Australia’s largest director advocacy-and-guidance outfit, the Australian Institute of Company Directors (AICD), is urging boards to consider their supply chain risk and data governance requirements as it refreshes its flagship cyber principles.

Initially released in October 2022, the Cyber Security Governance Principles offer critical guidance for directors trying to navigate Australia’s ever-changing cyber threat landscape.

While its first iteration achieved some 25,000 downloads, garnered positive industry feedback, and received strong support from the federal government (according to AICD head of policy, Christian Gergis), the principles have now been updated to include some much-needed advice on managing risk from third-party suppliers.

“Given the scale and speed of change, the updated principles reflect the evolving cyber threat landscape and best practice cyber resilience strategies,” Gergis told Information Age.

“Significant changes in version two of the principles have [included] new guidance on digital supply chains and oversight of key third party suppliers.”

After 2024 saw data breaches at such notable vendors as Fortinet, Microsoft and Snowflake, the principles now include a dedicated section on “cyber supply chain risk”, which encourages directors to clarify the role, value, and risk of their third-party providers.

Produced in conjunction with the Cyber Security Cooperative Research Centre (CSCRC), the principles point out that since organisations are increasingly reliant on third parties and software-as-a-service solutions, it is crucial they create a “map” of their supply chain, identify key providers, and determine which third parties supply business-crucial services.

“Many organisations of all sizes have a cyber supply chain where goods and services that are essential to the operation of the organisation can be jeopardised by an external cyber failure or event,” read the principles.

Performing such mapping might include “understanding the location and ownership structure” of a given provider, “monitoring” their cyber security posture, and attaining visibility of how a key provider utilises its own subcontractors or partners in delivering its service.

Citing this year’s global IT outage which was kicked off by a botched update from security vendor CrowdStrike, the updated principles urge boards to consider redundancy for key services or products where possible.

“In the wake of CrowdStrike, prominent directors reflected publicly on how the incident was a wake-up call on critical vulnerabilities and how boards and organisations must plan for these events,” read the principles.

The principles also point out the effectiveness of “supplier diversification” and data backups in mitigating supply chain risk.

Fresh outlook on data governance

The updates to the principles also include new guidance on “data governance practices”, alongside an expanded section on effective cyber incident response and recovery.

The guidance highlights the Office of the Australian Information Commissioner’s (OAIC) ongoing civil proceedings against health insurer Medibank for its 2022 data breach, during which the commissioner alleged Medibank failed to implement appropriate data protection measures.

“The OAIC claims before the court serve as an example of heightened regulator focus in Australia on cyber security,” read the principles.

The latest version of the guidance suggests that identifying “key digital assets” (and who has access to them) is “core to understanding and enhancing cyber capability”, while some “governance red flags” might include an organisation’s lack of a “data governance framework to guide how data is collected, held, protected and ultimately destroyed”.

The AICD has also updated its guidance in consideration of Australia’s regulatory changes, including the recently passed Cyber Security Act and amendments to critical infrastructure obligations.

Finally, the principles include a specific checklist for Aussie small and medium enterprises and not-for-profits, many of which Gergis said still “struggle when it comes to cyber security”.

“These principles will help Australian directors build a strong understanding of what ‘good’ looks like in relation to cyber governance and help keep Australian organisations and the community safer in our digital world,” said CSCRC chief executive, Rachael Falk.