White Paper
Cyber Risk Readiness, Response & Ransom: An Audit Committee Perspective
July 2021

The Institute of Internal Auditors – Australia
Level 7, 133 Castlereagh Street, Sydney NSW 2000 | PO Box A2311, Sydney South NSW 1235
T +61 2 9267 9155 F +61 2 9264 9240 E enquiry@iia.org.au www.iia.org.au
© 2021 - The Institute of Internal Auditors - Australia

Contents
Background 2
- Purpose 2
- Background 2
Discussion 2
- Readiness and Response 2
- Responsibility 4
- Scope of Technology Risks 4
- Cyber Insurance 5
- Cyber Ransom 6
Conclusion 7
- Summary 7
- Five Action Steps 7
- Conclusion 7
Bibliography and References 7
Purpose of White Papers 8
Author’s Biography 8
About the Institute of Internal Auditors–Australia 8
Copyright 9
Disclaimer 9

Background

Purpose
The purpose of this White Paper is to assist and prompt thinking and questioning by Audit and Risk Committees (ARCs) on emerging issues in cyber risk.

Background
Cyber risk is the number one current issue of concern for most ARCs.

To assist ARCs to enquire about how such essential matters are being addressed in their organisation:
› IIA Global has established the ‘IIA Cyber Security Resource Exchange’ which includes a range of tools and support materials including:
  › Guidance on Assessing Cyber Security Risk (GTAG).
  › Cybersecurity Toolkit.
› IIA-Australia has issued guidance including:
  › 20 Critical Questions Series – ‘What Directors should ask about Information and Cyber Security’.
  › Factsheet – ‘ICT Governance and Assurance’.

Other useful guidance to assist ARCs in examining and questioning the cyber risk maturity of their organisation includes, among others:
› Australian Signals Directorate (ASD) ‘Essential Eight’.
› Essential Eight Maturity Model.
› International Standard ISO/IEC 27001:2013 ‘Information security management’ which includes a cyber security toolkit and a cyber risk assessment process.
› Cyber risk frameworks of various public sector jurisdictions such as the NSW ‘Cyber Security Strategy’ (including policy, methodology, cyber security incident emergency plan, cyber risk awareness materials) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

The range of guidance serves multiple purposes and assists:
› Organisations to build and mature their cyber risk strategies.
› ARCs to develop their cyber risk literacy.
› ARCs to question their organisation on what cyber risk standards and frameworks are being applied.

Even so, this area is a fast-moving tide. ARCs are charged with staying abreast of the risk frontier and must be able to make relevant enquiries of their organisations. This White Paper:
› Considers some current angles where existing guidance may be limited.
› Seeks to stimulate thinking and discussion on these emerging issues, rather than providing definitive guidance.

Discussion

Readiness and Response

History
Recent briefings from official sources within Australia suggest that 2021 is seeing two serious trends:
› Significant growth in, and more vigorous forms of, cyber attacks (brute force, spear-phishing, multi-faceted attacks, ransomware, crypto-locker).
› Growth in attacks by ‘organised agents’ (meaning not bored teenagers or IT students experimenting).

As a consequence, predictions are that successful attacks are likely to increase.

Thus far, most ARCs have given significant focus to:
› Questioning the level and nature of cyber risk prevention and mitigation by their organisation.
› Assessing cyber risk maturity of their organisation.
› Reviewing the cyber risk roadmap of their organisation.
› Deploying internal audit and other assurance providers to:
  › Assess, test and provide assurance regarding appropriateness and effectiveness of the organisation’s cyber risk arrangements.
  › Utilise cyber tools to:
    › Test vulnerabilities for third-party data breaches.
    › Test capabilities to continuously monitor vendors.
    › Understand the organisation’s attack surface.

ARCs are then concerned to:
› Monitor progress of further actions identified by those enquiries.
› Monitor the ongoing operation of cyber risk mitigations.
› Monitor the evolving nature and form of cyber risks that relate to their organisation.
› Encourage continuous improvement of their organisation’s approach to cyber risk.

Discussion
Initially, it is quite common and logical for ARCs to focus on the standards, frameworks, artefacts (policies, procedures) and actions (training, implementation plans) put in place by their organisation.

As an ARC tool, internal audits are commonly deployed to test and provide assurance over:
› Effective deployment of implementation plans.
› Substantive effectiveness of cyber risk measures such as domain vulnerability identification, penetration testing and hacking simulation.

In assessing the organisation’s cyber risk readiness, it is important the ARC also give attention to two vital dimensions:
› Condition and effectiveness of soft controls – also often referred to as ‘culture’.
› The organisation’s validated readiness to respond should a cyber-attack succeed.

The Dimension of Soft Controls (Culture)
The IIA places a strong emphasis on soft controls (aka culture) as a key dimension of the control environment.

Hard controls include such elements as organisational structure, assignment of authority and responsibility, standards, policies, procedures and human resources.

Management puts hard controls in place to mitigate identified inherent risks down to acceptable levels of residual risk in line with approved risk appetite.

Soft controls are intangible controls like morale, integrity, ethical climate, empowerment, competencies, openness and shared values.

Hard controls can guide employee behaviour through defined policies and procedures, while soft controls can influence the behaviour of the employees and ensure compliance with procedures.

Soft controls are a vital component of control DNA. They lead to efficient hard controls and help in strengthening hard controls or, if not aligned to desired values and outcomes, can seriously impede and undermine the operation of hard controls.

Soft controls (culture) are so important to an effective control environment that they must be understood, influenced and tested.

With regard to cyber risk mitigation, effectiveness of hard controls relies heavily on the awareness, diligence, maturity and conformance of employees and other relevant agents such as contractors.

ARCs need to ensure testing and assurance of cyber risk arrangements includes careful attention to the effectiveness of the supporting soft controls (culture) in the organisation.

Responding
While efforts to prevent and mitigate cyber risks are essential, as a consequence of predictions that successful cyber-attacks will likely increase, ARCs need to be satisfied that their organisations are sufficiently prepared.

Detailed cyber-attack incident response plans are required. Who will do what, when, and how?

They may be contained within business continuity plans, or as associated plans or sub-plans. These actions will often be required to activate and execute very rapidly in real-time.

Apart from the technical considerations involved, effective management of cyber incidents requires careful and, to the extent reasonably possible, pre-determined communication plans and protocols which cover:
› Advice to the leadership and governance members of the organisation, including relevant political leaders in the public sector.
› Staff, internal stakeholders and contractors.
› External stakeholders including regulators where relevant.
› Data breach reporting obligations as appropriate.
› Customers.
› Suppliers as appropriate.
› The community as appropriate.

Communications have proven to be a particularly important element of managing cyber breaches, which if left unplanned or unmanaged may be a material risk factor.

Responsibility
Another aspect of great importance for ARCs is the clarity for, and effectiveness of, responsibility arrangements. A holistic approach is required for strong cyber resilience but, typically, responsibility is scattered for the various aspects of technology across the organisation. A matrix approach to governing cyber risk management may need consideration.

Scope of Technology Risks

History
The current scope of ‘cyber’ has evolved over an extended period through a range of technology chapters, including among others:
› Technical systems such as building and factory control systems.
› Mainframe computers:
  › central processing.
  › distributed processing.
  › servers, networks and nodes.
› The internet.
› Personal computers.
› Laptop computers.
› Apps.
› Smartphones.
› Tablets.
› Wireless technology.
› Cloud computing.
› The internet-of-things (IoT).

Each technology chapter and advancement provides both opportunity and danger.

Discussion
A great deal of focus has been afforded by organisations and ARCs over many years to risks related to ‘traditional’ aspects of computer technology variously captured by terms such as information and communication technologies (ICT).

Areas where less focus may have been given by some ARCs include the management and mitigation of cyber vulnerability issues for:
› Technical systems such as building and factory control systems.
› Smartphones and tablets.


› Wireless technology.
› Cloud computing.
› Drones.
› The internet-of-things (IoT).
› Artificial intelligence (AI).

Several of these dimensions have now combined; for example, the NSW Government ‘Internet of Things Policy Guidance’ states that:
› IoT is likely to disrupt every aspect of our lives.
› IoT has the potential to deliver significant benefits to government, industry and citizens by generating intelligent data that can enable better decision-making and provide better services.
› Although we have only seen the tip of the iceberg, IoT is already so pervasive that most people do not notice its presence and take for granted the services that it makes possible.
› Many projects may not be recognised as involving IoT such as infrastructure projects like building a bridge or tunnel, but if they have sensors capturing data then they are IoT-enabled projects.
› The true value of IoT lies in the ability of organisations to use the information generated by IoT to gain insights for better decision-making to provide better services.
› IoT is emerging to add value everywhere but there is often a low understanding of how it works and its implications. Rapid growth and the potential of technology is often accompanied by high risk and uncertainty.

In terms of risks, the NSW Government ‘Internet of Things Policy Guidance’ states that challenges in securing IoT devices include:
› IoT devices often lack resources that enable advanced security controls, as they typically have limited processing capacity, memory and power. Manufacturers can be inclined to leave security features out to drive down production costs.
› Often numerous IoT service providers have contributed to the manufacture of IoT devices. These complex supply chains make it difficult to receive software updates. Some components might be discontinued, meaning there is no owner responsible for providing updates.
› The dynamic and evolving nature of IoT means standards and regulation will struggle to keep pace with technology.
› The flow of data from IoT devices can interface to various cloud platforms in both private and public instances which can introduce vulnerabilities.
› Latency issues caused by large amounts of sensors trying to send data to the cloud can, in turn, require an architecture that allows for computing to occur at the edge and not in the cloud. The challenges this creates in enforcing security protocols have been documented.
› It is difficult for security teams to manage risks to and from devices when they are unaware of their existence, as these devices are often installed by non-IT personnel, for example air conditioning systems, lighting systems and building management systems.

The NSW Government ‘Internet of Things Policy Guidance’ refers to the IoT Security Foundation’s (IoTSF) popular ‘IoT Security Compliance Framework’.

ARCs need to explore the extent to which technology has, or will, impact on their organisation and develop an appreciation of the associated cyber risks, in particular:
› Technical systems (building and factory control systems).
› IoT.
› AI.

Cyber Insurance

History
Wikipedia defines Cyber-insurance as:

A specialty lines insurance product intended to protect businesses and individuals providing services for such businesses, from internet-based risks, and more generally from risks relating to information technology infrastructure, information privacy, information governance liability, and activities related thereto. Risks of this nature are typically excluded from traditional commercial general liability policies or at least are not specifically defined in traditional insurance products. Coverage provided by cyber-insurance policies may include first-party coverage against losses such as data destruction, extortion, theft, hacking, and denial of service attacks; liability coverage indemnifying companies for losses to others caused, for example, by errors and omissions, failure to safeguard data, or defamation; and other benefits including regular security-audit, post-incident public relations and investigative expenses, and criminal reward funds.

There is a growing market in cyber insurance, and policies, costs and conditions may vary widely.

Discussion
ARCs will want to enquire if their organisation has:
› Considered and properly examined the business case for cyber insurance.
› Examined cyber insurance policy offerings (scope, conditions, costs) to determine the most appropriate products.
› Determined an appropriate value for coverage.

If an organisation takes out cyber insurance:
› The amount of cover should be sufficient to cover the costs of a full system rebuild if that was necessary, plus additional costs that may flow from a major outage. Such costs can vary a lot depending upon current arrangements. Some cyber insurance policies have fairly low fixed limits which may not be sufficient.
› They must examine and understand claim conditions, especially any culpability clauses; for example, did the organisation’s actions or flawed arrangements, such as failing to apply a software patch promptly, constitute sufficient due diligence?

Cyber Ransom

History
The Australian Cyber Security Centre (ACSC) explains that:
› Ransomware is a type of malicious software (malware).
› When it gets into your device, it makes your computer or its files unusable.
› Cyber criminals use ransomware to deny you access to your files or devices – they then demand you pay them to get back your access and data.
› Ransomware attacks are on the rise in Australia.

Discussion
ARCs will want to question if their organisation has a policy on paying ransom.

Some advisers advocate that paying a ransom is a business decision like any other and should be approached from a business-case perspective. Others, including bodies such as the ACSC and the FBI, advocate against paying ransom.

Interestingly, cyber insurance policies sometimes specifically include aspects such as ransom payments and costs to hire ransom mediators.

It is not an issue that should be left undecided until an event occurs, because then the organisation will be under pressure and reasoned decision-making may be impeded. In considering this issue:
› There is no guarantee paying the ransom will fix your devices.
› It is not purely an operational or cost issue – there are serious reputational aspects.
› There are both stakeholder and legal issues to consider.

With regard to stakeholders and reputational damage, the organisation needs to consider:
› How does this fit with our corporate ethics and our values statements?
› What would our owners and investors think?
› What would our customers think?
› What would our employees think?
› What would our suppliers think?
› What would be the view and reaction of our regulators? For the public sector this would include watchdogs such as the Auditor-General and relevant integrity bodies.

Ethical, reputational and stakeholder aspects aside, would paying such a bribe itself be illegal? The statute law position on this is currently evolving around the world and in the various Australian jurisdictions.


While this White Paper offers no legal advice, the most relevant offences which could apply to Australian organisations, irrespective of the sector in which they operate, are the ‘instrument of crime’ provisions in Division 400 of the ‘Criminal Code Act 1995’ (Commonwealth). Under these provisions it is a serious criminal offence:

If a person deals with money or property where there is a risk that the money or property will become an “instrument of crime” – money or other property is an “instrument of crime” if it is used in the commission of, or used to facilitate the commission of, an indictable offence (Australian or foreign); AND the person making the payment is reckless or negligent as to the fact that there is a risk that the money or property will become an instrument of crime.

There are also anti-money-laundering and counter-terrorism laws that may need to be considered.

If consideration of paying a ransom is permitted under the organisation’s policy, it is essential that:
› The legal position applying at the specific time is fully understood and documented.
› Disclosure requirements are understood and actioned.
› Optional disclosures to staff, stakeholders, customers and the community are carefully considered.

The ACSC recommends that:
› Organisations DO NOT pay a ransom.
› You restore your files from backup and seek advice.

The ACSC provides practical guides for:
› Protecting your organisation against Ransomware attacks.
› What to do if you’re held to ransom.

Conclusion

Summary
Cyber risk is a fast-moving tide and ARCs are charged with staying abreast of the risk frontier to be able to make relevant enquiries of their organisations. This White Paper:
› Considers some current angles where existing guidance may be limited.
› Seeks to stimulate thinking and discussion on these emerging issues.

Conclusion
This White Paper assists ARCs to enquire about their organisation’s:
› Cyber risk control environment.
› Cyber incident response preparedness.
› Scope of technology risks.
› Cyber insurance.
› Cyber ransom policy.

Bibliography and References

Bibliography
GTAG – Assessing Cyber Security Risk, IIA Global
Factsheet – ICT Governance and Assurance, IIA-Australia
The Essential Eight, Australian Cyber Security Centre
International Standard ISO/IEC 27001:2013 Information security management, ISO/IEC
Cybersecurity Framework, National Institute of Standards and Technology (NIST, USA)
NSW Cyber Security Strategy, Digital.NSW
NSW Government Internet of Things Policy Guidelines, Digital.NSW
IoT Security Compliance Framework, IoT Security Foundation

References
GTAG – Assessing Cyber Security Risk: https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG-Assessing-Cybersecurity-The-Three-Lines-Model.aspx
IIA Cyber Security Resource Exchange: https://na.theiia.org/standards-guidance/topics/Pages/Cybersecurity-Resource-Exchange.aspx
ICT Governance and Assurance (Members only): https://iia.org.au/technical-resources/knowledgeitem.aspx?ID=347
The Essential Eight: https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-explained
The Essential Eight Maturity Model: https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model


ISO 27001: international standard ISO/IEC 27001:2013 (ISO 27001)
NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
NSW Cyber Security Strategy: https://www.digital.nsw.gov.au/transformation/cyber-security/cyber-security-strategy
NSW Government’s Internet of Things Policy: https://www.digital.nsw.gov.au/policy/internet-things-iot
IoT Security Compliance Framework: https://www.iotsecurityfoundation.org/iotsf-issues-update-to-popular-iot-security-compliance-framework/
Ransomware Guidance: https://www.cyber.gov.au/ransomware

Purpose of White Papers
A White Paper is a report authored and peer reviewed by experienced practitioners to provide guidance on a particular subject related to governance, risk management or control. It seeks to inform readers about an issue and present ideas and options on how it might be managed. It does not necessarily represent the position or philosophy of the Institute of Internal Auditors–Global and the Institute of Internal Auditors–Australia.

Author’s Biography
This White Paper was written by:
Stephen Horne BBus, GradCertMgtComm, GradCertFraudControl, CertPublicAdmin, PFIIA, CIA, CGAP, CRMA, FGIA, GAICD, MIPAA

As a Non-Executive Director since 2015, Stephen has developed a portfolio of audit committee experience spanning the Commonwealth, NSWG, NSW Local Government and Victorian Local Government sectors, with a diverse range of entity types.

Stephen previously served for 38 years in the NSW public sector, including roles of Assistant Auditor-General for NSW, looking after Performance Audits, and the Chief Executive of the NSW Internal Audit Bureau (IAB), a Government Trading Enterprise undertaking internal audits and misconduct investigations in the State and Local Government jurisdictions.

Stephen was Australian President of the Institute of Internal Auditors 2013–2015; Australia’s delegate on the IIA Global Board 2015–2019, and Global Chair of the IIA Public Sector Guidance Committee 2016–2019. With Bruce Turner AM, in 2020 Stephen co-authored the IIA-Australia publication ‘Effective Internal Auditing in the Public Sector’.

This White Paper was edited by:
Andrew Cox MBA, MEC, GradDipSc, GradCertPA, DipBusAdmin, DipPubAdmin, AssDipAcctg, CertSQM, PFIIA, CIA, CISA, CFE, CGAP, CSQA, MACS Snr, MRMIA
Stephen Coates BCom(Acc), CertSQM, PFIIA, CIA, CISA, CGAP, CRMA, CSQA, JP(Qual)

About the Institute of Internal Auditors–Australia
The Institute of Internal Auditors (IIA) is the global professional association for Internal Auditors, with global headquarters in the USA and affiliated Institutes and Chapters throughout the world including Australia.

As the chief advocate of the Internal Audit profession, the IIA serves as the profession’s international standard-setter, sole provider of globally accepted internal auditing certifications, and principal researcher and educator.

The IIA sets the bar for Internal Audit integrity and professionalism around the world with its ‘International Professional Practices Framework’ (IPPF), a collection of guidance that includes the ‘International Standards for the Professional Practice of Internal Auditing’ and the ‘Code of Ethics’.

The IIA-Australia ensures its members and the profession as a whole are well-represented with decision-makers and influencers, and is extensively represented on a number of global committees and prominent working groups in Australia and internationally.

The IIA was established in 1941 and now has more than 200,000 members from 190 countries with hundreds of local area Chapters. Generally, members work in internal auditing, risk management, governance, internal control, information technology audit, education, and security.


Copyright
This White Paper contains a variety of copyright material.
Some of this is the intellectual property of the author, some
is owned by the Institute of Internal Auditors–Global or the
Institute of Internal Auditors–Australia. Some material is
owned by others which is shown through attribution and
referencing. Some material is in the public domain. Except
for material which is unambiguously and unarguably in
the public domain, only material owned by the Institute of
Internal Auditors–Australia–Global and the Institute of Internal
Auditors–Australia, and so indicated, may be copied, provided
that textual and graphical content are not altered and the
source is acknowledged. The Institute of Internal Auditors–
Australia reserves the right to revoke that permission at any
time. Permission is not given for any commercial use or sale of
the material.

Disclaimer
Whilst the Institute of Internal Auditors–Australia has
attempted to ensure the information in this White Paper is
as accurate as possible, the information is for personal and
educational use only, and is provided in good faith without
any express or implied warranty. There is no guarantee given
to the accuracy or currency of information contained in this
White Paper. The Institute of Internal Auditors–Australia does
not accept responsibility for any loss or damage occasioned
by use of the information contained in this White Paper.
