Boards don't get cyber security (but fear the risks), ASX health check finds

The boards of many Australia’s biggest companies lack sufficient understanding of cyber security, according to the ASX Cyber Health Check Report which was published today.

The Australian Securities Exchange – with backing from the Australian Securities and Investments Commission – invited the 100 largest listed companies to participate in a voluntary assessment of their cyber security posture late last year.

Of the 76 companies that opted to respond, the leadership of 20 per cent were found to have limited understanding of cyber security and had no plans to include such expertise on the board.

More than half (51 per cent) had a board with a “moderate” understanding of the area, while 29 per cent had at least one “well versed” board member.

Nevertheless, 12 per cent of Australia’s richest listed companies said they were “doing enough” to protect themselves against cyber threats. The majority (80 per cent) said they were doing enough but had more to do.

Boards were found to be better at understanding the potential impact of the loss or disruption of data assets. Most had a “clear understanding” of the impacts, although 45 per cent had only a reasonable or limited understanding. Four per cent of boards had never been presented with an impact assessment.

In his foreword to the report, Prime Minister Malcolm Turnbull noted: “For every board that talks about cyber security as a real and pressing business risk, there are many more yet to take that step.”

Responses to the survey remain confidential, and the participating companies are not named in the report.

Reporting risk

The majority of boards were found to receive management reports on cyber security incidents (88 per cent) with more than a fifth establishing this procedure within the past year. However, the quality of reporting can be improved, the report found, with 54 per cent of directors saying that the description in the corporate risk radar of cyber risks is basic.

A significant number (63 per cent) also say they don’t yet have a set of standard cyber security metrics or don’t know if they do.

“Giving directors the information they need to monitor key risks and make wise decisions is critical,” the report states.

Increasingly, the C-suite was recognising cyber security to be a significant issue to their organisations. More than two-thirds of directors (68 per cent) consider cyber risks to be extremely important. Almost 40 per cent of directors rate cyber risk in the highest category relative to other business risks.

Everyday reality

Rick Holliday-Smith the chair of two companies participating in the survey – the ASX and Cochlear – said cyber security had become an 'everyday reality' worthy of board attention.

"Cyber was not a word heard very often when I began my business career several decades ago. Nor was it a topic boards spent much time discussing when I became a director in the 1990s. Then, cyber was the stuff of science fiction. Now, it is an everyday reality," he said at the health check's launch event in Sydney this morning.

"It is reassuring that the health check found that the boards and management teams of Australia’s leading companies are spending more time and resources developing their understanding of cyber risk and addressing its challenges. But this is just the beginning of a long journey."

ASIC Commissioner Cathie Armour added: “Cyber risk must be addressed by all levels of an organisation, and form an integral component of a business’ enterprise governance and risk management framework.”

The health check is based on the UK’s Cyber Governance Health Check for the FTSE 350, which has run since 2013.

“Companies are taking cyber security seriously and they recognise the importance of continual improvement — if you are standing still on cyber security you are going backwards,” added Minister Assisting the Prime Minister for Cyber Security Dan Tehan.

Speaking last month, the ASX’s head of technology governance Daryn Wedd said company boards must be involved in cyber security.

“There is no point having an IT or tech team that is sitting buried in a room with technology, with all of the equipment and all of the gadgets and all of the kit you could possibly imagine, if that [security] information does not get used to inform the organisation as to what the threats are, and potentially what you need to do to combat them,” he told a cyber security event in Sydney.