itSMF Bulletin July 2018 | Page 18

Understandably, the resources available to acquire expertise or to operate sophisticated data security systems will vary between organisations. To comply with their duties, directors should ensure that the organisation's response is commensurate with the risk. An organisation that faces a low risk of cyber attack may adequately comply with its directors' duties by including cybersecurity on the board agenda and having a cybersecurity policy in place.

Ways in which enterprises might comply with directors’ duties

Cybersecurity governance frameworks

The Office of the Australian Information Commissioner (OAIC) recommends that organisations have a data breach response plan. Where a cybersecurity incident occurs, such as a cyber-attack or theft of data, a board that can demonstrate it was aware of the cybersecurity risk and used a framework to mitigate it is less likely to be found in breach of its duties. A good example is the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which sets out best practices for how organisations might manage their cybersecurity risks.

The framework organises cybersecurity management into five core functions: Identify, Protect, Detect, Respond and Recover. In summary, they involve:

*Identify: developing an understanding of the overall cyber risk context, including asset management, the business environment and a risk management strategy;

*Protect: deploying safeguards, including access control;

*Detect: enabling timely discovery of breaches and anomalies;

*Respond: implementing plans to contain the damage and improve; and

*Recover: restoring capabilities so that the organisation can resume operation.

It can be useful to compare the organisation's current practices against the best practices set out in frameworks such as NIST's, so that directors can deal effectively with cybersecurity risks and comply with their duties.

Acquiring and structuring expertise

Ways in which directors might acquire IT expertise, so that the board has appropriate advice to exercise its governance duties, will vary depending on the organisation. Where a cybersecurity risk is identified, directors would be wise to consider adding IT expertise to the board, whether by appointing a board member with expertise in IT or by forming an IT board committee. Alternatively, the board may retain an external IT expert to advise it. The option chosen should reflect how the risk is structured through the organisation, as well as the organisation's size, scope and strategic reliance on IT. However, courts will understand that for some enterprises, such as not-for-profits, it may not always be possible to acquire expertise due to limited resources.

Response by Australian Red Cross Blood Service

Following the breach at the Australian Red Cross Blood Service, the OAIC conducted an investigation. The OAIC commended the Blood Service's quick response and handling of the breach, stating that overall the Blood Service acted appropriately and in a timely manner to rectify the data breach, and that its response provided a model of good practice for other organisations.
