Experts debate the need for a dedicated cyber expert in the face of rising directors’ and officers’ liabilities

Fewer than one in five companies in Australia and New Zealand employ a chief information security officer (CISO), according to a new survey into cyber security.

The research, conducted by advisory firm BDO and cyber consultancy AusCERT, found that only 18% of the 400 respondents worked for companies that employed a CISO. And more than 70% indicated that they never intended to fund a dedicated role to manage cyber security outcomes for their organisation.

The survey also found that fewer than half of respondents (48%) have a cyber incident response plan in place, and even fewer (41%) have a team or capability in place to respond to an incident.

BDO national leader for cyber security Leon Fouche said that the results highlighted that firms were relying too much on technical solutions.

“The people and process component of cyber defences must be addressed if organisations want to improve their cyber resilience,” he said.

“Getting back to basics and understanding the risks, defining baseline security standards to address these risks, and then enforcing these standards, while monitoring how well they are implemented, is critical to improving the maturity of a business’ cyber security posture.”

But Cybassurance chief executive Paul Looker said he didn’t see a need for all firms to have a CISO.

“To the contrary, I believe that IT security must be a culture or mindset that permeates the organisation, led by a very strong tone at the top. I believe a better outcome is to have the CEO, and his/her executive team actively participating in promoting IT security awareness training, and IT disaster recovery/crisis management plan practice exercises.”

According to the BDO/AusCERT survey, however, only 47% of respondents have implemented security awareness training for staff.

“Although businesses have adopted good security technologies, their cyber security processes and practices are relatively weak,” Fouche said.

“For example, 40% of organisations are able to detect security incidents, and 52% of organisations are performing regular security risk assessments which is great to see.”

But only 49% of organisations regularly report cyber risks to the board.

“It’s important the board and CEO continue to play an increasingly active role in the cyber security of their own business. After all, they are ultimately accountable for it.”

In fact, a recent ‘2017 predictions’ report by law firm Clyde & Co said that cyber would be an emerging threat to directors’ and officers’ liability.

This is largely owing to the expected introduction of mandatory breach legislation in Australia next year and the resulting potential for financial exposure and reputational damage to the company and directors, who may incur personal liability as a result of a data breach.

The new reporting framework is expected to apply not only to personal data held and collected in Australia, but also to data held offshore on behalf of Australian businesses.

“Directors will need to ensure that robust cyber resilience frameworks are embedded in their companies, consistent with the expectations of Australia’s corporate regulator,” said the law firm’s Dean Carrigan and Yvonne Lam.

But insurance broker Aon said that companies cannot necessarily rely on their D&O policies when it comes to a cyber breach.

“There remains still some naiveté regarding cyber exposures and the role that D&O coverage would play in the event of a data breach or cyber-attack,” the broker said in its H2 2016 insurance market update.

“Specialist cyber protection is generally a more appropriate way to transfer cyber risk than relying on D&O.”

Cyber coverage remains low in Australia with only about one in 50 organisations having any form of cover.

“The anticipated introduction of mandated data breach notification should spur organisations into action, preferably well in advance of the legislation coming into effect,” Aon said.


BDO/AusCERT research highlights

  • Many respondents have already taken up endpoint and gateway controls like anti-virus (93%), website and internet filtering (75%), and email filtering to block suspicious emails (91%)
  • 52% of respondents are performing regular security risk assessments, but only 49% regularly report cyber risks to the board
  • 40% of respondents can detect security incidents, but only 21% have a security operations centre in place to investigate and respond to security incidents
  • 48% of respondents have a cyber incident response plan in place and only 41% have a cyber incident response team or capability in place to respond to incidents
  • 44% of respondents have defined security standards for cloud and third parties or supply chain.