the potential severity and velocity of Equally important is the board seeking assistance
the risk, may warrant cyber security being from third party experts, including external
discussed regularly at full board meetings. For assurance and testing (detailed below).
example, as a standing item on IT infrastructure,
Ultimately, one of the key roles directors can
digital initiatives or a component of risk or
play in fostering a cyber resilient culture within
strategy. Board and committee charters should
the organisation and modelling effective cyber
be reviewed regularly to confirm that roles and
practices (discussed at Principle 4). Every
responsibilities are clear, especially with respect to
director should take responsibility to enhance
evolving risks such as cyber security.
their own skills and knowledge on cyber security.
Key to effective oversight of cyber risk is the board
receiving regular reporting and engagement with  OX 1.1 SMEs AND NFPs - ROLES AND
B
management (discussed further below). RESPONSIBILITIES
The delegation of cyber risk management or • Document where possible who has
strategy to board committees, and ultimately responsibility for cyber security
management, should be detailed not only in
the charter or governing documents of the • Appoint a cyber champion to promote
respective committee, but also the organisation’s cyber resilience and respond to questions
overarching cyber strategy or policy. • Consider whether a director, or group of
To support the board’s role in oversight and allow directors, should have a more active role in
constructive challenge of management, directors oversight of cyber security
should be equipped with appropriate skills and • Collect data where possible on the
understanding of cyber risk. The importance effectiveness of cyber risk practices

15
CYBER SECURITY GOVERNANCE PRINCIPLES

ROLE OF MANAGEMENT At larger organisations, responsibilities are

There is no strict rule on where responsibility cascaded from management through the
for cyber security leadership should sit at the organisation to particular individuals. In these
management level. Ideally, management circumstances, individual cyber responsibilities
responsibility for cyber security must ultimately should be documented in position descriptions or
lie with the person who best understands role statements. Depending on the nature of the
cyber security, the threat landscape and business it may be appropriate for each senior
the organisation’s strategy and approach to executive to have cyber security as a component
mitigating risk. of their responsibilities related to their business
unit or division. To ensure that responsibilities
At large organisations, it may be appropriate remain current, there should be established
for either the Chief Information Officer processes to update responsibilities, including
(CIO), Chief Technology Officer (CTO), Chief reflecting changes in the organisational structure
Information Security Officer (CISO) or Chief Risk or new information technology investment.
Officer (CRO) to have responsibility for cyber
security. In some cases, it may be appropriate Internal audit may also have a role in providing
for responsibility to be shared across key assurance on the effectiveness of cyber security
management personnel, for example the CRO controls.
and CIO. At smaller organisations, the Chief Where appropriate, key performance measures
Executive Officer (CEO) may play a more hands- and components of variable remuneration
on role. Regardless of the accountable executive may be linked to cyber resilience measures.
and business unit delegation, cyber security Where this is the case, the board has a key
should be considered a shared enterprise risk with role to play in setting appropriate incentives
responsibility across the full executive team. and a transparent framework for monitoring
management’s progress.

Large
organisations SMEs

Board Board

AD-HOC/
FORMALISED
INFORMAL
REPORTING
REPORTING
Board Committee CEO/Managing
(Risk / Audit /
Technology Committee) External experts Director
and assurance

Executive
Key managers,
responsibility
staff
(CIO/CTO/CRO/CISO) Key cyber and
digital service
providers

Whole of
Key staff
organisation

Whole of
organisation

16
 Principle 1: Set clear roles and responsibilities

SHARED RESPONSIBILITIES Whole of organisation

A challenge at many organisations is that core Fundamentally, all staff members and key
cyber security roles and responsibilities may not partners have responsibility in enhancing the
be located in one business area or team. For cyber resilience of the organisation. This requires
example, while the IT team may be responsible a whole of organisation approach to being
for maintaining IT equipment and software, a vigilant to cyber threats, undertaking training
customer facing team may have responsibility for and education as well as ensuring there is a cyber
how customer information is collected, stored and incident response plan and that key defences,
shared. Where responsibility is blurred or unclear such as software updates and password security,
it can result in a lack of ownership, ineffective are up-to-date.
oversight, and a weakening of the defences of the
organisation to a cyber security incident. Building and promoting a culture of cyber
resilience across an organisation is covered in
The use of maps or other visual aids, as well detail in Principle 4.
as scenario testing or workshops on key cyber
issues, may assist staff better understand where
responsibility for cyber sits across an organisation.
Board reporting
Additionally, an informal working group of key Robust board reporting on cyber security is a key
staff that meet regularly to discuss cyber risks tool by which directors will obtain insight into
and developments may be an effective on- how controls, processes and the organisation’s
going mechanism to ensure coordination across staff are contributing to the organisation’s cyber
different teams. resilience. Reports should be regularly presented
by management and discussed at the board and/
For most small organisations, formalised or board committee.
documentation of responsibilities for cyber
security may not be necessary (exceptions would Reporting should align with the organisation’s
include organisations in certain industries, such as cyber strategy or policy and capture metrics
health care or financial services). However, it is that go beyond key measurable data points
nonetheless essential that individuals within the (e.g. anti-virus incidents). Reports to the
organisation have a clear understanding of what board should provide rich information about
is expected of them in terms of their contribution the internal and external threat environment,
to organisational cyber resilience. (e.g. risk management outcomes and broader
cyber threats or developments relevant to that
organisation). Trend data provides particular
 OX 1.2 QUESTIONS FOR DIRECTORS
B
insight to directors.
TO ASK
At larger organisations, information may be
1. Do we understand cyber risks well enough presented as a dashboard or heatmap that allows
to oversee and challenge? a holistic picture of the organisation’s cyber
2. Who has primary responsibility for cyber posture and risk profile.
security in our management team? Directors should expect that board reporting is
3. Do we need a board committee to formally presented without complex technical language
oversee cyber security governance? that may act as a barrier to assessing cyber risk
and engaging with management.
4. What happens to cyber security risk
responsibilities and management when key
staff leave?
5. Are we insured for cyber risks, and do we
understand our coverage and gaps?

17
CYBER SECURITY GOVERNANCE PRINCIPLES

Trend data,
BOX 1.3 COMMON BOARD
Role of external experts
where
available, REPORTING METRICS Given the board imperative to monitor and stay
is key across evolving cyber risks and key capabilities,
to insightful
board • cyber incident detection, prevention and there can be a key role for independent external
reporting. response, including incident trend analysis experts to provide an outside perspective. In
the event of a cyber incident, external experts
• cyber strategy performance, key initiatives
can be a valuable source of assistance for an
and progress to date
organisation’s immediate response and recovery.
• staff related incidents, such as staff
That said, organisations should be cautious about
accessing or misusing data in breach
being too reliant on external experts given the
of policies
materiality of the risk to many organisations.
• internal audit activities, including outcomes Management capability uplift is critical,
of vulnerability and threat assessments alongside education of directors to support their
• external party assessment, including oversight function.1
penetration testing results and
benchmarking against peers and
international standards
• staff cyber training rates and completion
• phishing exercise results
• assessment of the broader threat
environment, informed by vendor alerts,
ACSC alerts and intelligence shared
by other organisations, and response
to threats

1. Please see the AICD Director Tool: Directors’ right to seek external professional advice (available here), for further
18 information on a director obtaining external advice.
 Principle 1: Set clear roles and responsibilities

EXTERNAL AUDIT AND BENCHMARKING: Factors that can be assessed within external
COMPLIANCE DOES NOT EQUAL SECURITY cyber audit and benchmarking include:
Independent experts can provide assessments • Regulatory and standards compliance: Does
of an organisation’s risk management controls, the organisation meet its domestic legal and
and how they measure up across international regulatory requirements? Is data or information
standards frameworks (e.g. National Institute covered under privacy provisions stored
of Standards and Technology, International appropriately? How does the organisation align
Standards Organisation). This information or compare to key standards frameworks?
provides the board with an understanding of the
organisation’s cyber risk maturity, which is an • Data stocktake and access: What is the
important input for developing the organisation’s key data that the organisation collects and
cyber risk strategy and cyber risk controls. It can stores? Who, and what partners, have access
also provide directors with a useful benchmark to this data? Is data or information stored
against the organisation’s industry peers. appropriately, including consistent with
regulatory obligations? Does the organisation
However, while compliance to a particular regularly undertake a thorough data stocktake
industry standard is important, it should not be and question whether all information needs to
misunderstood as placing an organisation in continue being held? Is there an overarching
a sound position to defend attacks or respond data governance strategy that covers from
to a cyber incident. Compliance to an industry creation to destruction?
standard is just one part of a cyber strategy.
• Technical compliance: What software systems
For some organisations it may be appropriate are used and how are they kept up to date? Is
for an assessment of cyber resilience, including there a process for safely disposing of legacy
the performance of the cyber strategy, to be a systems and all data? Are there authentication
component of the periodic audit program. systems in place? What controls ensure third
parties cannot access internal systems without
appropriate security measures? Are there logs
BOX 1.4 GOVERNANCE RED FLAGS for key systems so there is a record of who has
accessed what data?
1. Cyber security not featuring periodically on
board agendas • Continuous improvement: Do core security
measures align with best practice? Are there
2. The board not annually reviewing skills to
systems in place to deal with the contemporary
ensure that directors have an appropriate
threat landscape?
understanding of cyber risk
• Awareness of threats: What alerts or
3. Board reporting on cyber risk is hard to
monitoring is in place to flag threats and
digest and features excessive jargon with a
breaches or respond to critical patching alerts?
reliance on technical solutions
Are staff trained to respond appropriately and
4. Limited or no external review or assurance in a timely way?
of cyber risk controls and strategy
• Governance and strategy: What are the
5. No clear lines of management responsibility systems and processes in place to manage
for cyber security and mitigate risk, or respond to threats or real
events? How do individual responsibilities fall
to each team? What approvals would they
require, and to whom would they report?
• Overall risk assessments: How does the level
of resilience across the organisation compare
against industry peers in the context of
alignment with standards and testing results?
How does this resilience and risk posture align
with the risk appetite and cyber strategy of
the organisation?

19
CYBER SECURITY GOVERNANCE PRINCIPLES

The role of insurance

Organisations often obtain cyber insurance that
can provide a measure of protection in the event
of losses from a critical cyber incident. While
cyber insurance may be necessary for certain
organisations, the often high cost and restricted
or tailored coverage of a particular policy
means that a board should carefully consider
if it is appropriate and/or value for money for
their organisation.
In addition to financial compensation, a key
motivation for holding a cyber insurance policy
is access to expert advice and assistance in the
event of a significant cyber incident. Either the
insurer, or specific industry experts engaged
by the insurer, will assist an organisation in the
immediate response and recovery phase of a
significant cyber incident.
Prior to issuing a cyber insurance policy it is
common for insurers to seek detailed information
on an organisation’s cyber posture and
procedures. This underwriting process can be
useful for organisations to assess their current
resilience levels as the questions asked by
brokers/insurers will sometimes reveal previously
unknown vulnerabilities.
There is a limited pool of providers of cyber
insurance in Australia and the often-tailored
nature of policies means they can be relatively
high cost and may have specific conditions or
exclusions of particular cyber incidents (e.g. act
of war). As there are no standard terms and
conditions for cyber policies, directors should
be aware of what is covered, including excluded
events (e.g. a ransomware attack from a state-
sponsored actor), and what assistance an insurer
may provide in the event of a significant cyber
incident. The board should also understand
the level of protection provided under other
insurance policies (e.g. business interruption),
as it is common for these policies to exclude
cyber-related claims.
The board should closely assess whether a cyber
insurance policy provides sufficient mitigation
from financial loss, and support in the event of a
cyber incident, relative to the cost. A board may
form the view that in certain circumstances self-
insurance is appropriate and choose to deploy the
savings from not obtaining the policy to boosting
cyber security controls.

20
 Principle 1: Set clear roles and responsibilities

Case Study 1: Spirit Super

It only took one email. In May 2022 the email Assistance was provided, included standing up the
account of a single employee from Spirit Super contact centre over the weekend and introducing
was compromised through a sophisticated, but personalised support for impacted members.
untargeted, phishing attack. Despite multi- In line with the plan, the board also called in
factor authentication and comprehensive cyber external forensic experts to provide additional
security training, the attacker was able to gain support to the Technology team. Unfortunately,
access to their mailbox. It set off a ripple of events they uncovered further sensitive information in
that impacted the Australian superannuation the staff member’s mailbox.
trustee’s members and sparked a rethink of its
“With their specialist knowledge and toolsets,
cyber defences. Cyber experts were critical to
they were able to identify additional personal
the handling of the incident, from discovering
information that could potentially have been
the extent of the data breach through to
accessed”, she said. “They had more technical
containing it.
ability in this area than we can resource internally.
For Spirit Super Independent Chair Naomi We did the right thing to have that on the plan,
Edwards, the incident highlighted the importance to have the third-parties come in.”
of sensitive data management and the specialist
Ms Edwards said Spirit Super had only recently
assistance of cyber experts. “It was a cyber
refreshed its cyber strategy and was investing in
incident that was compounded by a weakness in
enhanced technologies and controls, but there
the handling of sensitive information,” she said.
was more to do, especially on how to safely
“Even though we did all the things a board should handle the large volumes of sensitive information
do – overseeing the cyber strategy, setting the that staff must work with to fulfil their roles.
risk appetite, approving the policy framework,
In addition to assisting with cyber incident
and monitoring our controls - it only takes a
response, Spirit Super also utilised independent
momentary lapse in a person’s concentration.
experts to advise, review and test their cyber
Then once they [the hackers] are through, it’s all
defences. “The assessments conducted by experts
about how many layers of defences you have.”
are vital,” she said. “They force you to put that
The company detected the breach quickly. list together and to understand their roles and
Internal teams executed their technical incident when they need to be brought in. When you have
response playbooks to isolate and contain an incident, you can refine the action plan from
the impact. As that happened, the board your learnings.”
implemented its cyber incident plan, including
Provided by Naomi Edwards FAICD,Chair
advising key regulators. Transparency is key to
of Spirit Super, Director of Tasmanian
member trust - so emails, SMS’s and letters were
Development Board, AICD, Propel Funeral
issued promptly advising them of the possibility
Partners and President Elect of the Institute of
their personal information was accessed.
Actuaries Australia.

21
CYBER SECURITY GOVERNANCE PRINCIPLES

Principle 2:
Develop, implement
and evolve a
comprehensive
cyber strategy

Assessing and enhancing

KEY POINTS internal capability
1. A cyber strategy, proactively overseen A cyber strategy is a plan for an organisation
by the board, can be a business enabler to enhance the security of its key digital assets,
by identifying opportunities for the processes and people over time. An organisation’s
organisation to build cyber resilience cyber strategy will be informed by the size and
complexity of the business; its information
2. Identifying the key digital assets and data technology infrastructure and systems; its key
of an organisation, including who has personnel and core competencies; the type and
access to these assets, is a core component nature of information it holds; and stakeholder
of understanding and enhancing expectations, including regulatory and
cyber capability contractual obligations.
3. A robust cyber strategy will account for the A further essential input is the organisation’s
importance, and potential risks, associated cyber risk appetite and controls, discussed at
with key third party suppliers Principle 3, which will influence the choice of
strategic options with respect to cyber, including
operating and capital investments.
Suggested key components of a cyber strategy
are highlighted in the Box 2.1. The discussion of
these elements is covered in different sections
of the Principles – the relevant principles are
highlighted in the box.
A core element of a comprehensive cyber
strategy is how an organisation will respond
to a significant cyber incident, including
communicating with affected customers. This
element is discussed in detail in Principle 5.

22
 Principle 2: Develop, implement and evolve a comprehensive cyber strategy

For many SMEs and NFPs, a lengthy cyber strategy

BOX 2.1 - KEY COMPONENTS OF AN is unlikely to be necessary and may act as a
EFFECTIVE CYBER STRATEGY barrier to nimble responses to cyber threats.
However, for smaller businesses in industries such
1. Governance arrangements: Promote
as healthcare or those that provide services to
effective governance of cyber security that
larger organisations, a documented cyber strategy
is appropriate for the size and complexity of
will often be required. For these businesses the
the organisation (Principle 1)
strategy will assist to ensure they comply with
2. Identify and protect: Identify the key regulatory obligations relevant to the industry
digital assets and data held by the and/or demonstrate to partners how they are
organisation and how to comprehensively maintaining and enhancing cyber resilience, rather
protect them (Principles 2 and 3) than being a weak link in the supply chain.
3. Assess and enhance: Understand internal KEY DIGITAL ASSETS AND DATA
cyber capability, create a plan to enhance
Each organisation will have a set of key digital
capability and promote a cyber resilient
assets that if damaged or lost in a significant
culture (Principles 2 and 4)
cyber incident would represent a significant
4. Detect, respond and recover: Have plans threat to its ongoing business operations.
and processes to detect cyber incidents
For organisations of all sizes the key digital assets, or
and respond and recover effectively
(Principle 5) ‘crown jewels’, are most commonly critical customer
and employee related data, and the technology
5. Monitor and evaluate :Report and infrastructure that facilitates doing business.
update the board to allow for ongoing In some cases, this might be the technology or
assessment and refinement of the strategy systems supporting critical infrastructure and
(Principle 2) physical assets, such as power generation, water
treatment or telecommunications. The loss or
damage of this data or infrastructure can not only
impact the business operations or continuity of
services, but also the broader community - and in
turn, severely damage an organisation’s reputation.

23
CYBER SECURITY GOVERNANCE PRINCIPLES

A core component of developing a cyber strategy To minimise the risk of data theft or loss,
is meticulously identifying the organisation’s key organisations should only collect and store
digital assets and data documenting the answers the minimum amount of personal information
to the questions in Box 2.2. that is legally required for its relevant services
or operations. For example, some data may
A board should have visibility over these key
be necessary for a “point in time” only (e.g.
elements and receive regular updates from
onboarding or ‘Know Your Client” verifications)
management as part of ongoing evaluation
and can be deleted after certain activities.
processes (see below). This assessment will assist
directors to understand where cyber vulnerabilities There are specific requirements for some
may exist and will be a key input into risk organisations to keep some identity documents
management processes – discussed in Principle 3. (such as requirements in satisfaction of the
telecommunications metadata obligations)
 OX 2.2 QUESTIONS FOR DIRECTORS
B and in this case, directors need to be satisfied
TO ASK that data obtained for a legislative obligation is
both secure (as required by law) but that data
1. Who has internal responsibility for the has also not been stored for ‘other reasons’ in
management and protection of our key the organisation.
digital assets?
Importantly, many organisations fail to
2. Who has access or decision-making rights securely delete or destroy sensitive customer or
to our key digital assets? For example, organisational data once systems are replaced
can all customer-facing staff access and or the data is no longer required. This data (if not
change key databases? securely destroyed and on hardware) can often
3. What access to key digital assets is be readily accessed by third parties. Therefore,
provided to third parties? lifecycle management of all data must be part
of any organisation’s cyber security strategy
4. Where are our key digital assets located? and should include secure destruction of all
Is this still appropriate given identified sensitive data.
cyber risks?
All sensitive data should be stored in an encrypted
5. What is the role of external suppliers in and stored in secure manner, and access to such
hosting and managing key digital assets? data strictly monitored.
6. What is the impact of the loss A regular “spring clean” of all data collected and
or compromise of any of our key stored is an effective risk control as part of a
digital assets? broader data management strategy.

DATA GOVERNANCE – BOX 2.3 GOVERNANCE RED FLAGS

KNOW YOUR OBLIGATIONS
Storing large amounts of sensitive customer 1. Lack of formal documentation of the
and organisational data, beyond a legislative organisation’s approach to cyber security
requirement, creates a significant risk to 2. Limited understanding of location of key
customers, and the organisation, as it serves as a digital assets, who has access and how they
valuable target for cyber criminals looking to steal are protected
and use that information.
3. The cyber strategy and risk controls are not
To ensure effective data governance, directors subject to internal and external evaluation
should also understand the extent of personal and periodic refinement relative to
customer or employee data that is being evolving threats
stored and clearly understand the legislative
or regulatory reasons for doing so. All directors 4. Lack of data governance framework to
should expect of management, on an annual guide how data is collected, protected and
basis, to provide a ‘map’ of sensitive data that deleted
the organisation holds. The map should include;
the nature of that data; where it is stored, who
has access, who is protecting it; how well it is
protected; and the reason for holding this data.

24
 Principle 2: Develop, implement and evolve a comprehensive cyber strategy

INTERNAL CAPABILITY AND MATURITY ENHANCING CAPABILITY

An equally important component of a cyber A cyber strategy often encompasses steps an
strategy is the assessment of the organisation’s organisation will take over a certain period to
internal cyber capability and maturity. An enhance its cyber capabilities.
accurate understanding of key personnel
The board may seek to align cyber enhancements,
competencies, reporting chains, responsibilities
such as additional investment in new IT systems
and the IT infrastructure essential for business
and infrastructure, with broader strategic
operations (for example, databases, servers and
planning for the organisation. Doing so would
cloud software), provides the board with an
not only enhance cyber capability and resilience,
overview of cyber security strengths, weaknesses
but also have broader business benefits, such as
and where enhancement is required.
improving reputation amongst stakeholders and
Internal cyber capability often covers the maintaining a competitive advantage.
following elements:
Cyber enhancements do not always require
1. adequacy of existing staffing, including the significant capital expenditure. Rather, in
level of funding and the expertise of key cyber most cases, enhancements are accessible for
staff and the cyber knowledge of employees organisations of all sizes - being low cost, easy
throughout the organisation; to implement and contribute to building a cyber
resilient culture. Box 2.4 lists a series of practical
2. existing infrastructure and systems, for
enhancements focused on smaller organisations
instance the key software or operating systems
drawn from ACSC guidance, however these are
utilised by customers and staff;
relevant to all organisations.
3. the internal control environment for cyber,
for instance the risk controls and reporting in Key third party suppliers
respect of critical assets; and
It is equally vital that directors have an
4. business continuity planning, covering how understanding of the cyber security capabilities of
the organisation will respond in the event of a key third party suppliers who support or manage
significant cyber incident. the organisation’s key assets and data.
For larger organisations, it is useful to conduct Increasingly, organisations of all sizes utilise
a benchmarking exercise against established external providers to provide core business
maturity models or standards frameworks, services and process and store key data. For
ideally via an external expert. This review can example, the software and IT infrastructure of
help directors to understand an organisation’s cloud providers are commonly used to facilitate
internal capability and maturity. The results of payment and invoice processing, internal payroll,
the benchmarking are reported to the board and accounting services, customer databases and
can inform discussions on enhancing specific word-processing software.
capabilities. Where an external adviser is used, it In general, utilising a reputable cloud provider
is useful for them to present to the board directly will provide greater cyber protections than if the
to reduce the risk that management may present organisation were to manage these functions
an overly positive depiction of the results. in-house. However, poor internal cyber practices
Common frameworks or maturity models that are (e.g. weak password settings or lack of multi-
utilised in benchmarking exercises can include: factor authentication) when utilising the
provider’s services can expose the organisation
1. ACSC Strategies to Mitigate Cyber Security to potentially significant cyber incidents.
Incidents, including the Essential Eight Additionally, providers can themselves suffer
Maturity Model significant cyber incidents that impact their
2. International Standards Organisations (ISO) customers so conducting due diligence on key
standards under the ISO 27000 series external providers is critical.
3. National Institute of Standards and
Technology’s (NIST) cybersecurity framework
and/or Zero Trust Architecture

25
CYBER SECURITY GOVERNANCE PRINCIPLES

A board should have sufficient visibility of Ongoing evaluation

the key third party suppliers, what key digital
assets and data they manage or host and what
and refinement
risk controls are in place and importantly, a Ensuring the cyber strategy remains fit-for-
direct communications channel if they need purpose requires the board to periodically review
to notify the organisation of a data breach or performance against the strategy and identify
issue. Directors should have confidence that opportunities for evolution and improvement. An
management, and the organisation more broadly, evaluation or formal review of the cyber strategy
has the appropriate internal capabilities and at larger organisations may occur annually, in
risk-management processes in place to appoint addition to regular monitoring via board reporting.
and monitor key external providers. This includes At smaller organisations, an evaluation may be
understanding the extent of an organisation’s more ad-hoc or informal based on the complexity
dependence on a provider’s service, what data of the strategy.
a provider may hold or have access to, the
There may be events or circumstances where it is
jurisdiction of not just the provider but where
appropriate for the board to review the strategy
they will store the organisation’s data, and any
outside the annual process. For example, when
vulnerabilities associated with the arrangements
an organisation experiences a significant cyber
that may exist.
incident, a key component of recovering from
At larger organisations, management should the incident would be to reflect on whether the
report regularly to the board on the cyber security strategy requires amendment. In addition, a
capability and performance of key providers as a sudden change to the threat environment, for
component of monitoring the cyber strategy. instance an industry peer experiencing a significant
Obtaining a view of a provider’s cyber security incident, may warrant the board reflecting on the
capability may be achieved through interviews, organisation’s strategy and cyber posture.
testing or certification checks. The board may
For larger organisations, it is better practice for
also obtain additional oversight on key providers
the evaluation to be conducted by an external
from the provider itself presenting to the board
party, which is genuinely independent, and
and/or the use of independent assurance.
the report presented to the board unfiltered
For smaller organisations, there may be barriers by management. This approach provides an
to obtaining specific information from large impartial perspective that assists directors in
service providers about their cyber resilience due assessing the performance of the strategy.
to differences in bargaining power and/or the
provider offering standard terms and conditions.
However, the organisation should still have a clear
understanding of, or criteria for, what cyber-
resilient practices there should be in place to
provide confidence.

BOX 2.4 SMEs AND NFPs – PRACTICAL CYBER CAPABILITY ENHANCEMENTS

1. Utilise the ACSC Cyber Security Assessment Tool to identify the cyber security strengths of the
organisation and understand areas for improvement
2. Assess whether utilising reputable external providers will enhance cyber resilience over
managing in-house
3. Assess whether there is certain data (e.g. employee or customer data) that does not need to
be collected
4. Establish an Access Control System to determine who should have access to what
5. Regularly repeat cyber security training and awareness amongst all employees
6. Promote strong email hygiene (e.g. avoid suspicious email addresses and requests for login or
bank details)
(Source: Drawn from ACSC Small Business Cyber Security Guide)

26
 Principle 2: Develop, implement and evolve a comprehensive cyber strategy

Case Study 2: Third party supplier risk

The board must have a level of oversight of the “So often I see, ‘It’s okay, they are managing that
processes for appointing and monitoring the for us’,” Ms Brenner said. “But how do we have
third-party suppliers that store and manage an confidence that these key arrangements and
organisation’s key digital assets, according to controls are properly understood, overseen and
director Catherine Brenner FAICD. governed?’.
Key to ensuring the appropriate level of visibility Ms Brenner advises directors to be aware of
at the board level is developing a strong data where, how and when data is collected by the
governance framework. organisation, its nature and volume, and where
it is held, both by which providers and in which
• As a first step, the board must understand
locations and for how long. This can be done with
what the organisation’s key digital assets are
summary dashboard reporting. Then, directors
(or ‘crown jewels’), who has access to them
can question the risk controls behind that data
and how that access is managed (including
management. Directors do not need to see
for example, what consent frameworks are
granular data on provider performance but must
in place).
be in a position to verify what is presented to the
• Secondly, the board needs to understand board.
what privacy laws apply, and what obligations
“Ensuring compliance with privacy laws is a key
their organisation owes, in respect of the data
part of the cyber piece,” Ms Brenner says. “If
it holds.
you’re getting the data governance and privacy
Ms Brenner says organisations often take comfort piece right, then it is a great part of mitigating
in storing key data with a third paper cloud-based cyber security risk.”
provider, for example, but the board needs to Catherine Brenner FAICD is the Chair of
understand how the organisation has confidence Australian Payments Plus, Director of Scentre
in the cyber and data management risk controls Group, Emmi and The George Institute for
of both the provider and the organisation itself. Global Health

27
CYBER SECURITY GOVERNANCE PRINCIPLES

Principle 3:
Embed cyber
security in existing
risk management
practices

Cyber-risk appetite
KEY POINTS Cyber-risk appetite is, in broad terms, the risk
that an organisation is willing to take in its digital
1. Cyber risk, despite its prominence and
activities to achieve its strategic objectives and
velocity, is still an operational risk that fits
business plans. Importantly, an organisation’s
within an organisation’s existing approach
cyber-risk appetite is distinct from its cyber-
to risk management
risk profile, which commonly represents an
2. While cyber risk cannot be reduced to organisation’s ‘point in time’ position with respect
zero there are a number of accessible and to cyber risk once controls have been factored in
low-cost controls that all organisations (discussed below).
can utilise
A clear cyber-risk appetite can be used as an
3. The board should regularly assess the input by directors and management to inform
effectiveness of cyber controls to account current and future business activities, as well
for a changing threat environment, as overall strategic decision making and the
technology developments and the allocation of resources. For example, a cyber-risk
organisation’s capabilities appetite would inform whether an organisation
partners with a third party, particularly if the
arrangement involves the third-party utilising
or handling the key digital assets (i.e. ‘crown
jewels’) of the organisation. Further, it may assist
in investment decision making and where a board
should prioritise additional resources for cyber
security controls.

28
 Principle 3: Embed cyber security in existing risk management practices

Larger organisations may have a board-approved Developing and overseeing controls

risk-appetite statement that incorporates all
Where possible, it is appropriate to embed the
relevant risks, including cyber, to present the
management of cyber risk into existing risk-
organisation’s holistic risk appetite.
management controls and processes. For larger
For smaller organisations, documenting a cyber- organisations this may be ensuring cyber risk
risk appetite in detail may not be necessary. is reflected in the enterprise risk management
Rather, directors should determine the level of risk framework. An embedded approach can enable
the organisation will tolerate in undertaking its directors to assess the interaction or impact of
business activities and objectives. other risks on cyber and vice versa.
Having a zero or very low cyber-risk appetite Risk controls or strategies are the mechanisms by
is unlikely to be appropriate or achievable in which an organisation seeks to avoid, mitigate or
an increasingly digitally connected economy. transfer cyber risk.
A balanced cyber-risk appetite would recognise
the inherent risk that comes with doing business  OX 3.1 QUESTIONS FOR DIRECTORS
B
in a digital economy, while taking a pragmatic TO ASK
approach to managing this risk in the context
of business opportunities. For example, an SME 1. Does the organisation have a cyber risk
may identify that there are cyber risks associated appetite and is it being utilised in strategic
with outsourcing website payment processing decision making?
to a cloud provider. However, this strategy 2. Is cyber risk specifically identified
may outweigh the cyber risks associated with in the organisation’s risk
managing payments in-house. management framework?
3. How regularly does management present
to the board or risk committee on the
effectiveness of cyber risk controls?
4. For a larger organisation, is there external
review or assurance of cyber risk controls?

29
CYBER SECURITY GOVERNANCE PRINCIPLES

In general, management is responsible for For all organisations, the ACSC’s Strategies
developing, implementing and managing risk to Mitigate Cyber Security Incidents provides
controls. In larger organisations, a dedicated risk/ a comprehensive resource for operationally
audit or technology committee allows directors focused cyber-risk controls, including a number of
to more closely oversee management. For practical steps smaller organisations can take in
smaller organisations, this oversight may occur mitigating cyber risks.
in an informal manner, for example through
For larger organisations, traditional risk-control
conversations with key personnel. However, it is
frameworks, such as the three lines of defence,
central to sound risk governance that directors
can be readily utilised for managing cyber risk.
understand what cyber risks exist, what controls
The advantage of utilising already embedded
are in place to reduce or mitigate those risks, and
risk frameworks is they are understood across an
how those controls are performing.
organisation and draw upon the expertise of key
Cyber-risk controls will ultimately depend on risk and compliance staff, reducing the likelihood
an organisation’s size, complexity, information that cyber risk remains the sole responsibility of IT
systems and infrastructure and cyber-risk or digital teams.
appetite. However, there are common stages of
risk control that can be applied in organisations
of all sizes to manage cyber risks.

30
 Principle 3: Embed cyber security in existing risk management practices

Avoid • Avoiding cyber risks through ceasing or eliminating certain activities

• For example, avoiding the collection and storage of unecessary
customer data

Mitigate  • Reducing cyber risks by implementing internal processes or utilising

external service providers
• For example, implementing multi-factor password authentication,
ensuring patching and anti-virus software is up to date and educating all
staff on what cyber threats to look out for on a daily basis

Transfer  • Transfering, in part or fully, specific elements of cyber risk to external

third parties
• Outsourcing systems and functions to third party providers may alleviate
an organisation having specific IT infrastructure and systems

31
CYBER SECURITY GOVERNANCE PRINCIPLES

Measuring and evaluating

internal controls
 OX 3.2 SMEs AND NFPs – RISK
B
Periodic reporting and regular engagement with CONTROLS
management on the performance of risk controls
can provide directors with meaningful insights. 1. Patch and update applications and
However, by themselves it may be challenging anti-virus software
for directors to assess the effectiveness of risk 2. Configure Microsoft Office macro
controls, in part due to the rapidly evolving nature settings (e.g. only allow macros from
of cyber risk and the lack of established metrics trusted sourced)
for cyber performance.
3. User application hardening – limit
In practice, effective cyber controls could mean interaction between internet applications
that attempted cyber threats or incidents have and business systems
little to no impact on business operations or key
4. Limit or restrict access to social media and
assets, due to the effectiveness of the measures
external email accounts
put in place to mitigate the threat. While this is
a good outcome, it may not accurately reveal 5. Restrict use of USBs or external hard drives
the underlying role of controls in preventing
6. Restrict operating system and software
incidents. The absence of no or few reports on
administrative privileges
cyber incidents should have directors on notice
to engage regularly with management to 7. Implement multi-factor authentication
understand what inputs are informing the level of
8. Maintain offline backups of key data
risk assessment.
9. Ensure that departing employees and
Directors should also assess whether prominent
volunteers no longer have access to
cyber incidents that impact other organisations
systems and passwords
warrant an evaluation of risk controls, including
asking management whether a similar incident
would inflict damage to the organisation and
what steps need to be taken to mitigate against
a similar incident. All directors should treat other
incidents as simulations.
BOX 3.3 GOVERNANCE RED FLAGS
As discussed in Principle 2, at least annually,
directors should reflect on the cyber risk controls 1. Cyber risk not reflected in existing risk
of the organisation and whether the cyber-risk management frameworks
appetite remains appropriate, having regard to 2. High management confidence that cyber
the evolving external threat environment and risk controls are effective without regular
internal capabilities. external validation
For larger organisations, it may be appropriate 3. Over reliance on the cyber security controls
to have an annual external audit or assurance of of key service providers, such as cloud
cyber risk controls. software providers
4. Cyber security controls of potential vendors
are not assessed in the procurement
process for key goods and services
5. Prolonged vacancies in key cyber roles

32
 Principle 3: Embed cyber security in existing risk management practices

Case Study 3: Constantly evolving risk management practices

Reflecting on how boards should approach cyber • External audit, review and penetration
risk management, experienced non-executive testing which are conducted by rotating
director, Melinda Conrad FAICD, noted that providers to ensure they are “not marking their
while cyber risk is an operational risk, it is not a own homework”. This overlay allows directors
static risk. to test what management is reporting to
the board and provides visibility of how an
The cyber threat environment is dynamic and
organisation is benchmarked against industry
constantly evolving, often at a much faster pace
peers and standards frameworks.
than other operational risks an organisation
faces. It is for this reason that oversight of cyber Melinda Conrad FAICD is a Director of ASX
risk warrants an elevated focus by the board, and Limited, Ampol Australia, Stockland, Penten and
directors should be continuously looking for ways The Centre for Independent Studies
to uplift their skills and knowledge and identify
where external help may be needed.
In Ms Conrad’s view, effective levers to assist
a board’s oversight of cyber risk management
within an organisation include:
• Setting a cyber risk appetite as a tool to guide
investment decision making and evaluating the
adequacy of risk controls. In determining the
cyber risk appetite, boards should take the time
to understand the organisation’s key assets (or
“crown jewels”) which could be most impacted
by a cyber event.
• Regular reporting to the board using both
lead and lag metrics. In addition to reporting
on the technical aspects, such as patching
and perimeter protection practices, the board
should also focus on how “cyber hygiene” is
being practiced across the company—what is
the percentage of staff who have completed
cyber awareness training? What is the staff
phishing failure rate? The outcomes of these
metrics can then be assessed against the
board’s risk appetite so that there is alignment
with management on what is an acceptable
cyber risk position for the company.

33
CYBER SECURITY GOVERNANCE PRINCIPLES

Principle 4:
Promote a culture
of cyber resilience

Creating a cyber security mindset

KEY POINTS from the top down
1. A truly cyber resilient culture begins Building a cyber resilient culture is the
at the board and must flow through responsibility of everyone, however the board
the organisation and senior management has a central role to
play in promoting and demonstrating a cyber
2. Regular, engaging and relevant training security mindset. Governance decisions, and the
is a key method to promote a cyber oversight of cyber risk management, should seek
resilient culture, including specific training to promote a culture of cyber resilience across the
for directors organisation – that is, the day-to-day attitudes
3. Incentivise and promote strong cyber and conduct of staff in their interactions with
security practices, including participating in the digital world. Frequently significant cyber
phishing testing and penetration exercises incidents have an element of human error (e.g.
in a manner that builds awareness an employee opening a malicious email) and a
genuine culture of cyber resilience is a crucial, and
often overlooked, cyber control. Building cyber
resilience in staff will both improve cyber resilience
in workplace settings as well as when staff use
work devices in home settings. Initiatives that
directors can require of management fall into
three main categories outlined below.

34
 Principle 4: Promote a culture of cyber resilience

Behaviour and • Ongoing cyber awareness training is completed by all

employees, including by directors
language • Embedding a common and accessible language when
talking about cyber security
• Being open and honest about cyber risks to the organisation
and encouraging all staff to play their role in promoting
cyber resilience
• Cyber training and phishing exercises promote a culture of
continuous learning rather than criticising employees for
poor understanding

Governance  • Clearly defining key roles and responsibilities for cyber

security management
• Ensuring cyber security strategy and risk management
are standing items for the board or meetings of the board
audit/risk/technology committee
• Developing a comprehensive Response Plan in the event of a
cyber security incident (see Principle 5)

Incentives  • Developing KPIs and incentives for management, key

personnel and/or where appropriate, all staff, to ensure
cyber security performance, including both sound cyber risk
management practices and execution of the cyber strategy
• Rewarding conduct such as transparency and early reporting
of cyber breaches (or attempted breaches such as phishing)

35
CYBER SECURITY GOVERNANCE PRINCIPLES

Skills and training

 OX 4.1 QUESTIONS FOR DIRECTORS
B
Effective cyber security policies alone are not
TO ASK
sufficient to promote cyber resilience across the
organisation. While policies may explain where risks 1. Is cyber security training mandatory across
lie, ongoing training and education is necessary. the organisation?
It is critical that cyber security training is 2. How often is training undertaken?
implemented beyond the induction or orientation
process for new staff, including directors. 3. Is training differentiated by area or role?
Engaging and relevant training will reinforce 4. How is the effectiveness of training
sound cyber hygiene practices and an overall measured?
culture of cyber resilience. Cyber training should
5. What are the plans for building the cyber
take place at least annually and the board
security awareness of directors and
through reporting should have visibility of training
senior executives?
performance, including differences between
business areas.
In larger organisations, it may be appropriate
that certain business functions or key personnel
that have greater exposure to key digital assets,
systems and infrastructure receive more in-depth
training and more frequently. External training
providers can assist with technical “deep dives”
where appropriate for specific cohorts of staff.
Cyber awareness training and technical “deep
dives” should not be limited to staff, with directors
and senior executives undertaking similar cyber
security training and upskilling.

36
 Principle 4: Promote a culture of cyber resilience

In addition to training, best practice at larger

 OX 4.2 SMEs AND NFPs – CYBER
B organisations is for directors and senior executives
RESILIENT CULTURE to have additional technical controls and security
settings associated with use of systems (e.g.
1. Mandatory training and phishing email) and devices.
testing for all employees, and volunteers
where appropriate For organisations where cyber security risk is
highly material and/or tied to an ambitious
2. Regular communications to employees on strategic agenda (e.g. digital transformation) it
promoting strong cyber practices, including may be appropriate for a director to hold cyber
email hygiene. The communications could security or digital skills. In such cases, having a
be electronic (e.g. email reminders) or director with deeper knowledge may provide the
physical (e.g. signage in the workplace) full board with additional insight, although it is
3. Incentivise strong cyber practices, for critical that remaining board members do not
example small rewards for performance on abdicate responsibility for cyber security to that
phishing exercises one individual.

4. Pick a staff member to be a ‘cyber security Becoming cyber literate can help directors gain
leader’ to promote strong cyber practices confidence in their understanding of the cyber
and respond to questions from other staff threat landscape, the potential impacts that cyber
failings can have on the organisation, strategies
5. Subscribe to ACSC alerts to stay across for improving cyber resilience, as well as response
emerging cyber threats and recovery in the event of cyber incidents.
Directors should also keep across the evolving
cyber security regulatory landscape, including legal
obligations that may apply to their organisation.
Critically, this requires an understanding of
the organisation’s notification requirements to
regulatory and reporting bodies such as the OAIC,
APRA and the ACSC in the event of a cyber incident.

37
CYBER SECURITY GOVERNANCE PRINCIPLES

Collaboration
Directors can also instill an outward and
proactive focus on the cyber threat landscape
by encouraging management to participate
in information sharing and collaboration
with regulators and industry peers, within
legal constraints.
Directors should test whether their organisation
is contributing to formal intelligence exchanges,
such as threat information, and whether
this network is providing timely updates on
emerging threats. Large organisations, for
example, are encouraged to participate in the
ACSC Partnership Program and Joint Cyber
Security Centres.
Management should also be encouraged to
contribute to collaborative industry fora that can
share information on effective risk control and
may be able to assist in cyber incident recovery,
for example through pooling of resources to
support impacted organisations

BOX 4.3 GOVERNANCE RED FLAGS

1. Board and executives do not undertake

cyber security education nor participate
in testing
2. Cyber security is not reflected in the role
statements and KPIs of key leaders
3. Communication from leaders does not
reinforce the importance of cyber resilience
to staff (cyber is seen as an issue for IT staff
to manage)
4. There is a culture of ‘exceptions’ or
workarounds for board and management
with respect to cyber hygiene and resilience

38
 Principle 4: Promote a culture of cyber resilience

Case Study 4: Resilience testing is key to promoting a

culture of cyber resilience
Experienced director Anne Templeman-Jones 5. The board should participate as observers
FAICD has found that testing is central to during a ransomware exercise and a committee
promoting a culture of cyber resilience across of the board be delegated to work with
an organisation. Ms Templeman-Jones’ key management to consider information as it
observations as a director participating in comes to light. These may be aspects such
resilience testing are: as business and customer impact, regulator
communications, and any required disclosure.
1. “To pay or not to pay” isn’t the biggest issue
The committee might consist of the CEO/MD,
nor guarantee your data is returned with the
Chair of the Board, Chair of the Audit and Risk
encryption key and operating environment is
Committee and the Group Counsel.
restored. The speed at which you can restore
the operating environment and access to data 6. The fastest route to restoration in the event
is critical for avoiding business failure. of a significant cyber security event is having
secure backups, an operating platform
2. Seek legal advice on paying a ransom prior
alternative upon which to restore and one that
to an event, so that you are well informed
has been tested and re-tested.
of Australian law, director’s obligations and
laws in other jurisdictions in which you or your 7. Some director responsibilities cannot
customers may operate. You will need to have be delegated during a significant cyber
this advice refreshed should an incident occur security incident:
and before you make a decision.
– in respect of any contractual arrangement
3. A cyber strategy must be designed to protect, with third parties brought in to assist and
respond and reactivate. This requires a the decisions they might make in terms of
framework that is tested through regular a course of action – consideration should be
controlled and uncontrolled outages. given to whether this does this give rise to
Penetration tests and white box exercises questions of being a shadow director?
(be they by management or third parties)
Anne Templeman-Jones FAICD is the Chair of
are excellent methods to learn how to be
Blackmores Ltd, director of Commonwealth
prepared to respond. Internal Audit can also
Bank of Australia, Worley Ltd, Trifork AG and
play a role in identifying weaknesses in the
the CSCRC
control environment and opportunities for
improvement.
4. To create a cyber security mindset, the board
and management need to know what data
and systems are valuable, what types of cyber
crises they may need to manage should the
data be stolen or systems compromised, and
can operations be restored in the event of
an attack:
– Data – know what it is, where it is and
its value;
– System resilience and the ability to restore
operations – has management tried a shut
down and full restore from a backup? What
is the alternative if your platform is also
compromised;
– What is the stakeholder communication
strategy – for example which law
enforcement agencies need to be contacted,
what backup plans might you have with
other providers to assist customers?

39
CYBER SECURITY GOVERNANCE PRINCIPLES

Principle 5:
Plan for a
significant cyber
security incident

Preparation
KEY POINTS A board and organisation that is well prepared for
a significant cyber incident will be in a stronger
1. All organisations are susceptible to a
position to mitigate impacts to its business
significant cyber incident and directors
operations, reputation and stakeholders, as well
should proactively plan for an incident
as recover in a timely manner.
2. Simulation exercises and scenario testing
Directors should appreciate that, following a
are key tools for the board and senior
significant cyber incident, information may be
management to understand and refine
fluid and there may be inaccurate or unverified
respective roles and responsibilities
material being spread via media, chat forums and
3. A clear and transparent approach to elsewhere on the Internet. Such information may
communications with all key stakeholders be disseminated by the actual perpetrator of the
in a significant cyber incident is critical attack or others impersonating them to create
in mitigating reputational damage and confusion or profit opportunistically.
allowing for an effective recovery
For this reason, communications during a ‘live’
cyber incident must be planned beforehand
so there is a consistent approach as to how
the organisation will shape the narrative, who
their external incident responders will be, and
which experts will be critical in shaping the
communications. This way, irrespective of the
media attention and counter narratives that may
circulate during the incident, the organisation
will be able to respond to all stakeholders in a
constructive and measured way.

40
 Principle 5: Plan for a significant cyber security incident

CYBER INCIDENT RESPONSE PLAN 3. Triage and immediate response: Steps to

identify that a cyber incident is occurring
A documented cyber incident response plan
and to assess the severity, including impact
(Response Plan) can be a key tool in ensuring an
on business operations, reputation and key
organisation is well placed to respond effectively.
stakeholders (e.g. customer or employee
Significant cyber incidents can be incredibly
data, suppliers/vendors) and whether
complex with a high number of variables that
any external criminal reporting, insurance
make comprehensive planning challenging.
notification or regulatory notification/market
However, developing a Response Plan is a key
disclosure obligations may be triggered.
tool in ensuring that those involved at the board
Serious consideration should be given to
and operational level have a clear understanding
enlisting external support at this time, such as
of their respective roles and responsibilities.
from cyber incident response experts and/or
The Response Plan is a core component of an
government agencies such as the ACSC.
organisation’s broader cyber strategy or policy. For
larger organisations, the Response Plan may also 4. Containment and eradication: Strategies for
be a component of broader business continuity limiting the scope of the cyber incident will
and crisis management planning. differ by the nature of the incident. Steps for
containing and eradicating an attack may
The Response Plan would seek to cover a series
include taking affected systems offline or
of potential incidents (e.g. ransomware, denial-
isolating unaffected systems to prevent spread
of-service) and be informed by scenario and
of malware.
simulation exercises, discussed below. Appendix A
provides a summary of the threat of data theft, 5. Communication: Specific communication
including ransomware, and a high-level decision channels for staff and impacted customers,
tree for how a board may approach a data including engagement with law enforcement
theft event. agencies, government, regulators, media,
and other affected parties (e.g. those whose
Key elements of a Response Plan include:
data may have been compromised) as well
1. Responsibilities: The Response Plan should as the broader public. It should be clear who
set out what business functions and key will be responsible for communicating with
personnel will be responsible for implementing which stakeholders. Cyber incidents tend to
key steps in the plan, including the board. be fast moving and very dynamic. While the
Primary responsibility for enacting the incident itself that can be damaging, how an
Response Plan is at the operational level, rather organisation handles the incident can be just
than the board, and could include a cross- as damaging to their ongoing reputation.
organisational response team of staff from IT,
6. Recovery: Steps for not only rebuilding systems
communications, legal, a representative from
and infrastructure, including new investment in
the senior executive leadership team, as well as
IT systems if necessary, but also for examining
a nominated director. It should also include any
‘lessons learnt’ and identifying strategies to
third-party external experts who could assist in
minimise the risk of a similar incident occurring
the event of an incident.
in the future.
2. Resources: What resources those responsible
with responding to the incident will draw
upon – for example, physical resources (e.g.
computer assets, data back-ups), key internal
expertise (e.g. cyber security, legal) and
external expertise and support (e.g. crisis
advisors, legal advisors, cyber insurer support,
communications support).

41
CYBER SECURITY GOVERNANCE PRINCIPLES

Cyber Strategy
Cyber Incident
Response Plan

Post-incident
Cyber incident
review, lessons
detected
learned

Cyber Incident
Life Cycle
Recovery Triage -
and remediation determine
steps severity

Communicate
Contain and
with key
eradicate
stakeholders

Directors should approve the Response Plan and Maintaining hard copies of cyber incident
have an understanding of the responsibilities of response plan documents – and other documents
the board and/or specific directors in the event – is essential. In the event of an incident, the
of an incident. The Response Plan should be organisation’s systems may be inaccessible.
cascaded through the organisation with key staff
While a Response Plan will need to be tailored
aware of it and their roles and responsibilities.
to each organisation, its personnel and assets,
The Response Plan should be reviewed on a a range of templates are available, such as
regular basis and be updated based on changes the Victorian Government Incident Response
in environmental factors (e.g. emerging threats), Plan Template, and the ACSC Cyber Incident
organisational structure and any changes to Response Plan Guidance and Template.
the key digital assets (or ‘crown jewels’) of
the organisation.

42
 Principle 5: Plan for a significant cyber security incident

Response Organisations can undergo a simulated

cyber incident to test the robustness of its
Simulation exercises and testing are key tools in Response Plan, with a particular focus on the
preparing directors, and the broader organisation, key steps as ’Triage and immediate response’,
to respond effectively to a significant cyber incident. ’Communication’, and ’Recovery’. The board
Many organisations prepare for a cyber incident should be closely involved in these exercises,
by having third-party providers test and practice with a focus on understanding the distinct
their systems with simulation exercises. This can responsibilities of management and the board.
help assess whether the processes in place under Simulation exercises can take a range of forms.
the Response Plan are appropriate, and provide For smaller organisations, it may be appropriate
the opportunity to fine-tune approaches. These to just discuss or run a step-by-step walk through
‘rehearsals; allow directors to become familiar of the Response Plan. For larger organisations,
with their oversight responsibilities and/or identify it may be appropriate to run a full coordinated
areas for improvement while working through the response exercise where external providers
scenario with management and experts. conduct a cyber incident simulation and assess
an organisation’s response and recovery effort
 OX 5.1 QUESTIONS FOR DIRECTORS
B
Exercises could cover:
TO ASK
• Real-time analyses of the simulation incident
1. Do we have a Response Plan informed by and the impacts (with the response team not
simulation exercises and testing? being pre-briefed on the details);
2. What role does the board have • Dealing with changing scenarios (e.g.
in communications and/or an escalation in the severity of the data
public announcements? compromised in a ransomware attack);
3. In the event of data loss or theft what • Testing business continuity if key systems go
is the plan for communicating with down; and
customers and employees?
• Preparing external and internal
4. Are we aware of our regulatory obligations communications (preferably based off pre-
to notify or report the incident? prepared materials such as draft FAQs and
5. Can we access external support if media releases with standard messaging pre-
necessary to assist with response? prepared which can be used for first release to
customers, media and impacted stakeholders).

Once the simulation exercise is complete, it is

 OX 5.2 SMEs AND NFPs – PLAN
B
critical to reflect on the outcomes, how teams
AND RESPOND
responded and update the Response Plan to
1. Prepare an incident response plan utilising ensure key learnings are embedded.
online templates if appropriate.
2. If practical conduct a simulation exercise or
test various scenarios against the incident
response plan.
3. Ensure physical back-ups of key data and
systems are regularly updated and securely
stored.
4. Maintain offline lists of who may assist in
the event of a significant cyber security
incident and which key stakeholders to
communicate with.

43
CYBER SECURITY GOVERNANCE PRINCIPLES

Communications Where there has been a significant incident, in

addition to any regulatory notification obligations,
A clear and comprehensive approach to
it is important that those whose data has been
communications during a significant cyber
compromised (most acutely customers) are
incident is critical. Many organisations have
advised quickly.
experienced greater reputational damage
from poor communications rather than the
incident itself. This can range from not clearly BOX 5.3 GOVERNANCE RED FLAGS
communicating the key facts of the incident,
including how the organisation stored and 1. The board and senior staff have not
protected key data. undertaken scenario testing or incident
simulations to test the Response Plan
While ultimately the responsibility of senior
management, the board will often have close 2. Likely scenarios and consequences
involvement in the approach to communications are undocumented with lessons from
due to its importance to stakeholder relationships, simulations not being captured
including with regulators, customers and staff. 3. It is not clear how communications with key
It is vitally important that an organisation stakeholders will be managed in the event
communicates as quickly and transparently as of an incident
possible with key stakeholders (most acutely
customers) on the nature and potential impact 4. No post incident reviews with board
of the cyber incident. However, assessing the full and management
extent and severity of a cyber incident can take
some time. In some cases, it may be appropriate
Directors of ASX listed organisations should
to acknowledge that the direct cause of the
also bear in mind their continuous disclosure
incident and/or impact to business operations
obligations under the ASX Listing Rules and
and stakeholders may not yet be known, and to
Corporations Act. Directors will need to consider
update stakeholders as the situation evolves.
whether the cyber incident is likely to have
Organisations should be mindful that what may an operational or reputational impact that
appear to be a ‘fact’ early on can sometimes materially affects the company’s share price
be false. Therefore, ‘facts’ can change and that and if so, disclose this information to the market
communications will need to acknowledge that as soon as possible after becoming aware of
cyber incidents can often evolve. In doing so, the incident – failure to do so may trigger a
organisations should be clear on what facts are regulatory response and/or create class action
known, and unknown, so that there is appropriate risk. More broadly, regulators, investors and other
transparency and stakeholder expectations can stakeholders may expect listed company directors
be managed. to disclose cyber security risks as part of other
regulatory disclosures such as the Operating
and Financial Review which outline material
ACSC – REPORTCYBER business risks.
Organisations of all sizes are encouraged
The Response Plan should be clear on
to report significant cyber incidents to the
responsibilities for real time managing and
ACSC. Reporting can assist an organisation
approving of communications, including the role
receive support and also provides visibility
of the board, and who will engage with regulators
to the ACSC of current threats to Australian
and law enforcement bodies or make statements
organisations.
to the media. Depending on the organisation
Reporting can be done via the ACSC website’s and the incident, notification requirements may
ReportCyber portal. include the OAIC under the Notifiable Data
The ACSC 24-hour Cyber Security Breaches scheme in the Privacy Act and the ACSC
Hotline(1300 CYBER1) is a key source of advice under the SOCI Act.
for individuals and SMEs.

44
 Principle 5: Plan for a significant cyber security incident

Recovery
 OX 5.4 KEY POST-INCIDENT
B
A comprehensive Response Plan should also REVIEW QUESTIONS
address what happens once the immediate crisis
has passed, outlining the process for recovery. 1. What have we learnt about our existing
Operationally, this can include the approach to systems, controls and cyber behaviour,
recovering IT networks, systems and applications including weaknesses?
to ensure business continuity. This may be done in 2. Did everyone know their respective roles
partnership with external IT advisers. and follow them?
For directors, a key role in the recovery phase is to 3. Did the organisation become aware of the
assess where improvements may be required to incident within an appropriate timeframe?
an organisation’s risk management controls and Was the incident reported to us by a third
cyber strategy. For larger organisations, a post- party like a vendor or the media? What
incident review may assist in identifying lessons does this tell us about monitoring and
learned and ultimately promote a cyber resilience reporting controls?
culture. Key questions or issues that would be
covered in a post-incident review are highlighted 4. Were the Plan steps, responsibilities and
in Box 5.4. procedures followed? Did the steps mitigate
the impact of the incident?
As highlighted in the case study below,
an organisation that learns from a cyber 5. Was the board appropriately briefed about
incident is in a far stronger position to prevent the incident and had sufficient oversight
future incidences. and visibility of management actions?
6. What improvements could be made to
communication plans?

45
CYBER SECURITY GOVERNANCE PRINCIPLES

Remediation
Although an organisation that is a victim of an
attack may feel aggrieved that they have had
data stolen or leaked, they should not lose sight of
who has been most compromised by the breach.
The organisation’s response must be crafted with
those most impacted front of mind.
Where a major cyber incident has occurred and
especially where it involves the loss of sensitive
personal data, the organisation should decide
what support and/or compensation should be
offered to those impacted. For some customers,
even the thought of having their personal data
exposed is enough to cause anxiety, stress and an
overwhelming sense of powerlessness. Where the
organisation identifies it has vulnerable customers
(e.g. victims of domestic violence) that have been
impacted it should consider providing additional
targeted support.
Where the organisation identifies it has vulnerable
customers (e.g. victims of domestic violence) that
have been impacted it should consider providing
additional targeted support.
At a minimum, support for all customers
might take the form of advising them of what
recommended steps they should take to mitigate
the impact of the lost data (for example identity
theft risk) and where they can go to access more
expert advice or support (e.g. credit monitoring
services or IDCare).
It is better practice though, in a situation where
people have been significantly exposed by a cyber
breach, for the compromised organisation to offer
to pay compensation (financial or in-kind)
and/or provide reimbursement for any out-of-
pocket expenses incurred in seeking to mitigate
their actual or potential loss.

46
 Principle 5: Plan for a significant cyber security incident

Case Study 5: Major cyber attack on Toll Group

In early 2020 Toll Group, one of Australia’s largest But the challenge was inherent in the complexity
logistics providers, suffered significant cyber of the event, he said, requiring communications
incidents that crippled its business operations and to be constantly updated and refined as further
ultimately threatened its solvency. details were uncovered.
For John Mullen, then Chair of Toll, the “As a board we got far more involved [in cyber
ransomware attacks were both an existential IT resilience] following the incidents,” he said. “It
crisis and a profound challenge to the company’s really, really sharpens your focus. It’s such a
ongoing operations. complex and fast-moving area that it can be
challenging for directors to stay on top of the risk.
“It rapidly moved, for me as Chairman, from
We went back to square one assuming we were
being an issue of what is our IT preparedness
more vulnerable.”
and what is our strategy, through to a potential
insolvency issue,” Mr Mullen said. “We had over He said for all those reasons, directors should
50,000 employees around the world who we pay seek independent oversight on a regular basis,
every week, and we couldn’t collect cash from comparing cyber assurance to an auditor’s review
our customers. of financials.
“That became my major preoccupation.” “It needs to be regular,” he said. “You don’t say,
‘We’re not going to do an audit this year, we
The Toll Group cyber-attacks have become one of
did that last year’, you just wouldn’t do that
Australia’s most high-profile incidents.
with finances. You need to systematise [cyber]
Mr Mullen said the attack highlighted to as well.”
companies and directors the potential for
Mr Mullen said the incident was a warning to
significant damage that a successful ransomware
all organisations – especially small and medium
attack can wreak on a company.
businesses – to be aware of the profound risks
“We had no reason to believe that something of of cyber security incidents and take actions to
that magnitude would happen,” he said. “We had mitigate them. “Do not think you’re immune,” he
done all the right things. But that was a lesson. said.
Do the right thing and you can still be in trouble.”
John Mullen AO is the Chair of Telstra, Brambles
Mr Mullen credits the Toll executive team for and the Australian National Maritime Museum
providing detailed and timely information
throughout the crisis. Directors were also
able to access external advisers, separate
from management.

47
CYBER SECURITY GOVERNANCE PRINCIPLES

Appendix A:
Cyber extortion
-Ransomware
and data theft

In 2021 the ACSC identified ransomware as the most serious of the

cybercrime threats facing Australia due to its high financial and
operational cost and other disruptive impacts to victims and the
broader Australian community. As highlighted in Case Study 5, such is
the impact of ransomware that it can imperil the ongoing solvency of
an organisation.

Ransomware and data theft

LEGALITY OF RANSOMWARE PAYMENTS
Data theft involves criminals accessing an IN AUSTRALIA
organisation’s systems and extracting key data.
Australia does not currently have any laws
The most common form or method of data theft that explicitly prohibit the payment of ransom
is ransomware - a form of malware designed to demands. However, the ACSC has clear advice for
seek out vulnerabilities in the computer systems organisations not to pay a ransom, as amongst
of organisations, both large and small, locking up, other issues, there is no guarantee it will regain
an organisation’s access to their data and it may
stealing and encrypting data, and rendering
incentivise future attacks.
computers and their files unusable. The
ransomware attack is accompanied by a demand Although there is no express prohibition on the
for ransom to be paid, often in cryptocurrency, in payment of cyber ransoms in Australia, there
return for decrypting and unlocking systems. are certain laws in place that mean doing so
could amount to a criminal offence depending
In recent times, as companies have moved to on the facts. These laws include the Anti-Money
protect themselves against ransomware attacks, Laundering and Counter-Terrorism Financing Act
including by ensuring they have adequate back- 2006 (Cth) and the Criminal Code Act 1995 (Cth).
ups (as one example), the extortion model has An organisation experiencing a data theft event
changed to include data extortion, with the should obtain legal advice on paying a ransom
threat of disclosure or the sale of data on the or extortion.
dark web.
48
 Appendix A: Cyber extortion -Ransomware and data theft

Board decision-making Nonetheless, directors should recognise that data

theft incidents can be very messy with events
Whether to pay a ransomware or data theft
moving rapidly and information or facts difficult
extortion raises difficult legal and ethical
to determine. In addition, communicating and
questions for directors, including whether a
negotiating with criminal threat actors adds
payment promotes further attacks on the
significant unreliability and limited trust, including
organisation. Obtaining external legal advice will
whether the stolen data will be deleted and not
often be necessary.
otherwise exploited.
It is important to remember that even if an
Key to board decision making in a data theft
organisation pays the ransom, it does not
event is obtaining expert external advice, this will
guarantee full recovery of their data or that the
likely include cyber security expertise, legal advice,
threat actor will not retain a copy of the data.
communications or public relations support
The effectiveness of an organisation’s response and close communication with cyber insurers (if
to an extortion event involving ransomware applicable). For many organisations, including
and /or data theft will depend on how prepared those under the SOCI Act, there will often be
both management and the immediate response obligations to notify /regulators and impacted
team are for such an incident. Developing a individuals within a specified time frame.
cyber incident response plan and the board
The below decision tree provides a high-level
undertaking simulations (including ransomware
overview of steps and factors directors should
and data theft war game exercises) together with
consider in the event of a significant data theft
management are key steps directors can take.
event or ransomware attack.
Principle 5 discusses preparation and recovery in
further detail.

DECISION TREE

Assess data Assess recovery

Establish team, loss and options,
including potential Undertake
including data
external damage to recovery
backups
experts operations

Pay Consider
Assess recovery
Ransomware Cyber incident remediation of
Decision by options,
or extortion response plan parties that have
board including data
demand or playbook experienced data
backups
Don’t pay loss or damage

Communications
with staff and Understand Assess legality
Obtain data:
affected parties demands of of making a
assess for
(e.g. customers, criminal, incl ransom
damage or loss
insurers, form of payment payment
regulators)

Data not
provided

Undertake
recovery

Note: The decision tree presents a linear and binary set of events and decisions of one particular form of data theft incident. However,
in practice a data theft event often presents complex decision making challenges for the board and management based on imprecise,
unreliable and fast changing information. It is strongly recommended that appropriate external expertise is obtained to support sound
decision-making.
49
CYBER SECURITY GOVERNANCE PRINCIPLES

Appendix B:
Resources

1. Government and d. APRA, including

industry resources i. Prudential Standard CPS 234
a. ACSC, including: Information Security

i. Cyber security for small and ii. Prudential Practice Guide CPG 234
medium businesses Information Security

ii. Cyber security for large organisations iii. Insight article (November 2021):
and infrastructure Improving cyber resilience: the role
boards have to play
iii. Strategies to Mitigate Cyber Security
Incidents, including the Essential e. OAIC, including
Eight Maturity Model Cyber Incident iv. Australian Privacy Principles guidelines:
Response Plan Chapter 11: APP 11 — Security of
iv. ACSC Partnership Program personal information
v. ReportCyber v. Notifiable Data Breaches
vi. Alerts vi. CDR Privacy Guidelines

b. Cyber and Infrastructure Security Centre vii. My Health Record

c. ASIC, including: f. IDCARE

i. Cyber resilience good practices g. Australian Energy Sector Cyber

Security Framework
ii. REP 716 Cyber resilience of firms in
Australia’s financial markets: 2020–21 h. Council of Small Business Organisations of
Australia: Cyber Security Resources
iii. Market integrity rules for market
operators and participants

50
 Appendix B: Resources

2. International standards 4.  Research and reports

frameworks a. CSCRC:
a. NIST Cybersecurity Framework i. Smaller but Stronger: Lifting SME Cyber
b. NIST Zero Trust Architecture Security in South Australia (2022)

c. ISO/IEC 27001 Information ii. Case Studies

Security Management iii. Underwritten or Oversold? How cyber
insurance can hinder (or help) cyber
3.  AICD resources security in Australia
a. Course: The Board’s Role in Cyber b. Actuaries Institute: Cyber Risk and the role
b. Director tools (member only): of insurance (2022)

i. Information technology guidance c. Insurance Council of Australia: Cyber

Insurance: Protecting our way of life, in a
ii. Managing a data breach: Ten oversight digital world (2022)
questions for directors
d. National Cyber Security Centre (UK): Cyber
iii. Data and privacy governance Security Toolkit for Boards
a. AICD and Australian Information Security e. World Economic Forum: Principles for Board
Association research (June 2022): Boards Governance of Cyber Risk (2021)
and Cyber Resilience Study: Insights into f. ASX: ASX 100 Cyber Health Check
director views and current board practices Report (2017)

51
CYBER SECURITY GOVERNANCE PRINCIPLES

Appendix C:
Industry
requirements
and standards

APRA Prudential Standards: CPS 234 Information Security (CPS

234), CPS 220 Risk Management (CPS 220) and proposed CPS 230
Operational Risk Management (CPS 230)

CPS 234 aims to ensure APRA-regulated entities Separately, APRA requires comprehensive risk
takes measures to be resilient against information management practices under CPS 220 that are
security incidents, including cyberattacks, by relevant to how an organisation manages cyber
maintaining an information security capability risk, including a board approved risk appetite
commensurate with information security statement that covers material risks. Lastly,
vulnerabilities and threats. CPS 234 states “the APRA has proposed a new prudential standard,
board of an APRA-regulated entity is ultimately CPS 230, which will expand existing outsourcing
responsible for ensuring that the entity maintains and business continuity requirements.2 CPS 230
its information security”. will require more comprehensive approaches
to managing and overseeing material service
A key objective of CPS 234 is to minimise the
providers, including those providing key IT and
likelihood and impact of information security
digital infrastructure and services.
incidents on the confidentiality, integrity or
availability of information assets, including
information assets managed by related parties or
third parties.

52 2. CPS 230 was released for consultation in July 2022. At that time it was expected to be finalised in early 2023.
 Appendix C: Industry requirements and standards

Consumer Data Right (CDR) ASIC Market Integrity Rules

The CDR, under the Competition and Consumer ASIC Market Integrity Rules (the Rules) apply
Act 2010 (CCA), provides consumers with to networks (e.g. ASX) and participants (e.g.
improved access to, and control over, their data. securities trading firms). Under changes that
CDR is being implemented in a phased approach will commence in March 2023 the Rules will seek
sector-by-sector, beginning with the banking greater technological and operational resilience
sector, before being extended to other sectors through requiring:
including energy and telecommunications.
• business continuity plans that respond to
Implementation of the CDR is the joint major events that have the potential to
responsibility of the Australian Competition and cause significant disruptions to operations
Consumer Commission (ACCC) and the OAIC. or materially impact their services, such as a
The security and integrity of the CDR regime is significant cyber security event;
maintained by 13 privacy safeguards, contained in
the Competition and Consumer Act 2010 (Cth) • the board or senior management must have
and supplemented by the Consumer Data Rules, overall oversight of business continuity plans;
which is enforced by the OAIC. • adequate arrangements to identify, assess,
manage and monitor risks to ‘ensure the
My Health Records Act 2012 resilience, reliability, integrity and security of
The My Health Record system, established by the [their] Critical Business Services
My Health Records Act 2012 (Cth), is designed to • adequate arrangements and controls in
facilitate access by the healthcare recipient and place to ensure confidentiality, integrity
treating healthcare providers, to a summary of and protection of information. This includes
health information about a healthcare recipient. recovery backup systems.
The system requires that an organisation take
reasonable steps to protect healthcare identifiers
from misuse and loss, and unauthorised access, Australian Energy Sector Cyber
modification or disclosure. Security Framework
The supporting My Health Records Rules sets The Australian Energy Sector Cyber Security
out the security requirements that participating Framework (AESCF) is an energy sector industry
organisations must comply with to be eligible framework that has been developed by Australian
to be registered and to remain registered under Energy Market Operator, industry participants
the My Health Record system. The system also and governance agencies, including ACSC. The
requires a participating organisation to notify the AESCF is designed as a tool to assess cyber
OAIC of any data breaches. maturity and promote uplift in capability and
cyber resilience. The AESCF leverages existing
international standards frameworks, including
NIST, ISO 27001 and the US Department of
Energy’s Electricity Subsector Cybersecurity
Capability Maturity Model.

53
CYBER SECURITY GOVERNANCE PRINCIPLES

Appendix D:
SME and NFP
Director Checklist

1. Set clear Document where possible who has responsiblity for cyber security

roles and Appoint a cyber champion to promote cyber resilience and respond
to questions
responsibilities
Consider whether a director, or group of directors, should have a more
active role in overseeing cyber security

Collect data where possible on the effectiveness of cyber risk practices

2. Develop, Utilise the ACSC Cyber Security Assessment Tool to identify the
cyber security strengths of the organisation and understand areas
implement for improvement
and evolve a Assess whether utilising reputable external providers will enhance cyber
comprehensive resilience over managing in-house

cyber strategy Assess whether there is certain data (e.g. employee or customer data)
that does not need to be collected

Establish an Access Control System to determine who should have access

to what

Regularly repeat cyber securily training and awareness amongst

al employees

Promote strong email hygiene

54
 Appendix D: SME and NFP Director Checklist

3. Embed Patch and update applications and anti-virus software

cyber security Configure Microsoft Office macro settings (e.g. only macros from trusted
locations enabled)
in existing risk
User application hardening - limit interaction between internet
management applications and business systems
practices Limit or restrict access to social media and external email accounts

Restrict use of USBs or external hard drives

Restrict operating system and software administrative privileges

Implement multi-factor authentication

Maintain offline backups of key data

Ensure that departing employees or volunteers no longer have access to

systems and passwords

4. Promote Mandatory training and phishing testing for all employees and volunteers
where appropriate
a culture
Pick a staff member to be a ‘cyber security leader’ to promote strong
of cyber cyber practices and respond to questions from other staff
resilience Subscribe to ACSC alerts to stay across emerging cyber threats

5. Plan for a Prepare an incident response plan utilsing online templates if appropriate

significant If practical conduct a simulation exercise or test various scenarios against

the incident response plan
cyber security
Ensure physical back-ups of key data and systems are regularly updated
incident and securely stored

Maintain offline lists of who may assist in the event of a significant cyber
security incident and which key stakeholders to communicate with

SME AND NFP RESOURCES

1. ACSC: Cyber security for small and medium businesses

2. ACSC 24/7 Hotline on 1300 CYBER1 (1300 292 371)
3. Council of Small Business Organisations of Australia: Cyber
Security Resources
4. CSCRC: Smaller but Stronger: Lifting SME Cyber Security in
South Australia

55
CYBER SECURITY GOVERNANCE PRINCIPLES

Appendix E:
Glossary

56
 Appendix E: Glossary

ACSC has an extensive online glossary of cyber security relevant terms

available here.
ACSC Australian Cyber Security Centre

AFSL Australian Financial Services License

APRA Australian Prudential Regulation Authority

ASIC Australian Securities and Investments Commission

ASX Australian Securities Exchange

Cloud computing A service model that enables network access to a shared pool of computing resources
such as data storage, servers, software applications and services

Cloud service A company that offers some component of cloud computing to other businesses
provider or individuals

Essential Eight The eight essential mitigation strategies that the ACSC recommends organisations
implement as a baseline to make it much harder for adversaries to compromise
their systems

IDCARE Australia and New Zealand non-government identity & cyber support service

ISO 27001 International Standard Organisation 27001 Information Security Management

Malware Malicious software used to gain unauthorised access to computers, steal information and
disrupt or disable networks. Types of malware include Trojans, viruses and worms

Multi-factor A method of computer access control in which a user is granted access only after
authentication successfully presenting several separate pieces of evidence to an authentication
mechanism – typically at least two of the following categories: knowledge (something they
know), possession (something they have), and inherence (something they are)

NDB scheme Notifiable Data Breaches scheme

NIST National Institute of Standards and Technology (US)

NFP Not-for-profit; an organisation that does not operate for private benefit

OAIC Office of the Australian Information Commissioner

Penetration testing A method of evaluating the security of an ICT system by seeking to identify and exploit
vulnerabilities to gain access to systems and data. Also called a ‘pen test’.

Phishing Untargeted, mass emails sent to many people asking for sensitive information (such as
bank details), encouraging them to open a malicious attachment, or visit a fake website
that will ask the user to provide sensitive information or download malicious content

Ransomware Malicious software that renders data or systems unusable until the victim makes a payment

SME Small-medium enterprise

SOCI Act Security of Critical Infrastructure Act 2018

White box exercise A form of penetration testing carried out by an ethical hacker who has full access to the
system they are carrying the simulated attack on.

57
CYBER SECURITY GOVERNANCE PRINCIPLES

Acknowledgements About the AICD

The AICD and CSCRC would like to thank the The AICD is committed to strengthening society
following directors who gave generously of their through world-class governance. We aim to be
time and provided insights into best practice in the independent and trusted voice of governance,
the governance of cyber security, including the building the capability of a community of leaders
case studies included in these Principles: for the benefit of society. Our membership
includes directors and senior leaders from
• Kathleen Bailey-Lord FAICD, Director of QBE
business, government and the not-for-profit
Insurance, Alinta Energy, Melbourne Water
sectors.
and Datacom
• Catherine Brenner FAICD, Chair of Australian About the CSCRC
Payments Plus, Director of Scentre Group,
Emmi and The George Institute for The CSCRC is dedicated to fostering the next
Global Health generation of Australian cyber security talent,
developing innovative projects to strengthen
• Melinda Conrad FAICD, Director of ASX Limited, our nation’s cyber security capabilities. We
Ampol Australia, Stockland, Penten and The build effective collaborations between industry,
Centre for Independent Studies government and researchers, creating real-world
• Naomi Edwards FAICD, Chair of Spirit Super, solutions for pressing cyber-related problems.
Director of Tasmanian Development Board,
AICD and Propel Funeral Partners
• John M. Green FAICD, Chair of UOW Global
Enterprises, Director of Challenger and
the CSCRC
• John Mullen AO, Chair of Telstra, Chair of
Brambles and Chair of the Australian National
Maritime Museum
• Anne Templeman-Jones FAICD, Chair of
Blackmores, Director of Commonwealth Bank
of Australia, Worley, Trifork AG and the CSCRC
58
 Appendix E: Glossary

Disclaimer Copyright
The material in this publication does not Copyright strictly reserved. The text, graphics and
constitute legal, accounting or other professional layout of this guide are protected by Australian
advice. While reasonable care has been taken copyright law and the comparable law of other
in its preparation, the AICD and CSCRC do not countries. The copyright of this material is vested
make any express or implied representations or in the AICD and CSCRC. No part of this material
warranties as to the completeness, reliability or can be reproduced or transmitted in any form, or
accuracy of the material in this publication. This by any means electronic or mechanical, including
publication should not be used or relied upon photocopying, recording or by any information
as a substitute for professional advice or as a storage and retrieval systems without the written
basis for formulating business decisions. To the permission of the AICD and CSCRC.
extent permitted by law, the AICD and CSCRC
excludes all liability for any loss or damage arising
out of the use of the material in the publication.
Any links to third party websites are provided
for convenience only and do not represent
endorsement, sponsorship or approval of those
third parties, any products and services offered by
third parties, or as to the accuracy or currency of
the information included in third party websites.
The opinions of those quoted do not necessarily
represent the view of the AICD and CSCRC. All
details were accurate at the time of printing.
The AICD and CSCRC reserve the right to make
changes without notice where necessary.

59
 CYBER SECURITY GOVERNANCE PRINCIPLES
CCT-106-1_22

JOIN OUR SOCIAL COMMUNITY

60
aicd.com.au