Board cyber risk reporting - using APRA’s examples to build a reporting framework
Much has been said recently about boards becoming more aware of their organisation’s cyber risks, and what is being done to mitigate them. APRA’s CPS 234 Information Security regulation, which became enforceable on July 1st 2019, goes as far as to place responsibility for the information security of an organisation directly in the hands of the board:
“The Board of an APRA-regulated entity is ultimately responsible for ensuring that the entity maintains its information security.”
“I’ve heard that cyber insurance doesn’t pay out!”
My second favourite: “we don’t need cyber insurance; we have next generation firewalls!” Both are false statements and yes, I’ve had more than a couple of IT leaders tell me that their excellent perimeter controls mean that they are unlikely to have a cyber incident that would impact the organisation sufficiently to need insurance.
Are you prepared for a cyber incident? Are your customers and service providers?
It seems like a straightforward question. What do we do in the event of a cyber incident?
Cyber incidents take many forms. These can range from ransomware attacks, through to social engineering fraud, system failures and targeted hacking campaigns. All of these can have a major impact on an organisation and lead to serious financial losses and damage to brand and reputation. Being unprepared will make the impact worse.
Australian Insurance Law Association (AILA) National Conference 2019 – presentation and 6 Questions for Leaders
I was very fortunate to be invited to present on cyber risk at the AILA National Conference on the 31st October. The conference was excellent with many interesting topics covered including autonomous vehicles, cladding, class actions and an introduction from Chief Justice Allsop.
On average a cyber crime in Australia is reported every 10 minutes.
ABC news 9 October 2019: “There have been more than 13,500 reports of cybercrime from individuals and business to the Australian Cyber Security Centre (ACSC) in the past three months, which equates to one case being referred every 10 minutes.”
“Boards must pay attention.” The Australian newspaper Cybersecurity Special Report
On October 9, 2019, The Australian released a “special report” liftout regarding cyber security. On the front page of the report was an excellent article by James Dunn that outlined the responsibilities of the board when it comes to cyber risk management.
“Our 3rd party service provider’s systems are unavailable, it’s not our fault!” 3rd party service provider risk. Part 1 – Recent issues.
Have you heard this before: “Our data is all stored in the cloud so it’s totally secure” or “we have guaranteed 99.9999% uptime (6 nines!) as we use the cloud”?
“Our 3rd party service provider’s systems are unavailable, it’s not our fault!” 3rd party service provider risk. Part 2 – Risk and liability management.
The larger and more regulated an entity is, the more likely it is to have one or more teams that look specifically after 3rd party service providers. They investigate important details like service level agreements (SLAs), contract small print, termination of contracts and limitations of liability.