In an era of escalating cybercrime sophistication, board directors must proactively invest in cyber resilience to stay ahead of threats. With cloud exploitation surging and “breakout time” of cybercriminals reduced to less than 90 minutes, the need for swift and effective cybersecurity response measures is greater than ever.
Understanding the Threat Landscape
The 2023 Global Threat Report by CrowdStrike, a cybersecurity leader, highlights the increasing opportunism of cybercriminals. These “cloud-conscious” threat actors have become more numerous and their exploits more troubling, given the rising reliance on cloud environments across industries. This trend underscores the urgency of maintaining vigilance and of being able to respond within the average breakout time of less than 90 minutes.
The Legal Implications of Cyber Attacks
The Australian Securities and Investments Commission (ASIC) and the Australian Prudential Regulation Authority (APRA) have reinforced that cyber resilience is the board’s responsibility. High-profile cybercrime incidents and legislative reforms such as the Security of Critical Infrastructure Act 2018 (Cth) and APRA’s Prudential Standards reflect this focus. Directors could potentially face personal liability, including “stepping stone liability,” where a breach of directors’ duties is established by a failure to prevent the organisation from breaching the Corporations Act 2001 (Cth).
The Importance of Proactive Investment
A reactive approach to cybersecurity is no longer viable. Pieter Danhieux, CEO of Secure Code Warrior, emphasises the importance of proactive investment in protecting digital assets and company reputation. Directors must consider the “reasonableness test” in assessing their planned level of action, understanding that risk reduction steps deemed reasonable today are different from what they were a decade ago.
Resilience over Security
Kris Lovejoy, global security and resilience practice leader at Kyndryl, suggests that traditional concepts of security risk management are inadequate given the complexity of the cyber threat landscape. She advocates for a broader perspective encompassing resilience, which includes efforts to anticipate and plan recovery from cyberattacks.
Key takeaways for board directors:
- Alert, detect, and respond: It’s now critical to react to cyber threats in less than 90 minutes. Speed and efficiency in response measures can make all the difference.
- Understand your legal responsibilities: Boards need to comprehend their liability in the event of cyberattacks and must ensure that all obligations under recent regulatory reforms are met.
- Invest proactively in cybersecurity: Rather than reacting to cyber threats, take proactive measures to safeguard your organisation’s digital assets and reputation.
- Shift to a ‘resilience by design’ approach: Go beyond traditional security risk management. Plan for the entire lifecycle of a cyberattack, from prevention to recovery.
In the face of a formidable and rapidly evolving cyber threat landscape, directors must adapt swiftly and effectively. As the guardians of their organisations, they hold the key to ensuring their businesses can weather the storm of cybercrime.