Cyber Contracts Not Meeting Board Expectations: Kaine Mathrick Tech CEO







Cyber Contracts and Board Expectations in Australia



Bradley Kaine, Kaine Mathrick Tech

Quick Overview

  • Current cybersecurity agreements fail to align with board expectations.
  • Emphasis on cyber resilience and adherence to Australian standards is essential.
  • New regulations necessitate improved incident reporting and response.
  • Entities must align agreements with overarching strategic objectives.

Status of Cyber Contracts

According to Bradley Kaine, CEO of Kaine Mathrick Tech, Australian cybersecurity agreements are not fulfilling the expectations set by boards. Despite the Commonwealth’s introduction of new cyber risk model clauses, numerous entities continue to neglect integrating cyber resilience across all layers of their procurement and vendor management strategies.

Impact of Regulatory Changes

The enactment of the Cyber Security Act 2024 and the mandate for 72-hour ransomware payment reporting serve as key motivators for organisations to reconsider their incident response clauses. However, approaching these adjustments solely as compliance measures could prove harmful. The 2023–2030 Australian Cyber Security Strategy emphasizes the importance of cultivating trust and resilience within a digital economy, urging organisations to regard cybersecurity as a matter of boardroom importance.

Essential Contractual Elements for Cybersecurity

Incident response and recovery play vital roles in cybersecurity agreements. Kaine recommends that organisations incorporate a “Mandatory Incident Disclosure and Cooperation” clause, compelling vendors to promptly alert clients regarding any ransomware incidents, reveal all interactions with extortionists, and fully cooperate in forensic investigations and governmental reports.

Connecting Cybersecurity with Board Expectations

Boards are facing growing scrutiny from regulators, shareholders, and the public to guarantee cyber resilience. A significant number of cybersecurity contracts remain overly fixated on technical controls rather than strategic integration. To close this gap, Kaine proposes a “Board-Level Cyber Risk Reporting and Assurance” clause that requires regular, board-ready updates on cyber security posture, alignment with frameworks such as the ACSC’s Essential Eight, and provisions for third-party assessments.

Conclusion

Australian organisations must reassess their strategies concerning cybersecurity contracts to align with board expectations. Incorporating resilience, synchronizing with strategic objectives, and adhering to recent regulations are crucial steps to ensure that contracts address not only IT issues but also considerations of risk, governance, and accountability.

Q&A

Q: What are the reasons for the inadequacy of current cybersecurity contracts in meeting board expectations?

A: Numerous contracts remain excessively focused on IT aspects and lack the necessary strategic alignment with the board’s objectives related to governance, risk, and resilience.

Q: What should organisations prioritize when evaluating cybersecurity contracts?

A: Organisations ought to concentrate on embedding resilience, executing risk-based evaluations, and ensuring that contracts encompass incident response, data safeguarding, and compliance with Australian standards.

Q: What consequences does the Cyber Security Act 2024 have for contracts?

A: The Act, in conjunction with the Ransomware Payment Reporting Rules 2025, compels organisations to reevaluate their incident response agreements, focusing on legal and reputational factors in addition to compliance.

Q: How can boards ensure their organisation’s readiness against cyber threats?

A: Boards can insist on provisions that mandate vendors to provide regular updates, align with key frameworks, and incorporate measures for audits and incident simulations.
