Learn@IoD
Cart

Cyber risk: a practical guide 2023

type
Guide
author
By Institute of Directors
date
8 Aug 2023
read time
14 mins to read
code on a computer screen

Cyber risk is like any other business risk and requires board level attention and responsibility. Since the 2021 edition of the Cyber risk practice guide was published, many boards have significantly stepped up their focus on cybersecurity and gained real-life experience preparing and responding to cyber attacks. However, there is obviously more focus needed. In the 2022 IoD/ASB Director Sentiment Survey, just 54% of directors reported their boards regularly discuss cyber risk and are confident their organisations have the capacity to respond to a cyberattack or incident.

It’s important that directors don’t dismiss cybersecurity issues as something that only affects other people – no matter the size of your organisation.

The 2023 edition of the Cyber risk: a practical guide retains five core principles to help boards understand and approach cybersecurity in their organisations. Updates to the guide includes privacy guidance following the 2023 Lattitude Finance event and dealing with cyberhate and misinformation. It also presents new questions for directors to ask management around their cybersecurity policies and settings.

Core principles

There are five core principles for boards in their oversight of cyber risks.

  1. Take a complete approach

    Directors should approach cybersecurity as an enterprise-wide risk issue, not just an IT issue.

  2. Establish an enterprise-wide cyber risk management framework

    Ensure that an enterprise-wide cyber risk management framework is established.

  3. Give cybersecurity regular attention on the agenda

    Cybersecurity needs regular and adequate time on the agenda. Boards should also continue to build their cyber competency and ensure they have access to external expertise.

  4. Understand the legal environment

    It is essential that directors understand their legal responsibilities and the implications of cyber risk relevant to their organisation.

  5. Categorise and address the risks

    Board and management discussion of cyber risks should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.

For further understanding on why boards need to prioritise cybersecurity and the risks of holding on to private data. 

Download the practice guide

Cyber risk: a practical guide

( PDF FILE, 497 KB )

Related content