As a matter of priority, the councils should:

1. integrate the assessment and monitoring of cyber security risks into corporate governance processes by:
   1. implementing clear governance arrangements for cyber security, including a mechanism for regular reporting to management, ARIC and councillors
   2. ensuring the Council’s enterprise risk management framework is being applied to cyber security risks, including through maintaining risk registers
       
2. complete a self-assessment against the foundational requirements in the Cyber Security Guidelines – Local Government and:
   • ensure that the outcomes of the self-assessment are reflected in other relevant documentation including risk registers and insurance documentation
   • report the results to management, ARIC and councillors
      
3. implement a plan and structured program of activities to improve the Council's cyber security that considers and addresses current cyber security maturity, a comprehensive assessment of cyber security risks, and gaps identified in this report and by the Council through implementation of recommendations 1 and 2 above. 

       At a minimum, the plan and program of activities should:

           a) define the Council’s cyber security objectives
           b) set out roles and responsibilities for oversight and implementation
           c) establish implementation timeframes, and processes for regular review and reporting on how cyber security activities and
           controls are supporting risk management
           d) establish a plan to re-assess the Council’s cyber security maturity in the future
           e) establish a regular schedule of testing of the cyber security of systems and the network

4. ensure that the plan and program of activities (recommendation 3) are underpinned by:
   1. a catalogue of all information and systems held by the Council
   2. an assessment of cyber security risks informed by the business value of the information and systems, including for systems used to support important infrastructure services 
   3. consideration of required resources and capability 
   4. a structured program of regular training and awareness activities 
   5. policies and procedures that support staff and third party providers to understand their roles and responsibilities for cyber security 
   6. clearly defined roles and responsibilities and documented risk assessments for third party arrangements
       
5. develop, implement and test a cyber incident response plan.

By June 2024, the Department of Planning, Housing and Infrastructure (Office of Local Government) and Department of Customer Service (Cyber Security NSW) should:

6. implement and maintain a schedule of regular consultation between the agencies to share information on cyber security risks facing the local government sector and identify opportunities for collaboration to: 
   1. highlight the importance of cyber security risk management, including through sharing case studies that demonstrate good practice within local councils 
   2. promote guidance and support available from the NSW Government and other sources that may assist councils to improve their cyber security risk management.

By September 2024, the Department of Planning, Housing and Infrastructure (Office of Local Government) should:

7. update the draft procurement guidelines for local councils to include relevant guidance on identifying and managing cyber security risks in procurement processes and third party arrangements.

By September 2024, Department of Customer Service (Cyber Security NSW) should:

8. implement an annual review of the Cyber Security Guidelines – Local Government (the Guidelines) and related resources. The review should include consideration of: 
   1. updates made to the NSW Cyber Security Policy 
   2. the usefulness, relevance and effectiveness of the Guidelines and related resources based on local councils' feedback.

Cyber security risk management is an increasingly important consideration for governments, entities, regulators and the public. Cyber security comprises measures used to protect the confidentiality, integrity and availability of systems, devices and the information residing on them.

The threat from cyber attacks continues to rise. The Australian Cyber Security Centre (ACSC) in its Annual Cyber Threat Report 2022–23 noted 94,000 cybercrime reports, an increase of 23% on 2021–22. The average cost of each reported cybercrime has increased by 14% from 2021–22. That report noted that 12.9% of incidents reported to the ACSC related to State, Territory and Local Government agencies.

Source: US National Institute of Standards and Technology Glossary.

Common cyber security risks identified by NSW Government agencies in 2021–22 included:

• data breaches relating to unauthorised access to financial reporting applications, data and electronic assets
• failures in preventive and detective controls to safeguard digital assets
• misappropriation of digital assets
• unauthorised access to the IT network
• potential loss of data or inability to access data as required
• IT system failure affecting the agency's primary business
• risks arising from lack of policies and procedures in place related to cyber security.

Inadequate oversight of third parties has been a contributing cause to some major Australian cyber incidents in the past year, with malicious actors exploiting control deficiencies at service providers, and using that to gain access to systems and data. The ACSC Annual Cyber Threat Report (2022–23) states the increasingly complex ICT supply chains and advances in fields like artificial intelligence require a positive cyber security culture across business and the community. The ACSC recommends a focus on cyber supply chain risk management:

Cyber supply chain risk management can be achieved by identifying the cyber supply chain, understanding cyber supply chain risk, setting cyber security expectations, auditing for compliance, and monitoring and improving cyber supply chain security practices.

Source: ACSC Cyber Supply Chain Risk Management, May 2023.

A range of consequences to councils' strategic objectives and operations may stem from a cyber security incident (Exhibit 2).

Councils use various systems and software to manage significant amounts of information and data relevant to corporate and service delivery functions, including sensitive and valuable data about their community and staff.

Increasing use of digital services in local government, including following the COVID-19 pandemic, has resulted in greater volumes and types of information and data being held by councils and an increased dependence on IT systems for council operations and service delivery. The need for local government to be able to effectively identify and manage cyber security risks is therefore more important than ever.

Cyber security incidents can directly impact governments, organisations and the public through compromise and distribution of sensitive personal information, identity theft, denial of service, and data loss. Governments and businesses that experience a cyber security incident may face financial and reputational damage.

In recent years, high profile cyber security incidents have increased community awareness and expectations that information and data is appropriately protected from cyber security incidents.

Source: Audit Office of New South Wales based on publicly available information.

The following NSW Government and the Australian Government agencies provide guidance and support to local councils for cyber security risk management.

NSW Office of Local Government

The Office of Local Government (OLG) is responsible for strengthening the sustainability, performance, integrity, transparency and accountability of the local government sector. It does this through a range of activities including monitoring sector-wide and council-specific risks, issuing guidance, engaging with councils to build capacity and supporting the Minister for Local Government’s discretionary intervention powers under the LG Act.

The OLG was part of the Department of Planning and Environment during this audit. On 1 January 2024, DPE was abolished and the OLG became part of the Department of Planning, Housing and Infrastructure.

Cyber Security NSW

Cyber Security NSW, part of the Department of Customer Service, aims to support NSW Government departments, agencies and local councils in continually improving their cyber resilience, and provide strategic cyber security leadership.

Cyber Security NSW’s Local Government Engagement Plan (2023) states that it is focused on delivering services to support the vision of a cyber-secure NSW Government by:

• delivering products, services and best practice advice and guidance to NSW Government entities, including those in the local government sector
• coordinating whole-of-government cyber security strategies
• leading the NSW Government response to significant cyber security incidents and crises.

Australian Government agencies

The Australian Department of Home Affairs supports the Minister for Cyber Security's development of cyber security policy and implementing the Australian Government cyber security strategy. The National Office of Cyber Security within the Department of Home Affairs was established on 1 May 2023 to support the National Cyber Security Coordinator to lead this work.

The Australian Cyber Security Centre (ACSC), within the Australian Signals Directorate (ASD), leads the Australian Government’s cyber security activities. The ACSC’s services include cyber threat monitoring and publishing alerts, technical advice, advisories and notifications on significant threats. This audit did not examine operations performed by Australian Government agencies.

The NSW Government has not set mandatory cyber security requirements for local councils in legislation or other policy.

However, there is a range of guidance available to councils, including recommended standards set out in the Cyber Security Guidelines – Local Government and the NSW Cyber Security Policy, developed and managed by Cyber Security NSW.

Cyber Security Guidelines – Local Government

In December 2022, the OLG issued the Cyber Security Guidelines – Local Government (the Guidelines). The Guidelines were developed by Cyber Security NSW in consultation with the OLG, following recommendations from the Audit Office of New South Wales that the OLG develop a cyber security policy to ensure cyber security risks over key data and IT assets are appropriately managed across councils, and key data is safeguarded.

Source: Cyber Security Guidelines – Local Government 2022 (December 2022), Introduction.

The Guidelines set out 'foundational requirements' for councils based on the NSW Cyber Security Policy (see Appendix four). This includes implementation of the ACSC Essential Eight Strategies to Mitigate Cyber Security Incidents (Essential Eight).

The ACSC developed the Essential Eight controls to serve as a baseline set of protections for organisations to make it more difficult for adversaries to compromise a system. The ACSC's Essential Eight Maturity Model uses a four-point scale (levels zero to three) to assist organisations to implement the controls in a graduated manner.³ The ACSC periodically updates the model in response to the observed techniques in use by malicious actors.

The Guidelines establish that compliance is 'strongly encouraged' but voluntary. Councils are not required to complete or report on self-assessments of their maturity against the Guidelines. Cyber Security NSW has advised that the Guidelines will be updated in 2024 in accordance with the recent review of the NSW Cyber Security Policy (see below).

NSW Cyber Security Policy

The NSW Cyber Security Policy sets out mandatory requirements for NSW Government agencies.

Each year, NSW Government agencies are required to self-assess against the NSW Cyber Security Policy and report that assessment to Cyber Security NSW.

The NSW Cyber Security Policy is not mandatory for local councils, but Cyber Security NSW recommends its adoption by councils as a foundation of strong cyber security practice.

Cyber Security NSW issued the latest version of the NSW Cyber Security Policy on 19 February 2024 which updates the minimum baseline requirements expected of agencies, and the way in which agencies are required to report to Cyber Security NSW.

Relevant legislative requirements

Privacy legislation

Under New South Wales privacy laws, Councils have legal obligations relating to the security of personal and health information.

Source: Section 12 of the Privacy and Personal Information Protection Act 1998 and clause 5 of Schedule 1 of the Health Records and Information Privacy Act 2002.

Privacy legislation in New South Wales is overseen by the NSW Privacy Commissioner, supported by the NSW Information and Privacy Commission (IPC). The IPC issues resources and guidance to support councils and other relevant entities to understand their privacy obligations, including guidance relevant to cyber security risk management such as data breach guidance and a fact sheet on compliance obligations relevant to Microsoft 365 platforms.

Mandatory data breach notification scheme

From 28 November 2023, local councils are required under the Privacy and Personal Information Protection Act 1998 to notify the NSW Privacy Commissioner and affected individuals of data breaches involving personal or health information likely to result in serious harm.

Prior to 28 November 2023, a voluntary data breach notification scheme was in place.

Australian Security of Critical Infrastructure Act 2018

The Australian Government’s Security of Critical Infrastructure Act 2018 (the SOCI Act) regulates critical infrastructure nationally and provides for mandatory cyber security incident reporting to the ACSC for critical infrastructure assets in certain circumstances. The SOCI Act defines what constitutes a critical infrastructure asset for the purposes of the Act, which includes assets that may be relevant to councils.

The SOCI Act is overseen by the Australian Government’s Cyber and Infrastructure Security Centre, part of the Department of Home Affairs.

Other cyber security risk management guidance and frameworks

Other sources of good practice may inform councils’ approaches to identifying and managing cyber security risks. These include:

• ACSC resources, including guidance on implementing the Essential Eight mitigation strategies from the ACSC’s Strategies to Mitigate Cyber Security Incidents and an Information Security Manual which outlines a cyber security framework that organisations can apply, using their risk management framework, to protect their systems and data from cyber threats.
• US National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity.
• Relevant Australian and International Organization for Standardization standards, including ISO 27001 ‘Information security, cybersecurity and privacy protection– Information security management systems – Requirements’.

In addition to the NSW Cyber Security Policy, these sources were available to local councils to inform their cyber security risk management practices prior to the release of the Guidelines. The Audit Office of New South Wales Local Government 2022 report, published in May 2023, found that some councils had started developing their cyber security plans based on these sources in 2021–22.

3 ACSC webpage on the Essential Eight: Essential Eight | Cyber.gov.au.

The councils selected for this audit were City of Parramatta Council, Singleton Council and Warrumbungle Shire Council.

Source: Audit Office of New South Wales based on internal and publicly available information.

These councils were selected to provide coverage of cyber security risks across different council sizes, characteristics, location, demographics and kinds of services provided – including whether the council manages important infrastructure services.

This audit report has deidentified findings for each council, but the specific findings have been directly shared with each council to enable them to remediate and improve cyber safeguards. The findings and recommendations in this report are likely relevant to most local councils in NSW and they are encouraged to ensure they have sufficient cyber safeguards.

This audit assessed how effectively the selected councils identified and managed cyber security risks from 1 July 2021 to 31 October 2023. The audit assessed this with the following questions:

• Does the council effectively identify and plan for cyber security risks?
• Does the council have controls in place to effectively manage identified cyber security risks?
• Does the council have processes in place to detect, respond to, and recover from cyber security incidents?

The audit focused on council risk management frameworks, processes and practices. Sound risk management processes and practices can assist councils to identify potential system vulnerabilities, reduce the likelihood of an incident occurring, and mitigate the severity of consequences where an incident occurs. These processes do not prevent an incident from occurring.

The audit did not conduct simulated cyber security exercises on the selected councils, or undertake detailed assessment or testing of the effectiveness of specific cyber security controls.

This audit did not assess the effectiveness of responses to cyber security incidents experienced by the selected councils, or the support provided to them during an incident response.

This audit also included Cyber Security NSW within the Department of Customer Service and the OLG within the Department of Planning and Environment (DPE) due to their roles in providing guidance and support to local government. The OLG was part of DPE up to 1 January 2024, when DPE was abolished and the OLG became part of the Department of Planning, Housing and Infrastructure.

Ineffective identification of cyber security risks can leave councils exposed to unmanaged risks which can lead to unnecessary costs, disruptions to services and reputational risk.

Two of the three councils identify cyber security as a strategic risk, but gaps in risk management processes across all three councils limit effective risk management

Obtaining an effective understanding of strategic and operational risks requires robust and documented risk assessments, determining a risk appetite, identifying mitigating actions, and clear timeframes and accountabilities for addressing the risks.

Council A has not undertaken a risk assessment to identify and assess cyber security risks to the Council and has significant gaps in its risk management approach. Council A did not have an enterprise risk management policy and framework until April 2023. The Council has not ensured that important elements of the risk management framework have been implemented in a timely way, including developing and finalising its enterprise risk register, and maintaining operational risk registers to apply the Council's risk appetite to strategic and operational risks.

Council B identifies cyber security as a risk in its strategic risk register, but listed controls refer to activities that are not being implemented in practice. The Council did not have an approved risk appetite statement throughout the audit period and therefore could not demonstrate whether risks were being managed within its risk appetite. Council B adopted a new enterprise risk management policy and risk appetite in December 2023. The Council did not effectively maintain operational risk registers to identify and manage cyber security risks (see Chapter 2.3).

Council C's strategic risk register identifies cyber security as a risk to its information and systems. The Council reviewed its risk appetite in February 2023 and defined its risk appetite in relation to technology and systems. Although Council C identifies a cyber-attack as a potential cause of risk in operational risk registers for most business units across the Council, some relevant risk registers have gaps such as controls not identified, risk ownership not defined, and some 'existing' controls are not in place.

None of the councils have assessed the business value of their information and systems to inform cyber security risk identification and management

To effectively identify and manage cyber security risks, councils need to understand the information and systems being used across their corporate and service delivery functions. This should include an assessment of the business value of the information and systems by considering how their availability, integrity, confidentiality, and reliability may be affected during or after a cyber security incident.

None of the councils have compiled a comprehensive list of the types of information and data they collect and store, or the systems and applications they use to collect and store information and data to inform cyber security risk assessments. Nor have they classified the business value or operational importance of their information and systems. This limits their ability to prioritise their activities to ensure that their most valuable information and systems are adequately safeguarded and secure.

None of the councils have identified and assigned responsibility for cyber security risks in relation to all core systems

The three councils use various IT systems and assets, including some supplied and managed by third party providers, to support their corporate and service delivery functions.

None of the councils have ensured that they have identified cyber security risks and assigned relevant risk management responsibilities for all core systems relevant to their corporate and service delivery functions, including systems used to manage important infrastructure services.

This has resulted in gaps in the coverage of the councils' cyber security activities and controls, and unclear cyber security risk management roles and responsibilities between council staff and third party IT providers which manage some of these systems. This may expose the councils to unknown or unmanaged vulnerabilities. See Chapter 2.3 for further findings on managing third party risks.

Councils should develop, implement and maintain a cyber security plan to ensure cyber security risks to their information systems and IT assets are appropriately managed and key data is safeguarded.

Building effective cyber resilience requires leadership and committed executive management, along with dedicated resourcing to build improvements in cyber security and culture.

Two of the three councils do not have a formal plan to improve their cyber security

Having a formal cyber security plan or strategy can support an entity to clearly understand and monitor its priorities and apply a systematic and strategic approach to the identification and management of cyber security risks.

Council A has not reviewed or assessed its cyber security capabilities to inform its approach to cyber security risk management. Council A started developing an IT strategy in 2020, but did not yet have a final and approved strategy by the end of the audit period. The most recent draft strategy (October 2022) referred to data security as a high risk to the Council but did not set out how the Council would address this risk. Council A advised in October 2023 that it intended to self-assess its maturity against the ACSC Essential Eight by December 2023. However, it has no structured plan for the completion of this self-assessment, such as by identifying the resources and expertise it requires to complete the self-assessment.

Council B does not have an approved plan to support improvements in its cyber security maturity. The Council assessed it had a low level of maturity against the ACSC’s Essential Eight in July 2021, but the process and evidence behind this assessment were not clearly documented. The Council reported updates on an 'IT Cyber Security Program' in September and October 2022. However, it could not produce evidence of an approved plan or a strategic and structured approach to improving its cyber security maturity during the audit period. The Council advised in October 2023 that it intends to develop a plan to improve its cyber security.

Council C developed an IT strategy in August 2022 which includes ‘Information Security’ as one of four strategic priorities and set out key improvement initiatives in a cyber security roadmap. The roadmap sets out the Council's plan to address gaps identified and recommendations made by a third party provider and Cyber Security NSW in reviews of the Council's cyber security maturity and controls in 2021 and 2022. The Council’s 2022–23 and 2023–24 operational plans include a deliverable of continual review and enhancement of cyber security capabilities linked to implementation of the roadmap.

Two of the three councils have not assessed the adequacy of cyber security resourcing and expertise to support effective cyber security risk management

Each NSW council has a unique resourcing profile in terms of their staffing, as well as their income and expenditure. This was reflected in the resourcing of cyber security activities across the selected councils.

Councils B and C have an IT team with cyber security responsibilities and also use third party systems and services to varying degrees. Council A does not have any staff with IT or cyber security roles and responsibilities and relies on third party arrangements, including a managed service provider arrangement with another NSW council, to manage its IT network and infrastructure.

Councils A and C have not undertaken workforce planning to identify the cyber security expertise, systems, processes or services required (internally and externally) to meet their desired level of cyber security maturity based on an assessment of the council's operating environment, cyber security risks and risk appetite. This creates challenges for the councils to demonstrate that they are effectively planning for and managing cyber security risks. For example:

• Council A has not ensured that cyber security roles and responsibilities for its managed service provider and other third party IT providers are defined and understood to ensure accountability for identifying and managing cyber security risks.
• Council C advised that limited resourcing is a factor in its ability to meet targets under its cyber security roadmap because relevant staff also have broader IT responsibilities. The Council’s IT strategy also identifies resourcing gaps within its IT operations. However, the Council has not formally assessed the cyber security expertise and resources it requires to deliver its cyber security roadmap.

Council B dedicates resources and budget to cyber security activities and restructured its IT team in 2023 to reflect an increased use of third party arrangements. However, gaps in its record keeping and planning documentation limit accountability and transparency around how resource allocation is contributing to improved cyber security within the Council. For example, the Council lacked documentation to demonstrate that the engagement of a cyber security expert between March 2021 and November 2022 contributed to improving the Council's cyber security resilience.

None of the councils have implemented effective governance arrangements to ensure accountability for managing cyber security risks

None of the councils have effective governance arrangements to ensure accountability for cyber security risk management, planning and reporting during the audit period. This limits executive oversight of cyber security risks and the measures being taken to manage those risks.

Council A introduced a process for quarterly reporting to its executive leadership team on IT security in around 2021, but this formal reporting only occurred once in 2021. The Council provided updates on cyber security activities at executive leadership team meetings in May and August 2023, but did not have a mechanism for regularly reporting on cyber security risks. The Council advised in October 2023 that cyber security quarterly reports would be provided to its executive leadership team.

Council B regularly reported on IT activities, including cyber security updates and risk reports, to its executive leadership team between September 2021 and November 2022. However, the Council does not maintain records of relevant executive leadership team meetings and therefore cannot demonstrate how these reports were considered and related outcomes.

Council C developed a mechanism to track the progress of actions in the cyber security roadmap under its IT strategy, but has not yet implemented roles and responsibilities to oversee the strategy and roadmap to ensure accountability for its delivery. The Council has not regularly reported progress of the implementation of its roadmap to its executive leadership team. The Council advised in December 2023 that it intends to use its corporate reporting system to improve executive leadership team visibility of actions in the roadmap.

In 2023, Councils B and C each developed terms of reference for committees to improve corporate and executive oversight of their IT and cyber security activities. These committees were yet to be established and commence meetings at the end of the audit period in October 2023. These committees present an opportunity for the councils to improve executive-level accountability for timely and effective cyber security risk management, planning and reporting.

All three councils' reporting on cyber security to their ARICs lacked a consistent and risk-focused approach

The councils' reporting on cyber security activities to their ARIC during the audit period varied in frequency and content. None of the councils have developed a consistent and risk-focused approach to reporting to support their ARIC's role in reviewing risk management relevant to the council’s operations.

Council A’s ARIC requested in November 2022 that the Council develop a management mechanism for regular reporting on cyber security. Only one instance of such reporting occurred over the audit period. Council A advised in October 2023 that cyber security had been added as a standing item on the ARIC meeting agenda.

Council B included some information on cyber security controls implementation and effectiveness in reports to its ARIC during the audit period. However, these reports did not follow a consistent approach to assessing, monitoring and reporting the effectiveness of cyber security controls, and the Council has not documented how it implemented actions to address identified control weaknesses or gaps. Discussions and requests were recorded in ARIC meeting minutes. However, Council B does not have a process to monitor and report on the implementation of requests made by the ARIC relevant to cyber security. The Council did not provide evidence that ARIC requests from 2022 had been addressed.

Council C provided regular cyber security updates to its ARIC during the audit period, including progress updates on the implementation of its roadmap, but did not link relevant actions to the mitigation of identified cyber security or operational risks. This limits accountability for whether the prioritisation of activities under the roadmap is supporting the Council to manage cyber security risks.

Management of cyber security risks should be proportionate to, and situated within the context of, the council's risk appetite, resources and governance arrangements.

Gaps in the framework for managing cyber security, and failures to implement prevention strategies can increase councils' exposure to cyber threats.

None of the councils have effective cyber security policies and procedures

All three councils each have a cyber security policy, but the audit identified gaps and issues with their policies and related procedures that limit their usefulness to support effective cyber security risk management.

Key gaps and issues identified include:

• high level cyber security policy expectations are defined but not supported by procedures and processes to support staff implementation (all three councils)
• lack of clearly assigned responsibilities for core cyber security functions (all three councils) including:
  • managing cyber security risks
  • identifying, implementing and monitoring the effectiveness of cyber security controls information and system backups
  • monitoring systems to detect and respond to cyber security incidents and events
• policies and procedures assign roles and responsibilities, but these are not being implemented in practice (Council A)
• policy had not been recently reviewed (Council B)
• lack of procedures to define expectations for documenting controls implementation and monitoring (all three councils)
• third party roles and responsibilities not defined (all three councils).

Council B was in the process of developing new policies and procedures during the audit period and advised that these were being implemented in October 2023.

None of the councils have a clear and consistent approach to monitoring the effectiveness of controls to mitigate identified cyber security risks

None of the councils were able to demonstrate that they were effectively monitoring the implementation of cyber security controls to manage cyber security risks.

Council A advises that it relies on third parties, including its managed service provider, to implement cyber security controls on its behalf such as multi-factor authentication, endpoint protection, and patching applications and systems. However, the Council has no processes to oversee and obtain evidence of the implementation of cyber security controls on its behalf. Some of the Council's statements about controls or practices in place (for example in insurance documentation) were not supported by evidence. Gaps in a council's self-assessment of the state of their cyber resilience and controls implementation may undermine effective decision making and risk management in responding to cyber risks.⁴

Council B used IT-specific risk registers between September 2021 and May 2022 to report on IT risks and related controls, including some relevant to cyber security. However, without an approved risk appetite statement, or an approved cyber security plan or strategy, it is unclear whether the Council was managing risks within its risk appetite and consistent with the Council's security objectives. Council B has not provided evidence that it has used IT or cyber-specific risk registers to identify, manage and report on cyber security risks since May 2022, and has not implemented an alternative mechanism to ensure it is taking a risk-based approach to prioritising its cyber security controls implementation.

Council C is implementing cyber security controls through its cyber security roadmap. In August 2023, the Council reported that it had completed ten of the 27 actions under the roadmap, including six actions identified as a high priority and actions relevant to Essential Eight mitigation strategies for patching applications, configuring macros, application hardening and patching operating systems. The Council's risk registers identify cyber-attack as a risk to its operations across various business units, but the Council does not clearly link its actions under the roadmap to the mitigation of cyber security risks.

None of the councils are ensuring timely, risk-based responses to recommendations to address weaknesses and vulnerabilities in their cyber security controls

None of the councils have processes to ensure that recommendations from internal and external reviews that identified weaknesses or vulnerabilities in their cyber security controls are assessed and implemented in a timely, risk-based manner.

Examples of the councils not ensuring a timely and risk-based approach include:

• Council A has not yet developed an IT security risk assessment process, despite a recommendation that this be done in Audit Office financial audit management letters since 2016–17.
• Council B assessed its cyber security maturity as low in 2021 but provided limited evidence of progress to address identified weaknesses. The Council has advised that it has been reviewing and updating cyber security controls to address gaps and improve effectiveness since November 2022, including through external reviews of its network and operating environment. In October 2023, the Council provided a 'remediation action plan' which outlines actions relevant to implementation of recommendations made in cyber-related reviews of the Council's network and operating environment.
• Council C monitors timeframes for implementing cyber security controls recommended in external reviews under its roadmap, but timeframes have been extended without clearly documenting reasons for delay or assessing risks caused by failure to meet target timeframes.

All three councils could improve their record-keeping and reporting on actions taken to address relevant recommendations.

All three councils are not effectively identifying or managing third party cyber security risks

As discussed in Chapter 2.1, the three councils each engage third party providers to varying degrees to provide IT and cyber security systems and services to support their service delivery and corporate functions. None of the councils have processes to ensure that cyber security risks relating to third party engagements are being identified and managed.

All three councils do not include guidance on cyber security risk assessments in their procurement policies and procedures. The procurement policy and guidance in Councils B and C note the importance of identifying and managing risks in procurement, but do not make specific reference to cyber security risks. Council A's procurement policy does not define procurement procedures or provide guidance on managing risks, including cyber security related risks, relevant to third party arrangements. None of the councils have provided evidence of risk assessments being undertaken for third party engagements relevant to cyber security.

All three councils did not ensure the following steps were undertaken and documented for each third party IT provider:

• defining cyber security expectations, roles and responsibilities in contracts and agreements
• checking the cyber security qualifications and certifications of third party providers
• assessing and documenting the risk management and controls of third parties
• seeking assurance to ensure cyber security expectations were being met.

The lack of clearly defined roles and responsibilities relating to cyber security for the councils and their third party providers reduces the likelihood that the councils' cyber security risks are being managed. It also limits the councils' ability to hold third party providers to account if their cyber-related service provision is not consistent with the councils’ expectations.

Two of the three councils required all staff to complete cyber security training, but all three councils lacked a plan for regular cyber security training during the audit period

Cyber Security NSW reported in 2022 that people continue to play a large part in cyber security incidents and data breaches, with 82% of all breaches involving the use of stolen credentials, phishing or simply an error. Regular cyber security awareness training can ensure staff remain up-to-date on the types of cyber security attacks they should be alert to, and ensure that staff know what to do if they are involved in an incident.

Councils A and C required all staff to complete mandatory cyber security training during the audit period, but had not implemented a regular schedule of training.

• Council A introduced mandatory cyber security training for staff in May 2023. In October 2023, the Council advised that this training had been included in its staff induction program and that it will implement mandatory, annual cyber security training for all staff from 2024. The Council provided no cyber security training to staff until May 2023.
• Council C introduced mandatory cyber security training for staff in 2022 and for its councillors in 2023. However, the Council has not yet developed a regular or planned schedule of cyber security training.

Council B did not require all staff to complete cyber security training during the audit period, and only a small number of staff completed optional training. Council B implemented a mandatory program of regular cyber security training in October 2023.

⁴ The Audit Office of NSW's performance audit report on Compliance with the NSW Cyber Security Policy (2021) includes further discussion of risks relating to inaccurate self-assessments.

The ACSC defines a 'cyber incident' as an unwanted or unexpected cyber security event, or a series of such events, that have a significant probability of compromising business operations.

Cyber security incidents have the potential to damage the council concerned and spread to and impact other entities.

All three councils use third party tools to monitor for cyber incidents, but have not ensured that relevant roles and responsibilities are well defined and documented

Councils should ensure that their ICT systems and assets are monitored to identify cyber security events and verify the effectiveness of protective measures.

All three councils use third party tools to monitor for cyber incidents and events. However, the councils have not clearly defined the scope of their monitoring and detection activities, or the roles and responsibilities of council staff and third parties in monitoring and detecting incidents. This limits the councils' ability to demonstrate that these activities are effectively mitigating cyber security risks.

Council C's risk registers identified testing and monitoring of systems as partially effective controls against risks relevant to cyber security, but the Council had not documented the relevant testing and monitoring mechanisms, or how they were being used to mitigate risks across its various systems. Councils A and B do not assess the adequacy of monitoring and detection activities in risk management documentation.

All three councils tested their network resilience during the audit period, but do not have processes to ensure vulnerabilities are identified and managed effectively

All three councils do not have processes to ensure a timely and risk-based approach to identifying and managing vulnerabilities in their systems and networks.

All three councils receive vulnerability scanning reports and alerts from Cyber Security NSW, but roles and responsibilities for actioning these are not clearly defined.

All three councils each engaged a third party to test their network resilience during the audit period, which resulted in recommended actions for the councils to take to improve relevant cyber security controls. The three councils advised their ARIC of the outcome of the testing and the steps being taken to address the recommendations, but lacked clear processes to track and record activities to demonstrate the timely mitigation of identified risks. Council C has not considered and actioned a suggestion by its ARIC that further testing may be appropriate.

None of the councils have a formal plan for future testing of their systems or network.

None of the councils have a cyber incident response plan to ensure an effective response to and prompt recovery from cyber incidents

None of the councils have a cyber incident response plan. According to the ACSC:

All organisations should have a cyber incident response plan to ensure an effective response and prompt recovery in the event security controls don’t prevent an incident occurring. This plan should be tested and regularly reviewed.

To be effective, a cyber incident response plan should align with the organisation's incident, emergency, crisis and business continuity arrangements, as well as jurisdictional and national cyber and emergency arrangements. It should support personnel to fulfill their roles by outlining their responsibilities and all legal and regulatory obligations.

Source: ACSC Cyber Incident Response Plan Guidance.

Council A advised that it relies on its managed service provider for incident response and recovery, but has not formally established relevant roles and responsibilities for managing and reporting on cyber security incidents in the managed service agreement or other documentation.

Councils B and C advised that their IT or corporate incident management processes apply to cyber security incidents. However, these processes do not define expectations, roles and responsibilities specific to cyber security incidents.

Council B was developing new cyber security policies during the audit period, including a policy specific to cyber security incidents.

Council C advised that it did not intend to develop a specific cyber incident response plan in addition to its business continuity plan and data breach policy. Although these documents are relevant to the Council's cyber incident response processes, they do not serve the same purpose as a cyber incident response plan.

None of the councils have up to date business continuity and disaster recovery planning documentation that includes cyber security

Cyber security should be included in business continuity and disaster recovery planning. The three councils do not have up to date business continuity and disaster recovery planning documentation. Two of the councils include cyber security in relevant documentation.

Council A's business continuity plan was last updated in 2015 and does not set out actions, roles and responsibilities in the event of a cyber security incident. The Council's managed service provider started to draft an IT disaster recovery plan in 2019 but this was not finalised and approved.

Council B’s 2022 business continuity plan includes some guidance on responding to a cyber attack, but gaps in the plan limit its utility in guiding an incident response. The plan is under review, and related plans and policies are not in place or up to date. An internal audit found a lack of a disaster recovery plan or testing program was a significant risk for the Council and the Council was updating its IT disaster recovery arrangements in 2023. By the end of the audit period, the Council had not yet addressed all recommendations made in the internal audit, including development of a disaster recovery plan that defines all critical systems, roles and responsibilities.

Council C’s business continuity plan and related sub plans include processes for responding to cyber security incidents. However, there were some gaps in these documents, which do not clearly define roles, responsibilities and expectations for responding to and reporting on cyber security incidents. Council C's disaster recovery procedure was last reviewed in May 2021 and does not reflect current disaster recovery arrangements which were being updated in 2023. Council C’s roadmap and internal audit plan include items relevant to reviewing, updating and testing its IT disaster recovery and business continuity arrangements in 2023–24 and 2024–25.

None of the councils have clearly defined expectations for reporting cyber security incidents

Knowing who to notify about a cyber security incident is important so the right people can be involved at the right time to mitigate damage, and ensure councils comply with reporting requirements.

All three councils have not clearly defined processes and expectations for reporting cyber security incidents to ensure council staff understand what types of incidents should be reported and to whom, and that the council is effectively managing relevant business and operational risks.

All three councils do not maintain a register of cyber incidents to record information about the sources and types of incidents experienced and relevant responses

All three councils do not implement clear and consistent processes to record information about cyber security incidents that enable the council to track the sources and types of incidents experienced, and demonstrate the remediation actions taken, including whether the incidents were reported (internally or externally) and whether there was any post-incident evaluation to review the effectiveness of controls or the council's response.

Councils A and B did not have a cyber incident register or similar process to record cyber security incidents during the audit period. In December 2023, Council A advised it had developed a cyber incident register.

Council C provided a copy of a cyber security incident register, but the register only recorded one incident which occurred in 2021 and did not include other incidents that the Council advised had occurred since then. Council C advised that cyber security incidents are recorded in its corporate incident management system, but it has not defined what types of incidents should be reported and to whom to ensure a consistent and effective approach.

Two of the three councils developed policies to reflect the requirements of the new mandatory notification of data breach scheme in 2023

On 28 November 2023, amendments to the Privacy and Personal Information Protection Act 1998 came into effect which require local councils to notify the NSW Privacy Commissioner and affected individuals of data breaches involving personal or health information likely to result in serious harm.

Councils are also required to satisfy other data management requirements, including to maintain an internal data breach incident register, and have a publicly accessible data breach policy.

Councils A and C developed data breach policies in 2023 to reflect the new requirements under the mandatory notification of data breach scheme.

Council B did not ensure it was ready to comply with the new requirements. Council B’s Privacy Management Policy and Plan were last updated in December 2022. Council B advised in December 2023 that it intends to develop a data breach policy and consider how it will comply with the mandatory notification of data breach scheme by June 2024.

The NSW Government issued cyber security guidelines specific to the local government sector in December 2022

Since 2020, Audit Office reports on the results of the local government sector financial statements have identified that councils need to strengthen their cyber security. Gaps identified in councils’ basic governance and internal controls to manage cybersecurity include councils not having a cyber security framework.

The Audit Office’s Report on Local Government 2019 recommended that the OLG develop a cyber security policy by 30 June 2021 to ensure cyber security risks over key data and IT assets are appropriately managed across councils, and key data is safeguarded.

Up to December 2022, there was no cyber security policy or guidelines specific to local councils. However, since 2019, Cyber Security NSW has recommended that councils adopt the NSW Cyber Security Policy, which sets out mandatory requirements for NSW Government departments and Public Service agencies. It is not mandatory for local councils.

The OLG advised Cyber Security NSW in late 2020 that voluntary guidelines would be more appropriate for the local government sector.
Between early 2021 and December 2022, Cyber Security NSW developed guidelines for the local government sector in consultation with the OLG and the local government sector.

The Cyber Security Guidelines – Local Government (the Guidelines) were issued to the sector via an OLG circular in December 2022.

The NSW Government recommends that councils implement the Guidelines, but could do more to monitor whether the Guidelines are enabling better cyber security risk management in the sector

The Guidelines outline cyber security standards recommended for NSW local government by Cyber Security NSW. Compliance with the Guidelines is voluntary, but strongly encouraged. In summary, the Guidelines:

• are designed to be read by General Managers, Chief Information Officers, Chief Information Security Officers (or equivalent) and Audit and Risk teams
• state that the Guidelines should form the basis of an internally developed cyber security policy for individual councils
• list requirements focused on enhancing planning and governance, developing a cyber security culture, safeguarding information and systems, strengthening resilience against attacks and improved reporting
• recommend that councils implement the ACSC Essential Eight mitigation strategies as a baseline.

The Guidelines also refer to self-assessment templates developed by Cyber Security NSW that councils can use to understand their level of cyber security maturity, and track progress against the foundational requirements and Essential Eight mitigation strategies.

Councils are not required to report their progress in implementing the Guidelines to Cyber Security NSW or the OLG.

The Audit Office’s Local Government 2023 report, tabled in March 2024, recommends that all councils should prioritise planning and governing cyber security to ensure cyber security risks over key data and IT assets are appropriately managed and key data is safeguarded. It states councils should refer to the Guidelines in fulfilling this recommendation.

While the roles of Cyber Security NSW and the OLG involve identifying and responding to specific sector risks, neither is monitoring the uptake of the Guidelines by local councils to identify whether they are enabling better cyber security risk management. Cyber Security NSW and the OLG have advised that they are not resourced to undertake such monitoring. This audit has not included detailed assessment of the resourcing of Cyber Security NSW or the OLG.⁵

Cyber Security NSW's Local Government Engagement Plan (November 2023) states that Cyber Security NSW will annually update the Guidelines in line with reviews of the NSW Cyber Security Policy and feedback from the OLG, Local Government NSW and local government entities.

Cyber Security NSW encourages councils to report cyber security incidents to Cyber Security NSW

The Cyber Security Guidelines – Local Government include a foundational requirement for councils to report cyber security incidents to their Chief Information Security Officer and/or Cyber Security NSW.

Cyber Security NSW advised that cyber security incident reporting is important because risks within some incidents may apply to other councils or government agencies, and that they encourage councils to report through existing channels of engagement with councils (see below on Cyber Security NSW's Local Government Engagement Plan).
This audit has found that the selected councils did not have procedures in place to define when cyber security incidents should be reported to Cyber Security NSW, although some councils did report incidents to Cyber Security NSW during the audit period.

⁵ The Audit Office of New South Wales considered the resourcing of Cyber Security NSW and the OLG in performance audits tabled in 2023: Cyber Security NSW: governance, roles, and responsibilities (February 2023) and Regulation and monitoring of local government (May 2023).

Cyber security poses a risk to councils and their communities, and it is a matter for each council to identify relevant business and operational risks and determine how to manage these risks.

Cyber Security NSW and the OLG have a role to engage with the sector to understand the extent and nature of these risks to ensure the support they provide to councils is tailored and proportionate to the risk context.

Cyber Security NSW provides a range of services to support local councils to strengthen their cyber security

Cyber Security NSW has no formal authority to mandate cyber security requirements for local councils but has a remit to assist local government to improve cyber resilience. Cyber Security NSW provides initiatives to strengthen councils’ cyber security and assist with uplift.

Cyber Security NSW published a Service Catalogue in February 2023 which sets out the range of products, services and guidance available to NSW Government entities, including local councils. Cyber Security NSW does not charge for these services. Key products and services listed in the Service Catalogue include security assessments, awareness and training, advice and guidance, threat intelligence and incident response through advice and assistance on triage and containment. Each of the selected councils had some engagement with Cyber Security NSW during the audit period, but the scope of engagement varied from council to council, which is consistent with Cyber Security NSW's services being opt-in.

Cyber Security NSW also published its Local Government Engagement Plan in 2023 which outlines its methods of engagement with local government entities and the services that it provides. The Plan states ‘Services offered by Cyber Security NSW will be prioritised on an as-needed basis. In consultation with local government entities, the plan states that Cyber Security NSW will assess risk and help determine what entities are most in need of support and which services will be most beneficial’.

NSW Government agencies are planning to do more to coordinate key messages, advice and expected maturity levels for local councils

Cyber Security NSW and the OLG advised that the focus of their engagement in relation to the local government sector during the audit period was to develop the Cyber Security Guidelines – Local Government and implement the DMARC email authentication solution to better protect councils' internet domains.⁶

Cyber Security NSW and the OLG did not have a mechanism for regularly sharing information about cyber security risks within the local government sector or to ensure that their roles and responsibilities and actions relevant to cyber security management were coordinated and complementary to support improved sector awareness and resilience.

Cyber Security NSW's Local Government Engagement Plan was updated in November 2023 to include information about its approach to stakeholder collaboration to support a cyber secure NSW Government, including through engagement with the OLG. The Plan states that Cyber Security NSW has established a schedule of engagement with the OLG to ensure their input into local government sector cyber security uplift. This will include the commencement of quarterly Executive meetings in 2024 and a series of webinars on thematic areas such as risk management and incident response, to complement Cyber Security NSW's Local Councils Forum.⁷

The OLG is developing procurement guidelines for local councils, but the draft guidelines do not include guidance on managing third party cyber security risks

Managing third party risks is an important element of cyber security management. Councils use third parties to provide systems, software and services to support their IT infrastructure. Councils also use third parties for cyber security management activities such as monitoring vulnerabilities, scanning for unusual activity and endpoint protection.

Third party engagement brings additional risks since councils remain accountable for ensuring that their information and systems are adequately protected even when relying on third parties. Councils should consider such risks during procurement and third party engagement processes.

The OLG has not updated its procurement guidelines for local government since 2009.

An Audit Office performance audit on procurement management in local government in December 2020 recommended that by June 2022, the OLG8 should publish comprehensive and updated guidance on effective procurement. The OLG accepted this recommendation but did not meet the timeframe for implementation. At October 2023, the new guidelines were still in draft. The draft guidelines do not provide specific guidance on managing cyber security risks in the procurement process. However, they include general guidance which may be relevant to councils when engaging with third parties for ICT and cyber security services, such as on risk management, supplier due diligence and unsolicited proposals.

^{6 See Appendix 2 – Glossary for definition of DMARC.
7 The Local Councils Forum creates a community for local councils to exchange information relating to cyber security issues, trends and threats encountered in local government (Cyber Security NSW Service Catalogue, 2023).
8 Part of the former Department of Planning, Industry and Environment at the time the recommendation was made.}