Swimming with the sharks - Board accountability in a cyber-hostile world
Based on an interview with Theo Psychogios, Financial Advisory Partner and Ben Davis, Security of Critical Infrastructure Principal.
Imagine waking up on Saturday morning, 5 June, and looking forward to a relaxing weekend. You turn your mobile on, and urgent texts instantly grab your attention. You’re suddenly wide awake, heart pounding – and in dreadful anticipation, you open the link to the latest media headline about your company:
“Hackers breached Colonial Pipeline using compromised password.”
Like sharks, cyber hackers lurk in the shadows waiting to strike
For organisations, we've reached a tipping point where the prospect of dealing with a cyber-attack isn’t a matter of if, but when. It’s time to have some uncomfortable, but ultimately constructive, conversations at Board level to truly understand the challenging environment businesses and governments operate in.
Colonial Pipeline is just one recent example. There are many more, like this one:
“Hackers demand $92m in bitcoin for data stolen during attack on US IT company Kaseya."
”This ‘gargantuan’ cyber-attack affected 1,000 companies that relied on the IT services provided by Kaseya. All over the world, there will be many more attacks. And more often, quickly, and devastating.
So, are you ready for an (un)expected attack?
Here in Australia, our Commonwealth Government is reforming its Security of Critical Infrastructure Act (SOCI). Why? Because the nature of threats to our national critical infrastructure are broader than before, and the likelihood of further attacks is reasonably foreseeable. As far as the Commonwealth is concerned, Boards and Directors need to prepare for material risks, and avoid or minimise their impact.
The revised Act has resulted in interesting tension: between the Government’s good intentions to protect our economic and social scaffolding – by holding infrastructure stakeholders accountable through new due diligence, risk mitigation and governance obligations; and murmurings in the business world that the new legislation is too complex, onerous and costly to comply with.
Theo Psychogios, Financial Advisory Partner, explains that his conversations with Chairs and Non Executives about this hot topic focus on changing perceptions; from avoiding short term ‘pain and costs’, to deciding to make investments now for a stable future with no nasty surprises.
“Historically, conversations about cyber and cyber threats have been about just that; now they’ve expanded to become much more holistic, because their reach is extensive – from compromised supply chains, to technology assets, infrastructure, operations and IT. The nature of cyber-attacks has also diversified, making organisations’ preparedness more important than ever,” says Theo.
Ben Davis, Security of Critical Infrastructure Principal, agrees. “We know the legislation is changing, and we know why. The Commonwealth has provided a clear direction, but it’s also creating grey areas that organisations will need to traverse. We need to look more closely at the roles and fiduciary responsibilities of Board Directors. Energy, water, gas, transport – these are all delivered through critical infrastructure assets that millions of Australians rely on every day. And Directors have an implicit obligation to look at all the risks that could affect their ability to operate.
“Boards are becoming increasingly liable for not having the right mechanisms in place to protect against a host of potential threats. Directors are expected to take responsibility. Increasingly, we’re talking to Boards about expecting – and anticipating – cyber-attacks and their (too often) detrimental domino effects,” says Ben.
