Boards don’t get cyber security (but fear the risks), ASX health check finds

COMPUTERWORLD, 20 April, 2017 – The boards of many of Australia’s biggest companies lack sufficient understanding of cyber security, according to the ASX Cyber Health Check Report, which was published today.

The Australian Securities Exchange – with backing from the Australian Securities and Investments Commission – invited the 100 largest listed companies to participate in a voluntary assessment of their cyber security posture late last year.

Of the 76 companies that opted to respond, the leadership of 20 per cent were found to have limited understanding of cyber security and had no plans to include such expertise on the board.

More than half (51 per cent) had a board with a “moderate” understanding of the area, while 29 per cent had at least one “well versed” board member.

Nevertheless, 12 per cent of Australia’s richest listed companies said they were “doing enough” to protect themselves against cyber threats. The majority (80 per cent) said they were doing enough but had more to do.

Boards were found to be better at understanding the potential impact of the loss or disruption of data assets. Most had a “clear understanding” of the impacts, although 45 per cent had only a reasonable or limited understanding. Four per cent of boards had never been presented with an impact assessment.

In his foreword to the report, Prime Minister Malcolm Turnbull noted: “For every board that talks about cyber security as a real and pressing business risk, there are many more yet to take that step.”

Responses to the survey remain confidential, and the participating companies are not named in the report.

The majority of boards (88 per cent) were found to receive management reports on cyber security incidents, with more than a fifth establishing this procedure within the past year. However, the quality of reporting can be improved, the report found, with 54 per cent of directors saying that the description of cyber risks in the corporate risk radar is basic.

A significant number (63 per cent) also say they don’t yet have a set of standard cyber security metrics or don’t know if they do.

“Giving directors the information they need to monitor key risks and make wise decisions is critical,” the report states.

Increasingly, the C-suite is recognising cyber security as a significant issue for their organisations. More than two-thirds of directors (68 per cent) consider cyber risks to be extremely important. Almost 40 per cent of directors rate cyber risk in the highest category relative to other business risks.

(2017), Boards don’t get cyber security (but fear the risks), ASX health check finds, Computerworld, viewed 20 April 2017, <https://www.computerworld.com.au/article/617971/boards-don-t-get-cyber-security-fear-risks-asx-health-check-finds/>.