October 10, 2023
This article was authored by Wouter Veugelen, Ben Hamilton, Damon Hunt, and David Whitely.
All organizations are at risk from cyber-related threats and the responsibility of company directors has recently been cast into the spotlight.
Recent high-profile incidents have shown that, without adequate preparation and a plan to respond when the worst happens, a cyber attack can cripple operations and permanently damage a business’s reputation.
In a recent interview with the ABC, Home Affairs and Cybersecurity Minister Clare O’Neil said the government wants to take the pressure off small businesses and citizens and build layers of cybersecurity protections around them.[1]
“We’ve seen corporate Australia get a big wake-up call over the last year about their important responsibilities here. Board directors have obligations to their customers to protect their data and privacy and we intend to enforce those obligations as a government,” the Minister said.[2]
This is a clear message to corporate Australia on how seriously boards and directors must take their responsibilities to protect their organization – and Australians – from cyber attacks.
“They [directors] have got duties around cybersecurity, and boards have obligations to understand the cybersecurity of their companies.”
– Minister Clare O’Neil
As data has become integral to operations, cyber risk has grown.
The probability that an organization will experience a data breach, ransomware attack, or any other type of cybersecurity incident has never been greater, as fast-evolving threat actors become more organized and more capable.[3]
From business email compromise, phishing and spear phishing, distributed denial-of-service (DDoS) attacks, credential stuffing, and nation-state-sponsored activity to ransomware and other complex attacks involving personally identifiable information, protected health information, and intellectual property, keeping pace with the cyber threat landscape and staying ahead of threat actors is a core business focus.[4]
Through providing the strategic counsel and tactical execution needed by global boards to prepare for and navigate through cyber incidents, FTI Consulting cybersecurity and strategic communications experts have built a comprehensive picture of current vulnerabilities, most likely threats, and overall cyber readiness and incident response needs.
Fundamentally though, cyber preparedness must be led from the top-down – there must be executive-level buy-in and a whole-of-business approach for activating incident response and crisis communications plans to minimise risks and impacts of cybersecurity incidents.
Like all forms of building crisis management capability, preparedness is the best form of defence.
We have worked with boards and executive teams to review crisis plans and procedures to assess them against the top international crisis management standards.
From this, we then create table-top and simulation exercises – often in partnership with forensic, insurance, and legal partners – to drill operational teams, senior leadership, boards, and directors in risk mitigation and reputation management.
When the worst happens, we work around the clock to support the impacted organization. We help communicate proactively, transparently, and truthfully and we actively develop messaging during the crisis to prepare for questions from all stakeholders and the media. We assist with strategic and tactical incident response, such as initial containment and eradication of the threat. Where required, we assist with responding to regulator inquiries and assist with submitting breach notifications to regulators and data subjects.
The steps taken after an incident to build a culture of security and to protect relationships with peers, customers, employees, and other key stakeholders are critical for businesses. Partnering with external counsel, forensic investigators, and cyber insurers to ensure consistent and appropriate stakeholder communications across the board is key, as is implementing appropriate remediation plans.
In the end, this preparation is essential because every organization is vulnerable to cybersecurity risk.
The Australian government has an ambition for Australia to make “a big leap” to become a world leader in cybersecurity by 2030, with the aim of increasing trust in the digital environment; if this is to happen, directors have a huge role to play.[5]
Indeed, Minister O’Neil had a clear message for directors who don’t understand cybersecurity: “They certainly should not be serving on boards of Australian companies.”[6]
FTI Consulting can draw upon its global reach and experience working with ASX 200 companies, small businesses, and not-for-profit organisations across all sectors and geographies, to assist directors and companies with preparedness, response, and recovery so they can make Australia a world leader in cybersecurity.
[1] Clare O’Neil, “‘We want Australia to be a cyber leader by 2030’: Cybersecurity Minister,” Australian Broadcast Network (September 18 2023), https://www.abc.net.au/listen/programs/radionational-breakfast/clare-o-neil/102871708.
[2] Id.
[3] Samira Sarraf, “Why Cyberattacks Against Australian Organisations are Increasing” CSO Online (June 26 2023), https://www.csoonline.com/article/643270/why-cyberattacks-against-australian-organisations-are-increasing.html.
[4] “Cost of a Data Breach Report 2023” IBM (2023), https://www.ibm.com/reports/data-breach?utm_content=SRCWW&p1=Search&p4=43700077724064000&p5=e&gclid=EAIaIQobChMIqrKf_rrsgQMVmunICh3O2Q3KEAAYASAAEgI8O_D_BwE&gclsrc=aw.ds.
[5] Clare O’Neil, “‘We want Australia to be a cyber leader by 2030’: Cybersecurity Minister,” Australian Broadcast Network (September 18 2023), https://www.abc.net.au/listen/programs/radionational-breakfast/clare-o-neil/102871708.
[6] Id.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates or its other professionals.