On 1 March 2024, Home Affairs Minister Clare O’Neil endorsed world first cyber governance guidelines to help Australian company directors better prepare for cyber incidents. Ms O’Neil said the new governance principles should be embedded by all Australian organisations “into how they do business”.

The AICD Guidance suggests more direct involvement by a board in a cyber crisis in terms of decision making and control in a manner that is more prescriptive and involved than current plans and ways in which organisations respond to a crisis.

For most organisations, the current role of the board during a crisis is to:

  1. Provide support to the Executive and become a ‘sounding board’ to the crisis management team for significant strategic decisions that need to be made.
  2. Challenge and endorse the key strategic decisions and actions of the crisis management team and provide board-level oversight regarding these key decisions.
  3. Liaise with key external stakeholders including the regulators, shareholders, and the media, only as agreed by the crisis communications team.

Only in extreme circumstances would the board be expected to respond to a crisis directly: where the CEO or Executive are directly implicated or impacted, where the Executive don’t have the capacity or skills for the size of the crisis, or where the team needs additional support.

New AICD Governance Guidelines on the role of the board during a cyber crisis include:

  1. A response structure that includes the board as a responding team, either as the full board or as a sub-committee.
  2. The expectation that members of the board convene an ‘out of schedule’ board meeting to respond to a crisis.
  3. Board members to ‘make decisions’ with the crisis management team for significant decisions such as paying a ransom during a ransomware attack.

Challenges with the new guidelines

The primary role of the board is to remain in a governance and assurance role, and most board members are unlikely to have the operational knowledge or technical experience to respond directly to a cyber crisis. Non-executive board members may not have the capacity or time to respond to an ‘out of session’ board meeting, or have the training or tools to respond to a crisis, unlike the Crisis Management Team (CMT) and the executive, who would be trained to respond to a range of potential crisis events.

What can executives do to maintain the current ways of working and meet the changing expectations?

  1. Clarify and agree on the role of the Board and Executive during a crisis.
  2. Implement an integrated response structure that includes the Board, Executive and Cyber Response Team.
  3. Utilise a unified decision-making framework to maintain a clear line of responsibility between the Board, Executive and Cyber Response Team.
  4. Utilise a Situation Report as the key communications tool between the Board, CMT and Cyber Response Team.
  5. Conduct scenario planning activities to test tools available and agreed ways of working.
  6. Utilise a Resilience Scorecard to provide assurance to the Board, Executive and external stakeholders.

Janellis is hosting a forum to discuss the new AICD Cyber Governance Guidelines and practical ways in which the Board and Executive can work together during a crisis. Key discussions include:

  1. How the Board can maintain a governance and assurance role and be aligned with the new AICD Cyber Governance Guidelines.
  2. A unified decision-making framework used by the Board, Executive and Cyber Response team.
  3. Communicating effectively with all key stakeholders.
  4. The role of the insurance provider during a crisis.
  5. Ensuring decisions are robust, transparent, discoverable and defendable.

For more information email events@janellis.com.au.

About Janellis

Janellis is a Management Consulting firm specialising in helping organisations execute their strategy and build resilience. This is done through three key practice areas: Project Delivery, Capability Uplift and Organisational Resilience.

Janellis helps organisations build resilience and deliver complex programs by uplifting capabilities in areas such as team-based critical thinking. Uplifting critical thinking skills relies on experiential and ‘learning by doing’ activities using scenarios. In response to COVID, Janellis has combined online learning and experiential learning through our Digital War Rooms and Virtual Labs. Our Master Facilitators enable experiential learning both in real-time and online using virtual tools where teams put into practice our tools and frameworks.