Photograph of board meeting with diverse board members sitting at a table in front of notebook computers. The image has a transparent pink overlay for Privacy 108's branding.

5 Key Questions Boards Should Ask About Cyber Incidents

The frequency of ransomware attacks is rising, as is the average cost of a privacy breach. Given the growing risk cyber security poses to Australian organisations, it’s unsurprising that it is a growing concern for boards. If your board hasn’t yet turned its head to the issue, read on to discover five key questions about cyber security issues for boards.   

Banner image with the text Questions boards should ask about cyber incidents in a search bar and the five questions outlined in the blog post below in hexagons

Cyber Security for Boards: 5 Questions to Ask 

How can we reduce the cyber risk our team poses to our organisation? 

Human error is still (by far) the most common cause of cyber breaches. Boards should give an appropriate portion of the cybersecurity budget to training the team. This can help to avoid and prevent cyber incidents and reduce the risk your personnel pose.  

If you believe the answer is yes – perhaps it’s time to put your team to the test. There are experts called ‘white hat hackers’ who work with organisations to put their defences to the test. In the case of your team, ‘white hat’ social engineers can see what it takes to get your team members to click on a suspicious link or download malware. 

How can we reduce the cyber risk data we collect poses to our organisation? 

Yellow diamond-shaped sign saying caution cyber attacks ahead with thunderstorm in the backgroundOrganisations that collect more personal and sensitive information are at greater risk of reputational, legal, and financial consequences in the wake of a breach. While boards do not need to concern themselves with the minutiae of data collection, they should know and understand the difference between personal and sensitive information. Additionally, they should be aware of the categories of data the organisation collects – and why.  

If there is no legitimate or reasonable purpose for collecting that data, boards should encourage management to stop collecting the data and delete existing data to reduce the risk it poses.  

Would we pay if a ransomware attack occurred?  

If you don’t know whether your organisation would pay a ransom following a ransomware attack, you haven’t got a sufficient ransomware plan in place. Ransomware planning involves your organisation considering technical and procedural measures to reduce the risk of ransomware attacks occurring.  

Robust ransomware plans should also consider:  

  • Technical backups and how your organisation would recover from a ransomware attack.  
  • Whether paying the ransom is a viable strategy for your organisation. The average ransom for Australian organisations in 2020 was $150,000.  
  • When and how you will notify the relevant stakeholders and regulators in case of ransomware.  

How will we pay the costs of a cyber security incident? 

Planning aside, your organisation should also consider how it will pay the costs of a cyber security breach or ransomware incident. Privacy breaches are expensive, with the average cost of a privacy breach in 2021 hovering around $2.82 million 

Your organisation must be prepared to pay for IT costs, legal costs, restitution to affected individuals, and regulator penalties (although, the OAIC is not known to hand out significant financial penalties), among other costs.  

Who is accountable in case of a cyber security incident? 

It’s important that your organisation has accountabilities in place. The primary reason for this is that these accountabilities will play a key role in the speed and effectiveness of your organisation’s response to a cyber security incident. It is essential that whoever handles the response is aware of that responsibility and up-to-speed with the planning. Ideally, they will regularly test the planned response too.  

If your organisation could benefit from guidance on cyber security issues for boards, reach out. Our team of privacy lawyers would love to help.  

  • We collect and handle all personal information in accordance with our Privacy Policy.

  • This field is for validation purposes and should be left unchanged.

At Privacy 108, we are passionate about privacy and data protection. We work with organisations to ensure they collect, use and secure all information in a way that is both compliant and meets community expectations. Privacy 108 is a law firm. Our team of lawyers can provide specialist legal advice on privacy and security issues.