Government seeks to hold company directors responsible for cyber attacks
Under a suite of reforms being considered by the Federal Government, board directors could be held personally responsible if a company suffers a cyber attack due to inadequate risk management.
Outlined in a discussion paper released to industry mid-year, the proposed cyber security governance standards would seek to improve cyber security risk management practices in listed companies and other large businesses. The standards would be co-designed with industry and could be mandatory or opt-in.
Quoted in both Information Age and The Age, Minister for Home Affairs Karen Andrews said the government was “taking action to mitigate the real and present danger that cyber-crime presents to Australians and our economy.”
Speaking with the AICD’s October Company Director Magazine, Australian Information Security Association President Damien Manuel said company directors need to “manage cyber as a business risk, rather than being obliged to tick a compliance box which won’t move the needle.”
The Australian Strategic Policy Institute’s Exfiltrate, encrypt, extort report argues ransomware is a threat that’s right here, right now and calls for:
- legal clarity around the issue of paying ransoms and mandatory reporting
- greater transparency in reporting, alerts and information about ransomware attacks
- incentivising cyber security uplift and a public education campaign highlighting the dangers of ransomware.
Find out more about practical steps you can take to understand and improve your organisation’s approach to managing risks.
Cyber in 5: Damien Manuel on why cyber is everyone’s issue
Damien was a guest speaker at a client roundtable in the first half of 2021. Here’s what he shared:
- Preventing incidents relies on the combination of people, process and technology – not technology alone. Senior risk leaders need the skills and support to become trusted advisers.
- Attackers will target you because of who you are, what you know, where you sit in the supply chain or information you have access to.
- Attackers range from script kiddies to terrorists, hackers and creative explorers, crime syndicates, trusted insiders, and state-based actors, who may be watching an individual or organisation for years before an attack.
- Links to criminal networks make state-based actors more sophisticated. Networks recruit from countries with large populations, making attribution difficult. Motivation varies for state-based actors.
- We might outsource services to third parties, but citizens expect safe and reliable services no matter what – they aren’t concerned who's managing it.