Changes to AICD's guidance on AI
03 December 2024
In a world where artificial intelligence (AI) is rapidly transforming business operations, staying ahead of regulatory and governance updates is critical for directors. The Australian Institute of Company Directors (AICD) and the Cyber Security Cooperative Research Centre (CSCRC) recently updated the Principles we discussed in our previous article. These updates reflect the evolving landscape of AI use, associated risks, and cybersecurity threats.
Below, we outline the key changes and actionable steps for boards to enhance their oversight and risk management.
Key updates
Digital supply chain
Businesses should take into account their third-party relationships, such as SaaS suppliers, when assessing their use of AI. This includes mapping key suppliers and understanding their cyber security controls. It is also important to diversify suppliers and maintain backups of critical systems to build a level of redundancy within your digital supply chain. This approach can help mitigate risks if a third-party provider’s security is compromised in a cyber incident.
Data governance
Effective management of both operational and individual data is critical for protecting against cybersecurity threats. Boards are encouraged to take proactive steps such as:
- Establishing clear and comprehensive policies, procedures and training on how data is collected, used, stored, shared, and destroyed.
- Documenting accountability for data management responsibility.
- Implementing a classification system for different data types.
- Ensuring that security and controls are implemented to allow access only to authorised personnel.
- Maintaining the accuracy, completeness, and currency of the data.
Cyber incident report
The Principle emphasises the importance of a Board considering, in its response, the human impact of a cyber incident on both its employees and customers. By understanding the human impact, businesses will be better positioned to rebuild their reputation and regain trust within the community following a cyber security incident.
Cross references to recent Cyber Security laws
The Principles refer to the need to ensure compliance with the new Cyber Security Legislative Package (discussed here).
Closing thoughts
The update again signals the rapid rate of change in AI usage, along with its associated risks and the need for effective risk management.
Key takeaways for Boards
- Be proactive: regularly review your supplier relationships and cybersecurity frameworks.
- Strengthen policies: ensure you have robust data governance practices in place.
- Prioritise human impact: incorporate considerations for employees and customers into your incident response plans.
- Stay compliant: align your governance practices with evolving cybersecurity legislation.
If you would like more information on how to implement these principles or require assistance in reviewing your AI and cybersecurity frameworks, please don’t hesitate to reach out.