Governance and Risk Management Being Tested in Cyberspace

Companies’ governance and risk management capabilities are being tested in cyberspace, where the threat landscape is constantly evolving. 

In Australia, the capacity of businesses to respond is being hampered by a skills shortage that stretches from under-resourced cybersecurity teams to the boardroom, where recent research reveals that directors are too often well versed in financial and geopolitical risk, but not digital risk.  

The issue has been highlighted by a recent series of high-profile corporate data breaches, and investors, regulators and politicians are now pressuring companies to do more and to be more open about how they are protecting themselves and their stakeholders from cyberattacks. 

In September, telecoms company Optus, which is Australia's second-largest mobile operator and a unit of Singapore Telecommunications Ltd, reported a data breach that exposed personal customer information, impacting almost 10 million current and former customers. 

Then health insurer Medibank Private Ltd revealed that a raft of personal details belonging to a similar number of current and former customers, and associated representatives, had been stolen from the company. 

The negative impact of such cybersecurity failures on the brands and reputations of companies may be considerably exacerbated by subsequent events. In the case of the Optus data breach, for example, frustrations with what was perceived to be poor corporate communications and customer service continued to generate negative headlines and batter the company’s public image for weeks as disgruntled customers reported difficulties in determining the extent to which they had been affected. 

Similarly, Medibank’s apparently contradictory reporting on the extent of their data breach, and ongoing news reports regarding their dealings with the criminals seeking a ransom from the company, ensured that their brand continued to be dogged by unwanted publicity over an extended period. 

In the wake of the Opus incident, a raft of breaches or attacks were subsequently revealed by other companies operating within Australia apart from Medibank. This spate of reports partly reflects greater transparency by companies, as well as increased media interest in the topic. However, the release by the Australian Signals Directorate (ASD) of its Annual Cyber Threat Report in November underscores the mounting dangers that cyberspace poses for organisations today, with the Federal Government agency warning that it has become “a battleground” and is “increasingly the domain of warfare”. 

The ASD said its Australian Cyber Security Centre received more than 76,000 reports of cybercrime in the 2021-22 financial year, equating to an average of one every seven minutes, an increase of 13% compared to the previous financial year. 

Contributing factors to this increase were the fact that data is becoming more valuable to malicious actors, and that digital technologies have made traditional crimes like extortion, identity theft and fraud far easier to replicate at scale. 

Experts have warned that given the current state of technology, cyberattacks cannot be avoided. However, the associated risks and costs can be reduced towards acceptable levels if companies are well prepared to actively defend against, and react to, such threats. 

In such a business environment, a lack of technology skills in the boardroom is a dangerous shortcoming. However, it is unfortunately not uncommon in Australia, where many directors still have hurdles to clear before they can help to lead, rather than simply observe, the digital transformation of the global economy that is currently underway. 

A recent report by The Governance Institute of Australia, Driving the digital revolution: A guide for boards, surveyed almost 500 CEOs, directors and senior managers, and found that many lack tech skills and are struggling to keep up with the fast-changing cyber landscape. 

In the survey, 41% reported that less than a quarter of their board members have technology skills as part of their core skill set, and 13% have no directors with digital skills, while 21% of respondents have no digital transformation underway at their organisation. 

Governance Institute CEO Megan Motto says the recent spate of cyber incidents in Australia should be seen as a wake-up call that this is not acceptable. 

“This area of risk is enormous, unpredictable and rapidly evolving,’’ says Motto. “These incidents must absolutely serve as a reminder to boards and senior managers about the need to prioritise digital as a matter of urgency, and it would certainly be sensible though for all organisations to take stock of their current levels of risk across all key areas, update their risk registers and ensure they are planning and preparing accordingly.’’ 

The Governance Institute report notes that corporate leaders who are uneasy about technology and ill-equipped to manage digital strategy are likely to be more risk-averse on issues like cybersecurity, which can stifle action and innovation.  

To ensure they are ready to meet today’s challenges, it is incumbent upon boards of directors to improve their ability to adapt rapidly to changing circumstances and to deepen their understanding of cyber risk, whether through education and training or through board diversity and renewal.