Security executives have failed miserably to improve their engagement with senior business executives, according to new research that found CISOs continue to operate three levels away from the CEO, on average—threatening board-level shocks as a growing Australian push to ban ransomware insurance threatens to yank away a key risk safety net.
Although 60% of global executives believe security leaders should report directly to the CEO, only 6% actually do so, according to a study by the Ponemon Institute and security vendor LogRhythm assessing security executives’ progress in turning security priorities into business priorities. “Despite respondents having complete ownership or significant influence over an average annual budget of [US$17 million],” the report notes, “most IT security leaders are still not having a direct relationship with the CEO and board of directors.”
And while 55% of organisations said they had suffered a cybersecurity attack in the last two years, the fact that 94% of respondents remain disconnected from the executive suite points to a major gap between theory and action.
The figures come as no surprise to Claire Pales, director of consultancy the Secure Board and co-author, with director Anna Leibel, of a book on the challenges of changing the relationship between security and business executives.
Australian boards not keeping up on cybersecurity
“Australian boards are languishing behind their international peers,” Pales said. “The rapid acceleration of digital transformation efforts catalysed by the COVID-19 pandemic has not been met with a commensurate increase in board expertise in cybersecurity. While businesses become increasingly dependent on digital technologies and tools, cybersecurity awareness at the board level has barely moved.”
Fixing this problem requires change at both the board and CISO levels. “All board members must update their view of corporate risk and accept that cyber risk and resilience are not something that can be delegated to a technical team or ignored,” Pales said. “This doesn’t mean board members need to become technical experts. But it means they need to understand what risks they face and put in place strategies to mitigate them.”
“There is a need for boards to have a greater involvement in corporate cybersecurity and resilience,” Pales said. “But the journey towards that goal won’t be achieved without a shift in attitude, culture, funding, and, potentially, increased intervention by regulators.”
One useful approach is to have dedicated cybersecurity committees that include business executives but are led by cybersecurity experts. They “allow for discussion of cybersecurity matters in a confidential environment, led by someone deemed suitably qualified,” said Gartner research director Sam Olyaei. “Effective CISOs realise that heads of sales, marketing, and business unit leaders are now key partners as the use of technology and, subsequently, the incurrence of risk happens outside of IT.”
Pulling the plug on ransomware support
While boards and executives may be comfortable discussing cybersecurity risk without input from cybersecurity specialists, their complacency could become a real problem as mooted changes to Australia’s regulatory environment threaten a key safety net around the corporate response to ransomware.
With ransomware the biggest cybersecurity threat facing today’s businesses, many boards and C-suite executives have relied on the knowledge that cybersecurity insurers will step in to help cover the cost of ransoms.
Yet with the Australian Cyber Security Centre (ACSC) firm in recommending that businesses not pay ransoms, the Labor Party pushing hard for mandatory reporting of ransomware payments, and, most recently, suggestions that insurance companies could be banned from covering ransomware payments, boards could be in for a shock when that new ransomware infection becomes a multi-million-dollar business liability.
Reliance on cybersecurity insurers to pay ransoms (providing “an accessible and affordable means of risk for insureds,” as risk consultancy MarshMcLennan puts it) has sent Australian premiums skyrocketing, with increases of 15% to 20% reported as company management invests in higher coverage limits and drives “sizeable growth” in the number of Australian cyber insurance policies.
Citing “caution” in the sector, MarshMcLennan notes that many insurers are already capping liability limits and requiring more underwriting information.
A complete ban on covering ransomware payments might bolster the insurance sector’s profitability, but it would be problematic for boards and executives that have grown accustomed to outsourcing their cyber risk.
It would also force a reckoning at the top—where CEOs seem to be getting off lightly when it comes to apportioning blame for historically poor CISO engagement. Although 22% and 15% of respondents to the Ponemon research believe the CEO should be held responsible for data breaches and cyberattacks, respectively, those CEOs were only actually blamed in 12% and 9% of incidents.