Six Principles for Effective Cyber-Risk Governance
Cybersecurity is a critical concern for governments and organisations in today’s digital age. Companies are facing new pressures to overhaul their business models and fundamentally reimagine how they conduct business and embrace more digital and automated technologies. Given that companies are increasingly judged on how well they protect their own information as well as the data entrusted to them by customers and partners, cybersecurity and cyber resilience have become crucial board concerns for any trustworthy organisation.
The World Economic Forum Global Risks Report 2022 showed that cybersecurity failure ranks among the top five risks facing nations, and it is the number one risk here in Australia: “At a regional level, “cybersecurity failure” ranks as a top-five risk in East Asia and the Pacific as well as in Europe, while four countries—Australia, Great Britain, Ireland and New Zealand—ranked it as the number one risk.” [1]
In 2023, the Australian Institute of Company Directors (AICD), in its submission to the Department of Home Affairs-led consultation on the development of the 2023-2030 Australian Cyber Security Strategy, strongly supported Government and industry working together to ensure that Australia is a world leader in cyber security, with Australians having confidence that our economy operates within a secure and trusted digital environment. [2]
Cybersecurity governance will continue to be a significant matter of importance for board directors. Boards have a responsibility to ensure that their organisation is adequately protected against cyber threats and that they have effective cyber-risk management structures in place.
However, common mistakes made by boards when it comes to cybersecurity can undermine an organisation’s cyber-resilience. These mistakes include ignoring or failing to understand cyber-risk, failing to prioritise the most valuable digital and data assets, overlooking the human factor, having no tested crisis plan in place when a cyber-attack occurs, and siloing the cyber-risk discussion.
“Cybercriminals are increasingly finding ways to manipulate human trust in order to bypass the security protocols they can’t overcome via technical means alone. An understanding that it’s impossible to stop all incidents will enable an organisation to shift its focus from planning for failure to learning from and reacting to failure.” 
Board members must set the tone for the rest of the organisation
To help boards understand the organisation’s cybersecurity posture, and to fulfill their cybersecurity responsibilities, here are six principles for effective cyber-risk governance:
- Integrate cybersecurity into the organisation’s corporate governance framework: Cybersecurity should not be seen as just an ICT issue, but rather as a strategic business enabler that can help organisations achieve their goals. By elevating cybersecurity as a board issue and developing a priority list that outlines cybersecurity’s new place within the corporate governance framework, directors can maximise their involvement and ensure that cybersecurity is integrated into the organisation’s overall strategy. 
- Ensure organisational design supports cybersecurity: Boards should ensure that their organisation’s design supports cybersecurity by having effective cyber-risk management structures in place. This includes ensuring that management has the necessary ICT and cyber resources and expertise to assess and manage cyber risks, and that there are clear reporting lines and communication between management, the CEO and the board on cybersecurity issues.
- Understand the economic drivers and impact of cyber risk: Boards should have a clear understanding of the economic drivers and impact of cyber risk on their organisation. This includes understanding the organisation’s data holdings, the potential financial, reputational, and operational consequences of a cyber-attack, as well as the benefits of investing in preventative cybersecurity measures.
- Align cyber-risk management with business needs: Cyber-risk management should be aligned with the organisation’s business needs and goals. This means ensuring that cybersecurity measures are integrated into the organisation’s overall risk management framework and that they support the achievement of business objectives. 
- Incorporate cybersecurity expertise into board governance: While some companies may choose to recruit board directors with cyber-risk or cybersecurity expertise, boards should at a minimum increase the entire board’s understanding of cyber-risk through external expertise, and build relationships with their CIO or CISO, who can provide internal expertise to guide strategic cybersecurity decisions and improve the organisation’s management of cyber risk.
- Encourage resilience and collaboration: Boards should encourage systemic resilience and collaboration within their organisation, and with external partners and stakeholders to improve the organisation’s cybersecurity posture. This includes developing peer networks through board governance associations, and with other board professionals to share best governance practices across institutional boundaries. [3,4,5]
In summary, boards have a critical role to play in ensuring that their organisation is adequately protected against cyber threats. By following these six principles for cyber-risk governance, boards can improve their organisation’s cybersecurity posture and effectively govern cyber-risks. It is important for boards to see cybersecurity as their responsibility, not just an ICT issue.
About: Gary Morgan is a seasoned board director, CEO, consultant, and corporate advisor with extensive knowledge in strategy, innovation, and growth across various sectors including health tech, aged care, agtech, information security, and research. Gary’s focus is on driving business growth through transformational change, with a particular emphasis on leveraging emerging AI technologies. He is a Fellow of the Governance Institute of Australia and serves on the Griffith University Industry Advisory Board for the ICT School. Gary has co-authored several papers and reports that have been published in top entrepreneurship and medical journals and has presented his work at international conferences.
Acknowledgment: This article was composed in part with the assistance of AI technology.
- World Economic Forum. The Global Risks Report 2022. https://www3.weforum.org/docs/WEF_The_Global_Risks_Report_2022.pdf
- Australian Institute of Company Directors. AICD submission on 2023-2030 Australian Cyber Security Strategy. https://www.aicd.com.au/news-media/policy-submissions/2023/aicd-submission-on-2023-2030-australian-cyber-security-strategy.html
- Governance Institute of Australia. Managing cybersecurity governance https://www.governanceinstitute.com.au/resources/governance-directions/volume-71-number-5/managing-cybersecurity-governance/
- Leibel, A. and Pales, C. The Secure Board. 2021. Sydney, Australia.
- The Harvard Law School Forum on Corporate Governance. Principles for Board Governance of Cyber Risk. https://corpgov.law.harvard.edu/2021/06/10/principles-for-board-governance-of-cyber-risk/
- Australian Institute of Company Directors. Six principles for boards on cyber-risk governance. https://www.aicd.com.au/risk-management/framework/cyber-security/six-principles-for-boards-on-cyber-risk-governance.html
- Zongo, P. Three Effective Ways For Boards To Prepare For Imminent SEC Cyber Rules. Forbes, 20 April 2023. https://www.forbes.com/sites/forbesbusinesscouncil/2023/04/20/three-effective-ways-for-boards-to-prepare-for-imminent-sec-cyber-rules/
- Gallagher. Cyber Security Governance – a guide for business boards and directors. 2023. https://www.ajg.com/au/news-and-insights/2023/apr/cyber-security-governance-a-guide-for-business-boards-and-directors/