(Australian Institute of Company Directors: The New Governance of Data and Privacy)
Boards need to be considering where Cyber Risk (and Opportunity) sits within their organisations. How do new data-driven business models and value-chains enhance, or threaten, what they are doing? APRA CPS 234 has lifted the game by tasking Boards with accountability for Cyber Risk management – ensuring capabilities commensurate with the threat. Cyber Risk is fast becoming a whole-of-business problem, not just an IT problem. Boards should consider their Cyber liabilities as seriously as they consider their financial liabilities. Equally, there is no substitute for improving cyber resilience and communicating the business impacts to the business stakeholders. It is a business problem requiring a transformation of corporate security culture. Organisations should beware of the temptation to bury the problem under cyber insurance, or delegate it to their IT department.