Here’s a fact: cyber risk management is a business imperative, not an IT one. And though awareness of cyber risks is growing in Australia, only 50% of Australian big businesses believe they have adequate plans in place to mitigate a cyber security crisis.
Effective cyber risk management is everyone’s responsibility, but it begins at the leadership level. Ensuring that risk managers, board members and C-level executives are aware of the risk exposures is critical for understanding, managing and transferring risk.
But where do you start? How can you help your leaders and colleagues (and yourself) develop a more comprehensive understanding of cyber risk? Your insurance broker should be your first port of call for risk management advice, but these 8 resources for cyber risk management are helpful too.
1. Australian Cybercrime Reporting Network (ACORN)
ACORN is a reporting and referral service for victims of cybercrime, but it’s also a hub for helpful cyber risk management resources. It’s geared towards consumers but the website contains useful information for companies, including:
- statistical reports, published quarterly, which provide a breakdown and analysis of reports received through the ACORN;
- fact sheets and other materials to raise awareness of cybercrime; and
- advice and information about cybercrime and how to prevent it.
2. Assessing Cyber Risk by Deloitte
This free guide by Deloitte is an excellent resource for cyber risk management, especially for companies with a fairly nascent risk management programme.
Published in 2016, the guide contains 10 questions designed to help C-suite level decision makers assess their organisation’s cyber risk maturity level:
“This list of key cyber risk questions and accompanying range of responses should effectively guide organizations in assessing their cyber posture, challenge information security teams to ask the right questions and provide critical information, and help consistently monitor and improve cyber resilience going forward. These questions are designed to help you identify specific strengths and weaknesses, as well as paths to improvement.”
Read and answer the questions here.
3. Australian Signals Directorate (ASD)
The Australian Signals Directorate is an intelligence agency in the Australian Government Department of Defence. In addition to its primary mission, the organisation provides information security advice and services (mainly to federal and state government agencies) and publishes many useful cyber risk management resources including:
- Strategies to Mitigate Cyber Security Incidents, a collection of eight mitigation strategies devised by the ASD ‘to help technical cyber security professionals in all organisations mitigate cyber security incidents.’
- Information Security Manual (ISM), the standard which governs the security of government ICT systems
- Specific guidance for secure cloud computing, enterprise mobility and bring-your-own-device (BYOD) policies.
4. Institute of Risk Management (IRM)
On the IRM website you’ll find thought leadership articles, a cyber risk summary, and reports for risk management practitioners. You can also access a number of cyber risk management resources in the Online Resource Centre, but you’ll need a login and password to access them. The IRM also publishes Enterprise Risk Magazine, a must-read publication which often features editorials about cyber risk.
5. The Australian Cyber Security Centre (ACSC)
The ACSC is a ‘hub for private and public sector collaboration and information-sharing’ designed to help combat cyber security threats. On its website you can report a cyber security incident, read the latest national cyber security news and access the centre’s publications.
Useful publications and cyber risk management resources on the ACSC website include:
- ACSC Threat Report 2016 (you can read a summary of the report’s key findings on our blog)
- 2015 Cyber Security Survey: Major Australian Businesses
6. Scamwatch
Scamwatch is a website run by the Australian Competition and Consumer Commission (ACCC) that provides information to consumers and businesses about known scams – and how to avoid them.
Risk management professionals will benefit from the reports and factsheets published by Scamwatch as well as Scamwatch Radar, a newsletter which delivers email alerts on the latest scams.
7. Australian Securities & Investments Commission (ASIC)
As Australia’s corporate, markets and financial services regulator, ASIC publishes a wealth of material that’s useful for cyber risk management. It regularly publishes articles and advice on issues relating to corporate governance, risk identification and risk management. Some articles are point-in-time statements, but they’re still useful. Here are some highlights:
- Brave New World – How cyber resilient is your business?
- Good practices in cyber risk governance
- Cyber resilience health check
- World Economic Forum and cyber security
- Cyber security and directors
8. The AJG blog
This list wouldn’t be complete without mention of our own blog. We regularly publish helpful articles about topics such as cyber risk management, mandatory data breach reporting, ransomware and mitigating cyber risk. Our quarterly Market Overview Report also contains unique insight into cyber management and risk exposures, and is free to download.
Cyber risk management: a priority for every company
No business, organisation or individual can afford to ignore cyber risk. That’s why it’s important to understand and mitigate risks with a comprehensive cyber risk management plan and the right cyber insurance.
Check out these 8 resources and talk to your insurance broker about your company’s cyber risk maturity. They will help you understand your exposures and help you mitigate cyber risk with the right insurance.
Gallagher provides insurance, risk management and benefits consulting services for clients in response to both known and unknown risk exposures. When providing analysis and recommendations regarding potential insurance coverage, potential claims and/or operational strategy in response to national emergencies (including health crises), we do so from an insurance and/or risk management perspective, and offer broad information about risk mitigation, loss control strategy and potential claim exposures. We have prepared this commentary and other news alerts for general information purposes only and the material is not intended to be, nor should it be interpreted as, legal or client-specific risk management advice. General insurance descriptions contained herein do not include complete insurance policy definitions, terms and/or conditions, and should not be relied on for coverage interpretation. The information may not include current governmental or insurance developments, is provided without knowledge of the individual recipient’s industry or specific business or coverage circumstances, and in no way reflects or promises to provide insurance coverage outcomes that only insurance carriers control.
Insurance brokerage and related services to be provided by Arthur J. Gallagher & Co (Aus) Limited (ABN 34 005 543 920). Australian Financial Services License (AFSL) No. 238312