Thursday, 21 March 2024

By Tony Vizza and Ian Simpson 

It’s been 10 years since the NIST Cybersecurity Framework (CSF) was updated.

This is a long time when you consider how much the world of cybersecurity, and the sophistication of its criminals, has changed in that period.

Following a lengthy consultation process by the U.S. Government and the National Institute of Standards and Technology (NIST), a new framework has been published, and it represents a significant leap forward in how organisations view and manage cyber risk.

The NIST CSF has become the world’s most popular cybersecurity framework. The five headline words that describe the functions it recommends – identify, protect, detect, respond, and recover – have become taglines in the world of cyber risk management. Now, the latest version of the NIST CSF adds a sixth function – govern – which addresses a critical gap in the earlier version: organisations need responsible, accountable, consulted and informed decision makers, and decisions, to manage their cyber risk.

Recent data breaches in Australia and across the world have increased the pressure on governments, organisations, and companies to enhance their oversight of cybersecurity risks. While NIST’s update to the CSF is a major development, the rise of guidance on cybersecurity risk management from entities such as the Australian Institute of Company Directors (AICD) illustrates the importance of governance in cyber risk management and strategy. By framing governance as a fundamental leadership responsibility, this guidance clearly articulates that cyber risk management begins at the top of the organisational chart.

Failure to take cybersecurity governance seriously can and does have severe consequences for organisations, including reputational damage, financial loss, legal liabilities, and diminished stakeholder trust. Globally, we continue to see regulators in the U.S. and the EU take strong action in matters where cyber risk was not addressed. And Australia is fast catching up.   

Regulators such as ASIC and APRA have made it clear that should a director or board choose not to act on a significant risk such as a cyber risk, they may find themselves liable for a breach of director duties should a cyber incident impact the organisation that they lead. While directors could try to defend against an alleged breach of director duties through mounting a crafty business judgement rule defence, the scale, volume, and depth of information available about the serious business risks of poor cybersecurity leaves directors and boards with few places to hide in relation to care and diligence requirements.    

Boards and executives should take proactive governance measures to integrate the principles of the NIST CSF into their organisations so that cybersecurity risks are better understood and managed. This means taking steps to establish clear cybersecurity risk management strategies, communicating expectations and policies effectively throughout the organisation, and implementing robust monitoring mechanisms. Directors should also ensure that adequate budget, resources and expertise are allocated to cybersecurity initiatives, while seeking to foster a culture of cyber resilience, accountability and transparency at all levels.

After all, cyber risk is just another risk. And every good leader needs to manage business risks.