Board cyber risk reporting - using APRA’s examples to build a reporting framework

Much has been said recently about boards becoming more aware of their organisation’s cyber risks, and what is being done to mitigate them. APRA’s CPS 234 Information Security regulation, which became enforceable on July 1st 2019, goes as far as to place responsibility for the oversight of an organisation’s information security directly in the hands of the board:

“The Board of an APRA-regulated entity is ultimately responsible for ensuring that the entity maintains its information security.”

There is no question that boards, and executives outside of IT, are demanding accurate and relevant facts regarding their organisation’s information security and other cyber-related risks. Cyber risk management strategies and issues must be reported to boards without obfuscation or the far-too-common “papering over the cracks.” Too many times I have seen the most important information, both good and bad, hidden in a swathe of unnecessarily technical gobbledygook.

Unfortunately, the hiding, intentional or otherwise, of important information in swathes of unnecessary detail is not limited to cyber risk. Directors are frequently overwhelmed by the volume of information provided to them in board papers, in some cases running to several hundred pages.

After many years working in various aspects of cyber risk, there is one consistent issue that I have rarely seen adequately resolved: the lack of effective communication of cyber risk issues and mitigation strategies from the IT security management “coalface” to executive leadership and the board.

One reason that many of my peers and I find this so frustrating is because it doesn’t help anyone. The IT and IT security functions are better served when both executive leadership and the board understand the magnitude, and potentially devastating impact, of the cyber risks their organisation faces. Visibility into control capability gaps and the remediation strategies for cyber risks helps drive prioritisation of the IT security budget.

Leaders demand to know more about their cyber risks and the steps that are being taken to mitigate them. APRA has regulated board responsibility, and this may be a sign of things to come for unregulated organisations. Certainly CPS 234 and CPG 234 are “best practice” guides for information security management, and any organisation would benefit from aligning its own cyber risk management strategies with them. Also, under CPS 234, responsibility for ensuring that unregulated third-party service providers are prepared for cyber incidents lies with the regulated organisation, so the “tendrils” of CPS 234 extend outside of regulated entities.

In its CPS 234 Practice Guide (CPG 234), APRA have helpfully provided some “examples of information that could be provided to the Board and management as part of their oversight of information security.” I have analysed the value of these examples with colleagues in cyber risk and information security as well as board directors. These stakeholders each have their own unique perspective of what is interesting, important, and essential information for management and boards to be familiar with. We believe that with some adjustments and a data collection, analysis and reporting framework, the APRA examples can provide a solid basis for concise and effective management and board cyber risk reports.

Taken at face value, the categories are straightforward: “Capabilities; Incidents; Controls and Education.” Once broken down to the source documents that are required as input to these categories, there could be a requirement to review and report on at least 40 different sets of information for a single entity. It is easy to see how the board reports can become so large and unwieldy. Also, as part of good governance, this information needs to be assessed as to currency and quality. Executives and boards need to know that they are reading from the most current and accurate playbook.

There are areas of cyber risk management that are notably missing from the APRA examples and should also be built into the reporting framework. One example is regulatory compliance outside of APRA, which is especially important for organisations that do business in other jurisdictions with their own privacy regulations, such as the EU and, more recently, California. Another example is insurance. Whilst CPS 234 is strong on incident response planning and testing, nothing is mentioned regarding the role of cyber insurance in incident response and financial resilience. Directors and officers of companies should also be aware of their potential liabilities from cyber incidents and of how both cyber and directors & officers insurance can respond in various scenarios.

With a process of distillation and information-gathering governance, it is possible to improve and refine the examples given by APRA to provide succinct cyber and information security risk reports for management and the board. The result is a customised and accessible cyber risk board reporting framework that those accountable for reporting can use to provide regular or bespoke reports in a format and terminology that management and the board are familiar with. When built on APRA’s own examples, the reporting framework is designed to withstand regulator scrutiny. An effective framework will lead to better communication of cyber risk and mitigation strategies, along with a streamlined reporting process. This leads to a better understanding of an organisation’s past, current and planned cyber risk management issues and strategies.

It is not possible to guarantee that an organisation is immune from a damaging cyber incident. Effective dissemination of information around cyber risk management brings any resilience issues to light for management and the board. Increased understanding of cyber risk management will also improve the organisation’s cyber risk culture and assist in reducing the scale of post-incident impacts, for example damage to brand and reputation.

For years now it has been hard to find an article on cyber risk that doesn’t mention somewhere that IT security and resiliency are “…a business risk, not just an IT problem.” By this rationale, all business leaders should have access to, and the opportunity to question, effective cyber risk management reports.

Please contact the CAP if you would like to discuss cyber risk board reporting.
