BDO Australia’s national leader in cybersecurity, Leon Fouche, says incidents are increasing in frequency and cost.
Fouche says the average cost of a data breach in 2024 in Australia will be $4.03 million, with the healthcare and financial services sectors experiencing the most data breaches.
“This is also the highest cost to date. Of course, financial repercussions are not the only costs organisations face when they deal with a cyber security incident; reputational and operational damages can also derail the business,” Fouche says.
“Board members must actively participate in mitigating and preventing cyber-attacks. However, only 12% of S&P 500 companies have a current or former board member who is a cyber expert. This knowledge gap may harm your organisation now and in the future.
“How can you ensure your organisation doesn’t end up in the latest cyber security breach news cycle? It starts with asking the right questions,” he says.
Navigating today’s cyber security landscape: Areas of focus for boards
“Technology capabilities have grown significantly, empowering organisations to operate more efficiently and drive expedited outcomes. As technology increasingly intertwines with business objectives, board members must evaluate technology decisions similarly to strategic business decisions,” Fouche says.
“Just as the board guides an organisation’s business direction, it is now responsible for ensuring that the correct technology elements support the business strategy and that the right level of cyber risk tolerance is achieved and managed,” he says.
To ensure responsible oversight, the board should focus on the following areas:
- Strategic alignment: Ensure cyber security initiatives align with the organisation’s business and technological goals. To be proactive, boards should also consider future risks and trends.
- Regulatory compliance: Provide oversight of the organisation’s compliance with relevant regulations and laws. This includes confirming that the required audits and assessments are performed and that the board has insight and a clear understanding of the results.
- Governance and oversight: The board should oversee the organisation’s cyber security policies and strategies and ensure alignment with the overall risk management framework. They should also understand the organisation’s relevant cyber risks and ensure established policies support mitigation.
- Monitoring and reporting: Board members must receive regular updates regarding the organisation’s cyber health, including progress on critical cyber security initiatives, key metrics, and key performance indicators.
- Expert engagement: Engage with cyber security experts, either by appointing a cyber expert to the board, leveraging a Chief Information Security Officer (CISO) on the management team, or consulting an external Virtual CISO (vCISO). This will ensure the board is well-informed on emerging threats and trends.
- Cyber incident response: Ensure the organisation has a defined incident response programme and regularly reviews updates on the results of incident response testing. In a cyber incident, the board should oversee how the organisation communicates with the public and stakeholders.
Six strategies to increase cyber security knowledge
“Bridging the current knowledge gap is essential for boards to oversee their cyber security programme successfully. This will help ensure cyber security is adequately addressed in regular board meetings and allow boards to carry out their duties confidently,” Fouche says.
“Here are six strategies you can use to build your knowledge and become more prepared to integrate technology risk into decision-making processes:
- Establish regular cyber education sessions. Ensure you are getting regular updates about cyber security. During these sessions, carve out time to discuss the top risks in your industry and relevant experiences of similar organisations. Ask questions about what your business is doing to mitigate, prevent, or respond to the risk of those types of incidents happening to your organisation. The answers you receive may be vital in strengthening your organisation’s defence framework.
- Refocus the metrics and leverage industry benchmarks. It’s essential to shift the focus from technical metrics to common-sense metrics that highlight risk and value: for example, identifying the number of end-of-life systems with vulnerabilities and the controls in place to mitigate their risks, or discussing the complete costs of cyber breaches, which include the actual response team and legal support as well as the impacts on insurance premiums and the organisation’s revenue. Use industry benchmarks to compare your organisation with others in your vertical, helping you understand where the organisation stands and what improvements are required.
- Bring in external cyber security experts. By bringing in external cyber security experts, board members can enhance their knowledge and get support translating technology-focused information into risk-focused insights and strategies. Ultimately, adding a cyber seat to the board will offer regular access to the expertise you need that complements your organisation’s risk management, security, and technology teams.
- Conduct cyber simulations. To better understand cyber threats and how to respond to them, consider hosting facilitated incident simulations. These exercises will help you understand your role as a board member during a cyber event, the potential impacts, and the areas for continuous improvement in process flows, and they will help build muscle memory.
- Provide oversight during an incident. In the event of a cyber-attack, board members should actively engage with and receive updates from security experts and incident response teams. By staying updated on the progress and outcomes of an incident, they can offer independent oversight and ask questions to uncover any lingering risks. It’s also essential for boards to understand how the organisation plans to respond to future cyber-attacks.
- Look back with hindsight. What you can learn from close calls or even a previous cyber incident may stop it from happening again, especially since 83% of organisations have had more than one cyber security breach. Ask how often these close calls or actual incidents have happened and what the organisation has learned to identify gaps and develop appropriate measures.”
The board’s critical role in managing cyber risk
“The level of scrutiny surrounding the board of directors has changed in recent years,” Fouche says.
“After all, boards are there to help the organisation manage risk—including risks from cyber security incidents.
“In a recent Gartner study, 88% of boards of directors said they view cyber security as a business risk, highlighting the move to prioritise cyber security as a board focus.
“It is your fiduciary duty to provide independent oversight to manage the company’s cyber security posture and challenge your organisation in different ways to raise the bar for your defence framework,” he says.