With recent incidents demonstrating the enormous reputational and business risks cybercrime creates, it is little surprise cybersecurity is now the key issue for organisations and their boards in 2023. King & Wood Mallesons’ recent 2022 Digital Future Summit heard from leading experts, boards and business leaders on what this new heightened risk environment means for organisations and boards. In this article, we round up the top 10 takeaways for boards on cyber from the Digital Future Summit. Links to watch the full session on demand or listen to a podcast version can be found below.
You must take cybersecurity very seriously
The overarching message to boards was clear: we are at a moment in time where you must take cybersecurity very seriously. You have to immerse yourself in it. You have to know what the risks are, take all reasonable steps to mitigate them, and know how you will respond to cybersecurity incidents.
Data is a valuable strategic asset for organisations. But the level of cybercrime and malicious activity is increasing with the level of society’s digital adoption. Data should be treated as nuclear fuel. Use it for its intended purpose, extract the maximum value from it, store it carefully and appropriately, and dispose of it meticulously.
Educate yourself
Boards need to properly engage with cybersecurity. At a minimum, make sure you understand:
- what cybersecurity risks are
- what the minimum and best practice cybersecurity standards are
- the ACSC’s Essential Eight
- your legal obligations, including compliance with the Privacy Act 1988 (Cth) and the Security of Critical Infrastructure Act 2018 (Cth) (if it applies to you)
- for listed organisations, how ASX continuous notification obligations would affect your cybersecurity response and
- what your cybersecurity insurance covers.
You should also understand the ‘Five Knows of Cyber Security’ when it comes to protecting data across your organisation:
- know the value of your data
- know who has access to your data
- know where your data is located
- know who is protecting your data and
- know how well your data is protected.
The person whose data it is will often be in the best position to protect themselves
Responding to cybersecurity incidents is often particularly challenging because the organisation will be dealing with incomplete and changing information. For incidents that involve personal information, the organisation may not know at the outset exactly what information has been stolen or lost. Boards should be guided by the principle that the person whose data it is will often be in the best position to protect themselves. That means that if a company develops a reasonable basis to believe that personal information relating to its customers may have been leaked, it should tell those customers as soon as practicable. Communications with the public should be honest, prompt and updated as new information comes to light. Often, an organisation cannot provide all information up front, but it can be on the front foot with communications and update customers as soon as possible.
Promote and develop a culture of cyber resilience
It is important for every organisation to have a culture of cyber resilience. That involves having a common language, personal responsibility, ownership, and an ethos of speaking up and rewarding transparency. It also involves regular cybersecurity training, clear roles and responsibilities and response plans that are current, practised, adaptable and strong, all with regular and consistent governance.
Do an inventory of every computer system that exists across your organisation and assess it
One of the first practical steps for boards to take is to do an inventory of every discrete computer system that exists across the organisation and then apply the lens of the Essential Eight or a similar framework. The Essential Eight is a set of Government-endorsed baseline mitigation strategies designed to make it harder for adversaries to compromise systems. It includes advice on applying security patches, restricting administrative privileges and implementing multi-factor authentication. Applying the lens of a framework such as the Essential Eight will clarify what your organisation is doing well and how it can improve its basic cybersecurity defences.
Other frameworks include the NIST Cybersecurity Framework and the APRA Prudential Standard CPS 234 (Information Security).
Implement active, passive and soft defence strategies
Every company should implement minimum cybersecurity strategies – and ideally go far beyond that. A helpful way to conceptualise cybersecurity strategies is to categorise them into soft defences, passive defences and active defences:
- soft defences are the people-related defences. These include training and a cyber resilient culture where speaking up is encouraged and all staff are alert to cyber risks
- passive defences are the network hygiene defences most often implemented by the organisation’s IT staff. These defences include patching software, firewalls, encryption, administrative rights, multi-factor authentication and audits and
- active defences are the defences that involve monitoring systems, detecting risks and responding quickly and effectively if a cybersecurity incident occurs. Every organisation should have a thorough and up-to-date cyber response plan, which includes a plan to mitigate the harm from the incident, compliance with notification obligations, and a communications plan (including communications to staff, customers, suppliers, investors, law enforcement, the media and other stakeholders). The plan should clearly set out who will be engaged in the response and when.
Engage external experts to test compliance
Regularly engaging independent, external experts is a prerequisite to boards being comfortable with their organisation’s cybersecurity practices. Independent parties can certify an organisation’s compliance with cybersecurity preventative measures, including compliance with the Essential Eight. A good ethical hacker will test every important aspect of the organisation’s cybersecurity defences. Tests should be regular so you can be comfortable that you remain protected as attacks become more sophisticated.
Engage experts with technical and legal expertise
It is important for boards to engage experts who can help them navigate the organisation’s technical defences and legal obligations when it comes to cybersecurity. A board needs to be receiving different perspectives so it can properly assess its risk profile. An organisation’s preparedness for a cyber incident is rarely black and white.
The board should also retain key advisors who it will rely on in the event of a cybersecurity incident. Advisors should know the organisation’s business. The organisation’s lawyers should ideally already be on a retainer and approved by the insurer.
Do simulation testing
Simulation testing is critical to test your organisation’s preparedness in the event of a cybersecurity incident. You should engage third parties to perform unannounced tests, ranging from phishing exercises to full-blown attacks. You should feel pressure and stress in those simulations or else they are probably not worthwhile.
Know what you would do if a threat actor demands a ransom from you
A key question facing any organisation that has been hacked, had its systems encrypted or had its data stolen is whether it should pay a ransom. The majority (54.1%) of survey respondents to King & Wood Mallesons’ 2022 Directions Survey indicated they did not support paying a ransom. Just over one third (33.9%) supported payment of a ransom if needed to provide continuity of essential services. Only 30.3% of survey respondents supported an outright ban on making ransom payments. It is important for each organisation to have debates in advance of a cyberattack to decide whether it would pay a ransom and, if so, in what circumstances.
You can watch all sessions from KWM’s 2022 Digital Future Summit on-demand here.
Thank you again to our excellent panellists in Session 8 of the Summit “Cybersecurity – Today and Tomorrow”:
Rachael Falk, CEO, Cyber Security Cooperative Research Centre
Andy Penn, Chair, Cyber Security Industry Advisory Committee and former CEO, Telstra
Catherine Brenner, Chair, Australian Payments Plus and NED, Scentre, Emmi, The George Institute for Global Health
Mike Hawker AM, Deputy Chair, BUPA and NED, Westpac, Washington H. Soul Pattinson, MCA
Cheng Lim, Partner, King & Wood Mallesons