COMPANY DIRECTORS & CYBERATTACK RESPONSIBILITY

COMPANY DIRECTORS & CYBERATTACK RESPONSIBILITY

Along with increased public and media scrutiny and more onerous duties, Australian directors are now also responsible for every cyber-attack on their business.

This at a time when security breaches have jumped by 18%[1] in the last year and where each attack is estimated to cost on average $2.5 million[2].

Recent changes from the Australian Prudential Regulation Authority (APRA), means directors need to be ready –  and quickly. Read more here about the recent changes and what directors can do to manage their new responsibility and increased personal risk.

On July 1, 2019, APRA introduced a new mandatory regulation – CPS 234 – to minimise the likelihood and impact of information security incidents, such as cyberattacks, at APRA regulated entities.

CPS 234 means that banks, credit unions, insurers, building societies, and super funds throughout the country are now required to develop and maintain security systems equal to the level of threat posed to their assets.

Few would argue that imposing minimum security standards on institutions that hold sensitive information about their  customers and clients is an appropriate and critically important measure in this day and age.

APRA is so concerned about the growing frequency and sophistication of cyberattacks on Australian financial services companies that it has placed ultimate responsibility for information security on the Board.

Not only must APRA approved entities understand their information assets and cyber risk profile, the boards of these companies are forced to take an active role in all cyber security matters to fulfil their legal and regulatory requirements.

This decision by APRA is part of a growing recognition that businesses need to be vigilant and capable of dealing with cyber-security threats. Those that are seen to have failed in their management and response to a risk event, are increasingly on the receiving end of lethal backlash from the media and the public.

Maintaining public confidence and trust during a crisis requires effective co-operation and co-ordination with external audiences and stakeholders.

Cyber crisis is often complex and difficult to manage. It carries greater uncertainty for many organisations due to a lack of understanding and skill in how to identify and respond to these types of threats.

Success relies on a solid crisis communications plan. Businesses must then continually stress test the systems, processes, and people responsible for information security. Being prepared is vital.

Only then, will your board and management team be ready to move quickly, with an agreed approach to handle a cyber incident when it arises.


[1] 2019 Ninth Annual Cost of Cybercrime Study.

[2] 2017 Ponemon Cost of Data Breach study.