This year’s survey found that in the prior 12 months, 53% of respondents had participated in a cyber simulation, a significant increase in participation by legal teams compared with previous surveys. However, only 52% of boards had ever participated in a simulation, and just 36% had taken part in one in the last 12 months. The survey found that 18% of boards had never been involved in a simulation, despite encouragement from industry bodies such as the AICD and increasing emphasis from regulators such as ASIC on the importance of incident response testing.
Whittfield noted that simulations are an effective way of engaging boards, particularly those less familiar with cyber risk. “There is usually a ‘Eureka moment’ in these simulations. Board members previously lacking confidence in the subject matter suddenly click into the room, become fully engaged and then we’re off,” he said.
HSF Kramer’s Peter Jones, Partner and telecommunications and financial services expert, highlighted the need to ensure simulations remain “fresh” so that participants do not become complacent. “If you don't actually learn anything from a simulation, then it's not a useful test. A well-developed simulation should stress-test areas that are in need of improvement and encourage participants to engage in some uncomfortable decision-making. Participants should not expect to walk away from a simulation patting themselves on the back,” he said.
Lieutenant General Michelle McGuinness, from Cross Examining Cyber: Conversations on Cyber Law, Episode 14:
“Simulations have evolved significantly. We’re now designing tailored simulations that are plausible and align with an organisation’s sector, functions and specific operations. They also need to test the parameters of people's understanding and how they want to go about managing risk as a part of an integrated enterprise.”
“In addition, the importance of simulations is also being recognised by regulators. There's an expectation, whether it's explicit or implicit, that organisations should be testing incident response plans and undertaking simulation activities, particularly in and around cyber risk and resilience.”
Whittfield noted for listed companies, continuous disclosure obligations were a key topic. “We spend a lot of time with listed company boards, engaging with issues related to trading halts and ASX disclosures as a result of a cyber incident. As recently as twelve months ago, boards would default to a trading halt and disclosure. Now, we are seeing a more considered approach, applying the appropriate legal tests and acknowledging that many cyber incidents are not price sensitive. Each incident must be considered on its facts,” he said.
© Herbert Smith Freehills Kramer 2026