GovernWith Blog

The GovernWith blog for boards, directors and executives who want to develop their governance capabilities so they achieve their strategic goals and mitigate risk.

Posts about: Cyber Security

Director Risk without a Response Plan

Evolving Directors' Roles in the Face of Cybersecurity Challenges

In contemporary business, where digitalisation is paramount, directors face intricate decisions and unforeseen obstacles. Cyber security, once a distant concern, is now a pressing threat capable of disrupting an organisation's core functions. The pivotal question: are directors accountable for the aftermath of a cyber attack if they lack a proactive incident response plan?

Grasping the Concept of Foreseeable Risk

Foreseeable risk is the lens through which directors' responsibilities for cyber security readiness are judged. In a dialogue led by Wes Ward, Vera Visevic explains what foreseeable risk means and the consequences directors might face without a robust incident response plan. She draws parallels with unforeseen events such as the pandemic and discusses how the legal framework tries to balance an understanding of business challenges with an expectation of preparedness.

Directors' Duties and Navigating Foreseeable Risks

The law acknowledges the difficulty of steering an organisation and aims to balance accountability with practicality. Genuinely unexpected events may shield directors from liability, but the position shifts once a risk becomes foreseeable. Just as the pandemic underscored the need for readiness, the rise of cyber attacks and environmental disruptions demands proactive involvement from directors. The standard is that of a reasonable person in the director's position: such a person would acknowledge the mounting frequency of cyber threats and environmental disturbances, and that acknowledgement calls for discussion, assessment and protective measures.

From News Headlines to Boardroom Agendas

Media outlets are full of reports of cyber attacks, which makes cyber security a matter for the top level of governance. Vera highlights that ignoring so evident a threat is no longer viable: with cyber security incidents dominating headlines, directors cannot claim ignorance of the danger. Much as climate change is affecting communities worldwide, cyber attacks are affecting organisations across every industry, and directors must accept the duty of identifying and addressing trends that can reshape their business.

The Call for Proactive Responses

The exchange between Wes and Vera makes the point that foresight carries responsibility. Just as prudence dictates action in response to foreseeable natural disasters, so it does for cyber security. Boards are entrusted with addressing evolving risks that can disrupt operations, compromise data and damage reputations; an organisation's sustainability depends on its leadership's ability to anticipate and counter those risks. The legal framework recognises that directors owe it to their organisation, stakeholders and the broader community to engage in informed discussion and strategic planning that mitigates cyber threats.

A New Governance Paradigm

The convergence of technology, cyber security and environmental challenges has produced a new governance paradigm. Directors are no longer insulated from these concerns; they are expected to lead with a comprehensive grasp of foreseeable risks, and foreseeable risk acts as a compass pointing them toward proactive preparedness. As organisations navigate a complex business landscape, the onus rests on directors to take part in ongoing discussion, evaluate evolving risks and implement measures that shield their organisations from the threats around them.

Reasonable Response - Directors and Cyber Security

Strengthening Directorial Response to Cybersecurity Challenges: Strategies for Effective Governance

In today's interconnected world, cyber attacks pose a significant threat, placing boards of directors in a pivotal role in fortifying their organisations. With cyber threats intensifying, boards must reshape their governance strategies. Fi Mercer, a governance expert, presents a pragmatic roadmap to steer boards toward proactive and comprehensive cyber security governance.

Adapting to the New Reality

As the cyber threat landscape expands, boards must adapt their governance approach quickly. Mercer calls for a structured and proactive response that starts with acknowledging cyber security as a foremost risk. She also addresses the financial constraints some organisations face and suggests alternative ways to ensure cyber security receives due attention.

Empowering the Risk Committee

One approach Mercer advocates is placing cyber security on the risk committee's agenda and enlisting a cyber security expert as a member of that committee, which supports informed risk assessment and mitigation. This brings specialised insight to the table and bridges the gap between cyber security considerations and holistic risk management.

Elevating Cybersecurity on the Board Agenda

Mercer stresses giving cyber security a permanent slot on the board's agenda. Like clinical governance in healthcare or customer feedback, cyber security deserves dedicated deliberation time. A standing item prevents essential matters from being overlooked and reinforces the board's commitment to addressing cyber risk.

The Role of a Dedicated Cyber Subcommittee

For larger entities with adequate resources, Mercer recommends establishing a specialised cyber subcommittee. This body examines cyber security strategy in depth and keeps the board abreast of evolving threats and effective countermeasures, so that cyber security stays at the forefront of discussion rather than becoming an afterthought.

Collaborative Solutions in Resource-Constrained Areas

Mercer's insights extend beyond conventional organisational boundaries. In regional, rural and even suburban settings, where resources may be scarce, she advocates exploring shared committees. Drawing on models such as clinical governance, she encourages collaborating with other organisations to pool expertise and resources. Because cyber threats cut across industries, boards can unite their efforts against them.

The Universality of Cybersecurity Risk

One of Mercer's notable insights is that cyber security threats transcend sectors and industries. That universality creates opportunities for cross-industry cooperation: regardless of their primary focus, organisations can form alliances to exchange information and develop cooperative strategies against cyber threats.

A Local Focus on Solutions

As Wes Ward highlights, Mercer's suggestions champion local engagement and shared resources. In a world shaped by technology, her community-driven approach builds cyber security from the grassroots up. Local collaboration helps ensure each organisation gains access to vital expertise, fostering resilience against cyber threats.

In Conclusion

As the digital landscape grows more intricate and more vulnerable, boards of directors shoulder a weighty responsibility. Fi Mercer's expertise guides directors through unfamiliar territory toward prudent and effective governance. By weaving cyber security into the fabric of governance, boards can proactively address cyber threats and bolster their organisations against a dynamic risk landscape.

The Cost of Cyber Attacks

Counting the Costs of Cyber Attacks: Implications for Businesses and Individuals

In an interconnected world, cyber attacks reach beyond physical boundaries to disrupt businesses and personal lives. Jonathan Green examines the price tags and the consequences that cyber attacks carry, which extend well beyond financial loss. This article dissects the dimensions of cyber attack costs and their ramifications for Australian businesses, individuals and the often-overlooked not-for-profit sector.

A Global Outlook on Costs

Cyber attacks impose a heavy financial burden, felt in both monetary and personal terms. The global figure Green cites is around 7 trillion dollars. Australia is a small fraction of that picture but remains exposed: the cost to Australian businesses, by the figure he gives, reaches 29 billion dollars. These numbers illustrate the gravity of the issue and how deeply cyber attacks have penetrated modern society.

Personal Lives at Stake

Beneath the ledger entries and balance sheets, the ripple effects of cyber attacks reach into individual lives. Exposure of personal information sets off a chain of consequences that extends beyond the online world. Jonathan Green shares accounts of individuals caught in the aftermath of a cyber attack: untangling what has been done with stolen information can take years and takes a substantial toll on personal wellbeing. The costs of cyber attacks are therefore emotional, psychological and social as well as financial.

Not-for-Profits in the Firing Line

Cyber attacks target not only corporate giants but also not-for-profit organisations, which often operate with limited resources and are not immune to the threat. Their incidents may not make headlines, but they matter just as much. What distinguishes organisations is their response: some show adept crisis management and containment, while others struggle with the aftermath of unpreparedness.

A Call for Comprehensive Preparedness

The cost of cyber attacks underscores the urgency of readiness across the spectrum. Whether a large conglomerate, a modest enterprise or a not-for-profit, the peril is real and demands proactive measures. The financial implications are apparent, but the impact on individual lives cannot be underestimated. Businesses and other entities have a responsibility to bolster their defences, not only in their own interests but to shield the personal lives entwined with their operations.

Navigating Tomorrow

As technology advances, so do the methods and scale of cyber attacks. Defending against them requires vigilance, adaptability and an ongoing commitment to improvement. The costs confirm the value of investing in cyber security measures, cultivating a culture of readiness and staying attuned to emerging threats. The ever-evolving realm of cyber attacks demands a proactive stance, one that acknowledges the costs, anticipates risks and works toward a digitally secure future for businesses, individuals and the broader community.

Cyber Privacy Act

Navigating Privacy Act Compliance in the Cyber Age: Safeguarding Data Amidst Evolving Threats

Among the regulations governing the digital domain, the Privacy Act stands as a sentinel guarding personal information. As cyber attacks grow in sophistication, understanding the interplay between cyber threats and the Privacy Act becomes pivotal. This article follows a conversation between Wes Ward and Jonathan Green exploring the subtleties of the Privacy Act and its implications for organisations facing evolving cyber challenges.

The Privacy Act: An Anchor of Data Protection

Jonathan Green introduces the Privacy Act 1988 (Cth), the cornerstone of Australia's data protection framework. He notes that cyber attacks often target data held in cloud-based systems or online repositories, which amplifies the Act's significance. The Privacy Act regulates how personal information flows and establishes control over and accountability for it.

Navigating the Grey Zones

The Privacy Act has its own contours, distinct from the broader discussion of cyber threats. Jonathan clarifies the threshold: organisations with an annual turnover under 3 million dollars are generally exempt. There are many exceptions, however. Organisations providing services under Commonwealth or state government contracts, or providing health services, may be subject to the Act regardless of turnover. Disclosing personal information for a benefit, service or advantage, or handling individuals' tax file numbers, also triggers obligations. Even entities below the 3 million dollar threshold must therefore check the Act's obligations carefully.

A Robust Compliance Framework

Jonathan expands on the organisations that, despite modest turnover, are firmly within the Act's reach. Funding agreements with government bodies and the provision of health services bring compliance obligations with them, consistent with the Act's intent to safeguard personal data across many settings. Any entity that discloses personal information for a benefit, service or advantage likewise carries compliance responsibilities that reinforce individuals' privacy rights.

Implications for Cyber Security

Cyber security and the Privacy Act are closely intertwined. Cyber attacks exploit vulnerabilities in digital systems, and personal information is often the target. The Act therefore places a dual responsibility on organisations: protect personal data and bolster cyber defences. The Act does not speak in the language of cyber threats, but Australian Privacy Principle 11 requires entities to take reasonable steps to protect the personal information they hold from misuse, interference, loss and unauthorised access, modification or disclosure, which is precisely what a cyber attack causes.

Compliance as a Keystone

Jonathan's insights converge on one point: the Privacy Act wraps a protective layer around personal information and is a keystone in the fight against cyber threats. Compliance is more than a regulatory mandate; it is a tool for nurturing a culture of data security. By adhering to the Act's principles, organisations meet their legal obligations and build a more resilient shield against cyber adversaries.

In Conclusion

In the ever-evolving realm of cyber threats, the Privacy Act's significance only grows. Its reach extends beyond the turnover threshold to a diverse array of organisations. Through compliance, organisations build stronger barriers against data breaches and cyber vulnerabilities. The relationship between the Privacy Act and cyber security is symbiotic: one champions data privacy while the other protects the systems that hold it.

Areas Of The Cyber Privacy Act

Navigating Privacy Act Compliance Amidst Cyber Threats: Safeguarding Sensitive Data

In contemporary business and technology, safeguarding personal and sensitive information has become paramount. As enterprises embrace digital transformation and data-intensive activities, the balance between privacy and cyber security grows in importance. This article examines where the Privacy Act intersects with cyber threats and the compliance mechanisms that protect sensitive data amid evolving digital risk.

Unpacking the Landscape: Personal Information, Sensitive Information, and Health Data

Jonathan Green sets out the key facets of the Privacy Act. At its core, the Act addresses two primary categories: personal information, which covers identifiers such as names and birthdates, and sensitive information, which covers more intimate matters such as sexuality or religious affiliation. Health information is a category of sensitive information that warrants its own treatment because of its critical nature, the stringent handling it requires and the state health records laws that can apply to it.

Steering Compliance: Tailored Responses for Different Data Types

The Privacy Act calls for tailored approaches to different data types, so understanding the distinct requirements for personal, sensitive and health information is pivotal. Organisations covered by the Act, or by state health records legislation, must align their practices accordingly. Data protection is multi-layered and demands strategies that account for both the nature of the data and the applicable law.

Breach Evaluation: Swift Reaction in the Face of Cyber Threats

Data breaches are a tangible hazard, and Jonathan Green emphasises the protocol organisations must follow when one occurs. Whether a breach has happened or there are reasonable grounds to suspect one, an assessment is required. That assessment gauges the breach's potential impact and the scope of harm and repercussions. It has two parts: determining whether the breach is likely to result in serious harm to any affected individual, and then taking steps to prevent or mitigate that harm.

Timely Measures: The Countdown to Compliance

Once a breach is suspected, prompt action is essential. Under the Privacy Act's notifiable data breaches scheme, organisations have a tight window, 30 days, to complete their assessment of a suspected breach. If the assessment finds an eligible data breach, the organisation must, as soon as practicable, prepare a statement for the Office of the Australian Information Commissioner and notify affected individuals, telling them what happened, what kinds of information were compromised, the potential consequences and the steps they should take in response. This transparency reflects the core tenets of the Privacy Act, fostering accountability and prioritising individuals' privacy.

In Conclusion: Forging a Path of Compliance in the Digital Terrain

In an era of data-centric activity and escalating cyber risk, the Privacy Act and cyber security converge at a pivotal point. Navigating it requires a clear grasp of data categories, legal requirements, breach assessment and swift response. Organisations must handle the intricacies of compliance and cultivate a proactive mindset that puts privacy first. As technology advances, aligning privacy practice with cyber security remains an ongoing task, one that strengthens data protection, builds trust and bolsters organisational resilience.

Cyber Governance and Good Faith

Strengthening Governance through Cyber Vigilance and Ethical Commitment

In governance, acting in good faith means more than legal compliance. It embodies a dedication to safeguarding an organisation's best interests amid ever-evolving challenges. Wes Ward and Fi Mercer discuss the intrinsic connection between acting in good faith and cyber security governance.

Navigating Governance with a Strategic Approach

In effective governance, the principle of acting in good faith takes centre stage. It goes beyond legal obligation to the ethical core of stewardship. Fi Mercer examines board duties and responsibilities and the relevance of this principle: it is not just about adhering to the letter of the law but about fostering a culture of due diligence, prudence and vigilance.

Ethical Governance Framework

Ethical governance principles treat boards as dynamic entities that continually assess, develop and refine themselves. Fi Mercer emphasises that board development and director skills enhancement are integral to ethical governance. Recruitment alone cannot bridge a skills gap; a proactive approach to learning and development is essential.

Incorporating Good Faith into Action

Acting in good faith demands tangible steps. Boards must examine their organisation's cyber security posture: are policies robust, is comprehensive training provided, and does the organisational culture prioritise cyber security vigilance? Fi Mercer stresses that these actions turn good faith from intent into practical measures that bolster an organisation's cyber resilience.

Empowering Directors with Insightful Questions

Directors, while not cyber security experts, play a pivotal role in driving organisational vigilance. Their questions and probing shape an organisation's cyber posture. Acting in good faith means equipping directors with the right questions to steer discussion toward cyber security preparedness; when directors know what to ask, the trajectory of cyber risk management shifts significantly.

Converging Good Faith and Cyber Resilience

In an era of digital transformation, acting in good faith becomes closely tied to cyber resilience. Fi Mercer explains that good faith translates into practical measures that address cyber security head-on: proactively establishing policies, fostering a culture of cyber security, and continually assessing and enhancing director skills. When these elements align, an organisation can face a cyber attack knowing its foundation has been fortified by good faith effort.

Confronting Challenges with Strength

Acting in good faith cannot eliminate the threat of a cyber attack, but it equips organisations to confront it from a position of strength. It signifies a commitment to proactive measures, diligent oversight and a culture that values cyber security. Fi Mercer and Wes Ward's discussion shows that acting in good faith is a compass guiding governance toward ethical, proactive and resilient cyber security practice.

Acting in good faith, then, goes beyond legal obligation. It is a commitment, a mindset and a foundation for ethical governance. In cyber security it directs organisations toward proactive strategies, insightful questions and a steady dedication to cyber resilience. Boards that embrace the principle not only mitigate risk but become exemplars of vigilant and conscientious governance.

Cyber Response Planning for the Board of Directors

Empowering Boards for Cyber Resilience: Navigating Director Responsibilities

Cyber security is a formidable challenge for organisations across sectors, and boards and directors must evolve their approach to counter the escalating threat of cyber attacks. This article draws on a conversation with Vera Visevic about the imperative for directors to understand cyber security, harness relevant expertise and fulfil their duties within a changing legal and technological framework.

Equipping Directors with Cyber Insight

Vera Visevic identifies a foundational requirement: directors must acquire a solid understanding of cyber security, one that goes beyond the surface given the far-reaching impact of cyber risk. Tailored cyber security training for directors is therefore a priority. A well-informed board can cultivate a culture of cyber awareness and align its governance practices with the realities of the digital realm.

Leveraging Expert Proficiency

The surge in cyber threats calls for expertise that boards may lack. Vera highlights the value of recruiting directors with a cyber security background, who can bridge the gap between boardroom discussion and the technical reality of cyber threats. Such experts are scarce, so alternatives matter: a dedicated cyber security subcommittee lets an organisation draw on external specialists, and that collective knowledge supports a proactive stance on mitigating cyber risk.

Exploring External Collaborations

Where internal expertise is limited, external collaboration becomes pivotal. Vera recommends that organisations allocate resources to engage external cyber security specialists, who bring an objective, well-informed perspective to decision-making. Investing in external advice bolsters cyber security strategy and demonstrates due diligence in a changing legal landscape.

Legal Ramifications and Continuing Obligations

Vera Visevic outlines the evolving legal dimensions of cyber security. As the law develops, directors face heightened scrutiny of their cyber readiness, and boards must stay attuned to these shifts. Cyber security is not a static concern but an ongoing commitment: directors must remain vigilant and adapt their strategies and policies to address cyber threats proactively.

The Imperative for Action

Vera's insights culminate in a clear call to action. Boards cannot afford passivity in the face of cyber risk; ignorance is no longer an acceptable excuse, and the law expects proactive measures. Organisations must provide cyber security education for directors and find ways to bring cyber expertise into boardroom deliberations. Whether through specialised directors, dedicated committees or external consultants, the objective is the same: a robust cyber defence strategy aligned with the organisation's ethos, values, legal obligations and future aspirations.

The confluence of technology and governance puts cyber security at the forefront of organisational priorities. Vera Visevic's insights underscore the need to fuse cyber security expertise with boardroom decisions. As cyber threats grow more complex, directors must embrace education, collaboration and external insight to navigate this landscape. Forward-looking organisations recognise that cyber security is not an isolated concern but a core facet of resilient governance. By championing cyber security proficiency, boards guide their organisations toward a digitally secure future.

Cyber Lessons Minimising Risk

Navigating Cybersecurity Risk: Lessons in Governance and Director Responsibility

Cyber security risk demands astute attention and strategic management. Vera Visevic, a legal expert, examines cyber security risk management and draws out lessons on the importance of regular risk assessments, well-defined response strategies and a robust governance framework. As businesses grapple with the interplay of technology and risk, her insights show how organisations can traverse cyber security risk to protect their operations and reputation.

The Inevitability of Cybersecurity Risk

Cyber security risk is a formidable, multifaceted concern that permeates nearly every facet of business operations. Vera points out that the objective is not to eliminate cyber security risk entirely, which is rarely attainable, but to reduce it significantly through robust cyber security documentation and controls. Complete eradication remains elusive; reducing risk to an acceptable level is the pivotal aspect of diligent risk management.

Lessons from Cyber Risk Assessments

Performing a single cyber risk assessment and considering the task complete is a fallacy organisations must abandon. Vera emphasises regular cyber risk assessments, because the threat landscape is dynamic and ever-evolving. A continuous approach keeps organisations attuned to emerging threats and vulnerabilities and enables timely adjustments to cyber security strategy and controls, acting as a proactive bulwark against breaches and their fallout.

Navigating Cyber Events with Preparedness

Preparedness lies at the heart of an effective response to any cyber event. Vera underlines that a well-defined response plan is a non-negotiable imperative. Cyber events strike unexpectedly, and without a clearly delineated response strategy an organisation risks a chaotic scenario that exacerbates the impact of the breach. An organised and rehearsed response plan, coupled with clear communication channels, allows organisations to mitigate the aftermath of an incident rapidly and effectively, minimising harm to operations, reputation and stakeholder confidence.

The Pivotal Role of the Court

Should a cyber security matter end up in legal proceedings, Vera highlights a factor organisations must recognise: the court's reliance on cyber experts. As law and technology intertwine, courts increasingly turn to cyber experts to determine what should have been done in a given situation. This underscores the gravity of a director's duty of care, skill and diligence in cyber security. The Australian Institute of Company Directors (AICD) director's guide confirms that a lack of specialist knowledge in ICT and cyber security does not exempt directors from responsibility for effective governance in these domains.

Upholding Governance in Cybersecurity

Vera's insights reinforce that cyber security governance is not an isolated domain reserved for experts. Each director carries the responsibility of ensuring that appropriate governance mechanisms are in place to safeguard the organisation's digital environment. The AICD director's guide serves as a compass here: directors have a duty to oversee cyber security governance even if they lack specialised expertise in the field.

In Conclusion: Navigating the Intersection of Risk and Governance

Vera Visevic's discussion illuminates the intersection of cyber security risk and governance through the lens of her legal expertise. From the inevitability of cyber risk to the value of recurring risk assessments, from readiness in responding to cyber events to the court's reliance on cyber experts, her insights chart a course for organisations navigating cyber security risk. As technology reshapes the business landscape, directors' responsibility to uphold cyber security governance remains steadfast, paving the way for a resilient and secure future in the digital era.

Cyber Risk - Are Directors Personally Liable

Navigating Director Liability in the Digital Age: Cybersecurity Responsibilities Unveiled

Technology has transformed the role of directors and brought with it new responsibilities, nowhere more visibly than in cybersecurity. As organisations across all sectors pursue digital transformation, questions about the extent of directors' liability for protecting their entities against cyber threats have become more prominent. In this article we look at a discussion between Wes Ward and Vera Visevic of Mills Oakley on the evolving picture of director liability and the legal implications surrounding cybersecurity.

New Horizons, Fresh Responsibilities:

The spread of technology through business and society has opened new possibilities, but with these opportunities come new obligations for directors. Vera Visevic makes the central point that, alongside technological progress, directors now carry a heightened duty to protect their organisations against cyber threats.

Amplified Director's Duties:

Directors have long had a core set of five or six duties: acting in the organisation's best interests, managing conflicts of interest, and exercising care, skill and diligence among them. Vera explains that the duty of care and diligence is now understood to extend to cybersecurity. Where business operations depend on digital systems, directors are expected to exercise the same care and diligence in protecting the organisation's digital assets against cyber risks as they would for any other material risk.

The Unveiling of Cyber Resilience:

The concept of cyber resilience has come to the fore in recent years. It describes an organisation's ability to withstand and recover from cyber incidents, not just to prevent them. Vera emphasises that cyber resilience is not only a matter of culture; it forms part of directors' legal duty. Directors are not merely encouraged to embed cybersecurity practices in the organisation, they are required to. Cyber resilience is more than a catchphrase: it is a concrete commitment to the organisation's defences and its capacity to recover.

Decoding Personal Liability:

Director liability in the context of cybersecurity is not an abstraction. A director who fails to exercise due care and diligence in relation to cyber threats may face personal liability. In short, if a cyber incident occurs and the director neglected to take prudent care in cybersecurity matters, the director can be exposed to legal consequences. It is a reminder that the evolving nature of cyber threats demands an equally active approach to directors' responsibilities.

The Australian Institute of Company Directors (AICD) Standpoint:

The Australian Institute of Company Directors (AICD) has long guided directors through their responsibilities. Vera points out that as far back as 2016 the AICD recognised the growing significance of cybersecurity for directors. Its position is clear: cyber resilience is not optional but a cultural foundation, and the duty of care and diligence is not confined to traditional areas but extends to the rapidly changing cybersecurity landscape.

In Conclusion:

As technology becomes inseparable from modern business, directors face a changing set of responsibilities. Accountability is no longer limited to traditional domains; it now includes cybersecurity preparedness. With the duty of care and diligence extending to cybersecurity, directors must engage proactively with cyber risks. Treating cybersecurity as an integral part of directors' responsibilities is what builds resilient organisations able to operate with confidence in the digital era.

Role Of The Director Cyber Security

Enhancing Director Preparedness: Addressing the Role of Cybersecurity in Corporate Governance

Directors wield significant influence in guiding organisations through complex challenges. With cyberattacks now a substantial threat, directors need to understand their role in mitigating that risk. Governance expert Fi Mercer explains how directors can grasp the seriousness of cybersecurity concerns, evaluate their own competencies, and close knowledge gaps.

The Crucial Role of Directors in Risk Management

Fi Mercer underscores the fundamental obligation of directors to proactively identify and address risks within their organisations. This responsibility extends beyond the boardroom, necessitating directors' active engagement in recognising and responding to potential threats.

Assessing Directors' Competencies

Central to addressing these challenges is the regular evaluation of directors' skills. Mercer highlights the significance of skills assessments to determine if directors possess the necessary expertise to navigate emerging risks. In cases of skills gaps, a structured plan should be developed to enhance directors' capabilities and empower them to effectively address threats.

Empowering Directors with Cybersecurity Acumen

A pressing concern is the lack of cybersecurity knowledge among directors. Mercer asserts that this knowledge gap is particularly troubling, as it hinders directors from asking pertinent questions and making informed decisions about cybersecurity matters.

Shedding Light on the Cyber Knowledge Gap

Directors' unfamiliarity with cybersecurity intricacies can lead to ineffective discussions and decisions. Mercer stresses that a lack of foundational knowledge prevents directors from posing meaningful inquiries and fully comprehending the cybersecurity landscape.

Empowering Directors for Informed Action

To bridge this gap, Mercer suggests a multi-pronged approach. Directors should actively participate in ongoing educational programs, workshops, and seminars focused on raising cybersecurity awareness. This approach equips directors with essential concepts and terminology crucial for meaningful discussions.

Leveraging Expertise for Informed Dialogue

Collaborating with cybersecurity experts is another strategy Mercer advocates. Engaging with specialists who possess real-time insights into evolving cyber threats empowers directors to contribute effectively during cybersecurity discussions.

Embedding Cybersecurity in Governance Frameworks

To address cybersecurity risks comprehensively, boards should consider integrating cybersecurity as a recurring item on their agendas. By dedicating time to deliberate cybersecurity concerns, boards signal their commitment to proactive risk management. Mercer proposes incorporating cybersecurity as a standing topic within risk committee discussions.

Crafting Specialised Cyber Committees

In scenarios where cybersecurity assumes paramount importance, organisations may establish dedicated cyber committees. These committees facilitate direct interactions between experts and directors, enabling a deeper understanding of threats and potential solutions.

Fostering Curiosity and Inquisitiveness

While directors need not be cybersecurity experts, Mercer underscores the value of cultivating curiosity. Directors are urged to ask probing questions, enabling them to navigate the nuances of the cybersecurity landscape more effectively.

Navigating Director Liability and Legal Considerations

As directors engage in cybersecurity discussions, they should also be mindful of their legal responsibilities and potential liabilities. Understanding the legal implications of cybersecurity decisions is crucial for directors to make informed choices that protect both the organisation and their personal interests.

Conclusion: Equipping Directors for Cyber-Resilient Governance

Fi Mercer's insights emphasise the evolving role of directors in mitigating cyber risks within corporate governance. By embracing continuous learning, collaboration with experts, and integrating cybersecurity into boardroom discussions, directors can bolster their capacity to manage cybersecurity challenges effectively. This proactive approach not only safeguards organisations but also empowers directors to navigate legal considerations and uphold their responsibilities with confidence.

What To Do When You Have A Cyber Attack

The Intricacies of Cyber Incidents: Navigating Challenges

Cyber incidents pose a critical threat to businesses of all sizes. In this article we draw on the insights of cybersecurity experts David Rudduck and Wes Ward to look at how cyber incidents unfold and the challenges they bring.

Understanding the Evolution of Cyber Incidents:

David Rudduck describes how cyber incidents typically unfold. They often begin as seemingly minor computer problems: employees cannot open files or reach a system. Those symptoms prompt a call to the IT help desk, and it is usually at that point that the true nature of the incident comes to light.

For many businesses, this revelation is a wake-up call. In an ideal scenario, the business engages its insurance broker, who initiates the claims process with the cyber insurer. The insurer then assembles an incident response team to address the situation. However, the subsequent trajectory of the incident response varies based on the effectiveness of collaboration and the preparedness of the organisation.

Challenges in Managing Cyber Incidents:

David Rudduck and Wes Ward elaborate on the hurdles faced while managing cyber incidents:

Lack of Comprehensive IT System Inventory:

A central challenge arises when the incident response team asks for a comprehensive inventory of the organisation's IT systems: servers, databases, network devices and other critical components. Businesses frequently cannot produce this, which delays the response. In the worst cases the asset list itself has been encrypted in the attack and is no longer accessible, so the inventory should be kept in a form the attacker cannot reach, such as an offline or out-of-band copy.

Inadequate Logging and Data Records:

The value of log data, which records activity within an IT environment, becomes apparent during incident response. It is not uncommon for businesses to lack properly configured or comprehensive logging. Default settings often capture too little, or retain it for too short a period, for the response team to reconstruct the incident timeline and the actions of the threat actors.

Compromised Investigation Scene:

One of the most unfortunate situations encountered after a cyber attack is the disturbance of evidence by the organisation's own IT team. In the course of investigating or cleaning up, the team may unintentionally alter or destroy data that would have been crucial in reconstructing the threat actors' actions, for example by rebooting or rebuilding affected machines or overwriting logs. This interference complicates the response and prevents a complete picture from being established.
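The practical defence against a disturbed scene is to fix the state of the artefacts before anyone works on them. The following Python script is an added example and is not code from the article or from the experts quoted in it. It records a SHA-256 manifest of an evidence tree (logs, the asset inventory, anything the responders will need) and later verifies the tree, classifying each file as unchanged, modified, missing or added. The sample files and the simulated clean-up in `demo()` are constructed for illustration.

```python
"""Evidence-integrity manifest.

Hash every artefact before the internal team or responders touch it, store the
manifest (and the manifest's own hash) out of band, then re-verify later so
that any change to the scene is visible rather than silently lost.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large disk images do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Walk `root` and record size and SHA-256 for every regular file."""
    files = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            files[rel] = {"size": path.stat().st_size, "sha256": sha256_file(path)}
    return {
        "root": str(root),
        "created_utc": datetime.now(timezone.utc).isoformat(),
        "files": files,
    }


def verify_manifest(manifest: dict) -> dict:
    """Re-hash the tree and report what changed since the manifest was taken."""
    root = Path(manifest["root"])
    result = {"unchanged": [], "modified": [], "missing": [], "added": []}
    recorded = manifest["files"]
    for rel, rec in recorded.items():
        path = root / rel
        if not path.is_file():
            result["missing"].append(rel)
        elif sha256_file(path) != rec["sha256"]:
            result["modified"].append(rel)
        else:
            result["unchanged"].append(rel)
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            if rel not in recorded:
                result["added"].append(rel)
    result["added"].sort()
    return result


def save_manifest(manifest: dict, dest: Path) -> str:
    """Write the manifest as JSON and return its hash, to be noted in the case record."""
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return sha256_file(dest)


def demo() -> dict:
    """Constructed scenario: hash the scene, then simulate a well-meaning clean-up."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "logs").mkdir()
        # Constructed sample artefacts, not real data.
        (root / "logs" / "auth.log").write_text("2024-01-01T00:00:00Z sample auth line\n")
        (root / "asset-inventory.csv").write_text("host,role\nfs01,file server\n")
        manifest = build_manifest(root)

        # Simulated interference: log truncated, inventory deleted, new file dropped in.
        (root / "logs" / "auth.log").write_text("")
        (root / "asset-inventory.csv").unlink()
        (root / "cleanup-notes.txt").write_text("rebooted fs01\n")
        return verify_manifest(manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it once at first contact with the scene, keep the manifest and its hash somewhere the attacker and the clean-up cannot reach, and run `verify_manifest` before handing artefacts to the response team; the report tells everyone exactly which evidence can still be relied on.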

The Unfavourable Outcome:

As a result of these challenges, businesses often end up in an undesirable position. Without forensically useful data, the organisation cannot definitively rule out unauthorised access or data exfiltration, and that uncertainty alone may oblige it to notify regulators, customers and other stakeholders. Threat actors exploit the same gap through double extortion: in addition to encrypting systems, they claim to have exfiltrated sensitive data and threaten to publish it, and an organisation with no evidence of its own cannot test the claim.


These insights underline how complex managing a cyber incident is. Businesses need to be ready for the questions a response team will ask: what systems exist, what was logged, and whether the evidence has been preserved intact. Maintaining a current asset inventory, configuring comprehensive logging with adequate retention, and following an incident response plan that keeps the scene intact all improve an organisation's ability to limit the impact of an incident and to answer, with evidence, what actually happened.
