Company board members could potentially be held personally liable if their company suffers a cyber attack, Minister for Home Affairs Karen Andrews has warned, as the government continues tightening controls on the way companies manage ransomware and other cyber attacks.

A series of mooted policy changes – such as recent proposals to mandate reporting of ransomware payments, fine companies that don’t fess up, and ban insurers from paying fast-increasing ransomware payouts – reflect government concerns that escalating cyber security attacks are extracting an immense financial and operational toll.

“The government is taking action to mitigate the real and present danger that cybercrime presents to Australians and our economy,” Andrews said in announcing a new industry consultation and discussion paper floating ways to make directors more responsible for cyber risk.

“We cannot allow this criminal activity to become a significant handbrake on our economic growth and digital security.”

Boards of directors already manage a range of other risks – issues like business disruption from supply chain interruptions, natural disasters, staffing shortages, and global pandemics – but the proposed mandates would extend this by making them accountable for cyber security breaches.

“Consistent feedback to government has been that large businesses need to improve their management of cyber security risk,” the paper notes. “There is wide variation in the level of cyber security knowledge, including at the board level…. [and] it is widely accepted that cyber risks are an increasingly important set of risks that most large businesses… need to oversee and manage.”

“However, there is no explicit requirement that cyber security forms part of many existing obligations including those applicable to directors.”

Maintaining the status quo – allowing large businesses “to continue to manage cyber risks as they see fit” – will foster “significant variance” in companies’ cyber resilience, the paper noted, while voluntary governance standards could motivate government and private industry to “complement existing regulatory requirements”.

Mandatory standards “would result in improved management of cyber security risk”, the paper argues, noting that consumers and smaller businesses “would benefit from reduced costs of cyber security incidents”.

Yet mandatory standards “could also inter act poorly with other jurisdictions’ regulation of cyber security”, it notes – for example, dissuading multinational corporations from investing in Australia.

Variations on a theme

The proposed mandates echo CPS 234, an Australian Prudential Regulatory Authority (APRA) governance standard introduced in July 2019 that threatens significant penalties for directors of financial-services institutions that suffer cyber attacks.

Other industries remain far less woke when it comes to cyber: one recent Ponemon Institute study, for example, found that 94 per cent of Asia-Pacific CEOs don’t even talk with the chief security officers (CSOs) charged with managing cyber risk.

“I think there’s a lot going on within the organisations and in the press, but maybe not enough going on at the board level to give them confidence that their organisation is prepared for this growth in cyber security attacks,” Claire Pales, director of governance consultancy The Security Collective and co-author of a recent book on boards’ cyber security awareness, told Information Age.

“They may never have even met the cyber security people who are dealing with this day to day. They are getting dribs and drabs of information, and they’re not getting a clear view of whether or not the risk is being addressed.”

Just 37 per cent of CSOs in the Ponemon study said they ever report to company boards, with almost half of those saying that they only get to talk to the board about cyber risk after the company has suffered a security incident.

Board members often defer to one director who understands cyber security issues, Pales said, warning that stricter rules would push each board member to learn how cyber security affects their individual expertise.

Mandatory guidelines and direct liability “will scare a lot of directors”, she said, “especially those that may not be as technically savvy as they feel they need to be.”

“But I hope that it will spur boards to have more conversations with their security leaders, and to seek out education in this space.”

Growing awareness of cyber security “is going to be an education in the same way that modern slavery has been, and climate change has been,” she added.

“Board members can no longer think that the education and experience they’ve had in the past will be sufficient for them to understand this risk.”

Yet despite Andrews’s warnings, the changes could well prove too heavy-handed for a market that is still racing to keep up with the ever-changing cyber security threat.

“On balance,” the paper notes, “a mandatory standard may be too costly and onerous given the current state of cyber security governance, and in the midst of an economic recovery, compared to the benefits it would provide.”