Synopsis
Cyber incidents require Boards and leadership teams to make critical decisions swiftly to mitigate risk and accelerate recovery. This presentation explores the unique challenges faced by leaders and Boards of SMEs and NFPs during cyber incidents, examines real-world incidents, reviews the regulations that apply, and offers practical insights and strategies to enhance executive and board-level decision-making during a cyber crisis.
Problem:
Leadership teams and Boards are often unprepared for the unique challenges posed by significant cyber incidents, requiring high-stakes decisions under intense scrutiny from regulators, governments, employees, customers, and the media. Without proper preparation, responses can be inadequate, exacerbating the situation.
Relevant Incidents:
The presentation will examine real-world cyber incidents with lessons for SMEs and NFPs, such as the 2021 cyber attack on Eastern Health and the 2021 ransomware attack on JBS Foods. These case studies will highlight operational disruptions, reputational damage, and the critical need for prepared leadership. Eastern Health faced significant disruptions to hospital services, while JBS Foods had to shut down processing operations, affecting the food supply chain.
Relevant Regulation:
This presentation will discuss the relevance of key regulations, including the Privacy Act 1988 (and its Notifiable Data Breaches scheme), the Security of Critical Infrastructure Act 2018 (SOCI Act) and APRA Prudential Standard CPS 234 Information Security, emphasising the regulatory reporting and notification obligations that Boards must navigate during a cyber crisis.
Solution:
The presentation will outline several key strategies to enhance decision-making capabilities during cyber incidents.
(1) Developing a cyber incident response plan: A comprehensive, regularly tested response plan with clear roles and responsibilities for the Board and crisis management team.
(2) Training and simulations: Regular scenario-based training and incident simulations to prepare leaders for effective response under pressure.
(3) Effective communication strategies: Guidance on developing robust communication strategies to maintain trust and transparency with all stakeholders during a crisis.
(4) Engaging external support: Utilising external advisors and cybersecurity experts to enhance response capabilities, ensuring timely and comprehensive crisis management.
The presentation will also cover:
(a) Regulatory reporting and notification obligations: Detailing the steps required to comply with relevant legislation.
(b) Role of the Board: Discussing the Board's critical oversight role in cybersecurity efforts.
(c) Wellbeing of staff: Providing strategies for supporting staff during and after a cyber incident.
(d) Rebuilding reputation: Offering insights into managing public relations and restoring stakeholder confidence post-incident.
(e) Decision-making on ransom payment: Exploring the complex considerations surrounding ransom payments.
(f) The long regulatory investigation tail: Understanding the potential long-term implications of regulatory investigations that continue well after the incident itself is contained.
Conclusion:
The presentation will conclude by emphasising the importance of Board and leadership roles in cyber crisis governance. Effective decision-making frameworks, regular training, and a clear understanding of regulatory obligations are crucial. By fostering a culture of preparedness and leveraging resources from the Australian Cyber Security Centre (ACSC), the Cyber and Infrastructure Security Centre, ASIC, APRA, and the Australian Charities and Not-for-profits Commission, SMEs and NFPs can mitigate immediate impacts, manage long-term consequences, support staff wellbeing, and rebuild their reputation. Adopting these strategies will enhance their ability to respond to cyber threats and sustain the trust of their stakeholders.