Quick takes
NZX Director Independence Review update: implications for directors
Changes announced will enhance robustness of governance practices for New Zealand-listed issuers.
Boards, do not let your guard down.
Over the past five years, New Zealand boards have made considerable progress when it comes to cybersecurity.
The conversation has developed from cybersecurity basics, to how organisations can be best positioned to fend off attacks. Instead of crossing fingers and hoping it won’t happen, businesses acknowledge attacks are inevitable and are prepared to return to business as usual in the most orderly, cost-effective and rapid way.
This is laudable, but there is still work to be done. You need to recognise the risks and impacts of cybersecurity across all levels of the business.
By its very nature, cybersecurity is a volatile beast, because bad actors are smart, unpredictable and downright diabolical.
The recent distributed denial of service (DDoS) attack on the NZX stands as a useful case in point for several reasons.
The first is that DDoS attacks are old hat. So much so that it is easy to believe this sort of threat belonged in the past, no longer in the repertoire of modern-day hackers. The newsflash is that, while a relatively unsophisticated attack, neither DDoS nor other simple threats have gone away. They always remain in a hacker’s arsenal and that means continued vigilance.
The next lesson is cautionary. It is not a question of “if” you suffer a cyber breach, but “when”. You have to be prepared – and it is all about how you respond.
You cannot be responsible for the actions of others (hackers) and by now it should be clear there is a good chance a motivated attacker may get into your systems one way or another. You are, however, clearly responsible for your business and the actions of those within it.
This leads to a third lesson, one which I believe boards are busying themselves with now. The NZX DDoS attack was so sustained and so massive, that there was likely very little to nothing the exchange could have done to prevent it. Instead, this attack showed that while being proactive is essential, reacting with speed and agility will always play a vital part in any security strategy.
A successful security strategy encompasses two components. It must establish all potential security risks that could affect a business, along with a clear understanding of the likely impact of a successful attack on a business.
You can never predict the disruption a cyber breach could cause your business. The important part is putting in place mitigatory measures and procedures and ensuring everyone is comfortable with the required response. I hope you never have to, but you do need to be ready to go at any time.
These measures should return your organisation to business as usual in an orderly fashion, with as little disruption as possible.
There is a useful (and perhaps well-worn) analogy in health and safety. Health and safety is a readily-recognised risk on board agendas everywhere. Why? Because a failure is costly, unnecessary, can result in actual injury and can greatly impact a company’s reputation. Therefore, the expectation with health and safety is that there should be no surprises. Your operations should be compliant with all reasonable risks identified and suitably mitigated.
But here is the thing. Despite taking all those measures, health and safety failures still happen because people are people and sometimes things happen that we would prefer did not.
That’s when well-rehearsed mitigation strategies kick off. Because health and safety is so well known, every person in the organisation involved with health and safety knows exactly what, when and how to do it. This is precisely where your board should be with its approach to cybersecurity. The recently enacted Privacy Act is a step towards ensuring boards take cyber security seriously, requiring breaches to be notified and including potential fines. It shows there are consequences for not protecting a business properly.
Know the risks, take all reasonable precautions to prevent them from happening, then have a clear plan in place for remediation when someone gets through the defenses.
Just as with health and safety, you should be able to demonstrate (to shareholders or investigators, if necessary) that every reasonable precaution was taken.
How? Take Target as an example. Since the American retailer was hit by an infamous data breach (which cost it a US$18m fine), it now conducts exhaustive quarterly mock cyber-attacks. These exercises involve everyone, from board members to operations staff, IT personnel, the media team and all executives.
While Target might never suffer another breach on the same scale, it accepts it is possible. If the possibility becomes reality, it knows exactly how to respond.
The fire drill approach is essential. Cyber security is a moving target and the better every business gets at the task, the harder it becomes for the criminals to win.
When your board properly appreciates the threat, you can put in place sufficient measures not only to keep attackers out, but to equip your business for a rapid, orderly response.