AICD releases Cybersecurity Governance Principles for company directors and NFPs
There is no doubt that of the many challenges facing businesses today, it is cybersecurity and a business’s cyber resilience that are giving company directors sleepless nights, headlined by the recent cybersecurity breaches that have affected Optus and Medibank.
It is therefore welcome that the Australian Institute of Company Directors (AICD) and the Cyber Security Cooperative Research Centre (CSCRC) have recently released a set of Cyber Security Governance Principles (the Principles) which are intended to provide a clear and practical framework for businesses to improve their cyber resilience.
In particular, the AICD and the CSCRC have released five key principles and responsibilities for company boards and directors, being:
- to set clear roles and responsibilities for how cybersecurity risks are governed and addressed including the importance of having appropriate processes and delegations in place to oversee management’s actions;
- to develop, implement and evolve a comprehensive cyber security strategy which identifies the key digital assets and data of the organisation and accounts for the importance and potential risks associated with key third party suppliers;
- to ensure that cyber security is embedded in existing risk management practices and to regularly assess the effectiveness of cyber controls;
- to promote a culture of cyber resilience including regular, engaging and relevant training and incentivizing and promoting strong cybersecurity practices; and
- to plan and prepare for a significant cybersecurity incident including simulation exercises and scenario testing.
In addition to those key principles, the AICD and CSCRC have also provided a list of questions for directors to consider in determining the extent to which their organisation is complying with the Principles, as well as a list of ‘Governance Red Flags’ which indicate when each of the five Principles is at risk of not being complied with.
For small and medium enterprises (SMEs) and not-for-profits, the AICD has also released a checklist for directors containing practical steps and actions which can be taken to address the five key principles, in recognition of the fact that SMEs and not-for-profits are often key targets for cyber criminals, as those businesses often lack the resourcing and funding when it comes to cybersecurity.
A copy of the Principles can be accessed here.
This article provides general commentary only. It is not legal advice. Before acting on the basis of any material contained in this article, seek professional advice.
Paul Dugan would like to thank Lachlan Chuong for his assistance in preparing this article.
Cyber Alliance Group
Head to the Cyber Alliance Group website to find out more about our full-service cybersecurity offering and how we can assist your business.