New governance principles in wake of Medibank cyber attack
26 October 2022 at 1:08 pm
An Australian-first partnership aims to better prepare organisations to protect their data, and more importantly, the data of their customers and clients.
Just one month after the high-profile cyber attack on telecommunications giant Optus, Australia has yet again been rocked by another privacy breach, this time a hack exposing the personal data of just under four million Medibank customers.
To better equip organisations to strengthen their cyber security, the Australian Institute of Company Directors and the Cyber Security Cooperative Research Centre are partnering to release new governance principles.
It comes as not-for-profit leaders signalled the vulnerability of the sector to cyber attacks, with research showing more than 60 per cent expect a surge in reportable cyber incidents this year despite just under half making progress on establishing a security and privacy program.
Cyber Security Cooperative Research Centre CEO Rachael Falk said this worry is reasonable, and emphasised the importance of a cyber security framework for organisations.
“Companies must expect to be attacked and the worst thing any organisation can do in this current environment is to proceed with a false sense of security. This is a core risk that has to be incorporated into the everyday business of running any organisation.”
The new principles were informed by extensive consultation with government, industry experts and the wider community of company directors.
They provide a practical framework for effective board oversight across five key areas: roles and responsibilities; cyber strategy development and evolution; incorporating cyber into risk management; building a cyber resilient culture; and preparing for and responding to a significant cyber incident.
Minister for cyber security Clare O’Neil said the principles will benefit sector leaders and resonate broadly across all Australian industries.
“Building our nation’s cyber resilience is crucial. This will require a huge collective effort across government and industry, with company directors having a critical role to play. These principles provide a clear picture of cyber security best practice for organisations across the whole economy.”
Australian Institute of Company Directors’ CEO Mark Rigotti said he was “delighted to be releasing these principles with the [Cyber Security Cooperative Research Centre]”.
“Cyber security is a crucial area for boards and we know they are looking for as much support as possible. Building cyber resilience within organisations is ultimately about building resilience across the nation as well as capacity within our teams and organisations.”