The Australian Information Security Association (AISA), in collaboration with the Australian Institute of Company Directors (AICD), recently released a study on Boards and Cyber Resilience. The survey found that although the majority of Australian directors consider cybersecurity a high priority, there is little formal governance by company boards to reflect this.
The AISA survey examined 850 Australian directors and revealed that only 53% of directors had an established cybersecurity framework or strategy. Moreover, only 43% of the directors’ boards were receiving regular reporting on cyber incidents.
Key findings of the survey include:
- director awareness of threats, rather than actual attacks or increased Government regulation, is driving increased cyber investment
- directors can do more to improve their cyber skills and build stronger cyber governance practices
- cybersecurity is regarded as a material risk yet there is a lack of internal frameworks to manage cybersecurity
- directors of small and medium enterprises, not-for-profits, and public organisations need greater support to overcome resource constraints and improve cybersecurity resilience, and
- almost all Australian organisations have characteristics that make them susceptible to cyber-attacks.
Beyond cybersecurity governance practices, the survey includes responses regarding directors’ cyber capabilities, incidents, investments, and insurance. The results across all of these areas generally indicate an upward trend in boards’ awareness of and focus on cybersecurity, but there remains a need for more consistent and widespread adoption of oversight and action at the executive level.
For a full reading of the findings, see here.
We regularly advise clients on their cyber security obligations both from a contractual and regulatory perspective. Please contact us if you need any assistance with your cyber security legalities.