“With the digitisation of everything, rising surveillance capitalism, intensive national security monitoring and large intelligence gathering activities, organisational boards worldwide have moved beyond seeing privacy as just a compliance line item” 

(Australian Institute of Company Directors: The New Governance of Data and Privacy)

Boards need to be considering where Cyber Risk (and Opportunity) sits within their organisations. How do new data-driven business models and value-chains enhance, or threaten, what they are doing? APRA CPS 234 has lifted the game by tasking Boards with accountability for Cyber Risk management – ensuring capabilities commensurate with the threat. Cyber Risk is fast becoming a whole-of-business problem, not just an IT problem. Boards should consider their Cyber liabilities as seriously as they consider their financial liabilities. Equally, there is no substitute for improving cyber resilience and communicating the business impacts to the business stakeholders. It is a business problem requiring a transformation of corporate security culture. Organisations should beware of the temptation to bury the problem under cyber insurance, or delegate it to their IT department.

Questions for Boards:

  • What is your Cyber Strategy? (Do you have one?) What is the impact of a breach on the customer? How do you deal with victims of cybercrime?
  • How do you protect your relationship with customers, from a Cyber perspective? (Cyber trust)
  • What is at risk within your organisation? Where is it?
  • Potential GDPR liability? (Boards are now liable)
  • NIST Framework – how mature is the organisation in these areas? (Identify/Protect/Detect/Recover). Have you prioritised where you need to invest?
  • What privacy processes are in place?
  • Where is Cyber discussed? Dedicated Cyber committee? Audit/Risk Committee? (Cyber is no longer just an IT problem)
  • Does the organisation value data & privacy? (Tricker model)
  • ‘Future-proofing’ the Board: how do new data-driven business models and value-chains enhance, or threaten, what the entity is doing? What new laws must be adhered to? What new technologies can be deployed?
  • Who has overall responsibility and accountability for privacy practice? (Are there metrics in place?)
  • In what ways is the data the entity holds an asset? A liability?
  • What knowledge/expertise does the board require to help it make decisions about deriving value from, and protecting, the data?
  • Has an IT Governance Framework been established?

NIST Framework (NIST.gov)


Where does Cyber Risk fit within the overall Risk Management framework? Driving the right decisions and actions requires a cultural shift with a quantitative and qualitative approach.

1. The impact of Cyber Risk is no longer just an IT issue. Cyber Risk professionals are competing for focus and funds to create relevance and buy-in from top management.

2. A quantification approach to Cyber Risk helps to improve the perception of risk, so that decisions are made by design and not by default, with a taxonomy for stakeholders.

3. APRA standard CPS 234 is a new requirement for organisations, but not a new responsibility – it simply raises the bar for compliance driving actions.

4. Incentives influence choices towards Cyber Risk appetite as a cultural change within organisations. The recent enforcement of the standard signals a paradigm shift, where Cyber Risk is now recognised as a material business risk. 

(Source: Kerry McGoldrick of ShineWing. The impact of Cyber Risk, FAIR Institute Sydney)

Recommended Reading:

“Cyber Risk Leaders” (Shamane Tan) – discusses leadership and influence in the Cyber Age, offering advice from battle-hardened CISOs in Australia and from around the world: https://www.mysecuritymarketplace.com/product/shamane-tan-apac-executive-advisor-privasec/

One in five CISOs are now reporting directly to the CEO: https://www.linkedin.com/posts/wandenny_itwire-business-leaders-focus-on-rising-activity-6565048588701843456-19lo 

Cyber insurance is not a panacea for managing cyber risk: https://www.linkedin.com/posts/wandenny_demand-for-cyber-insurance-grows-as-volatility-activity-6564706912934469632-NkDe