Cyber risk is uniting the Australian business community, regulators and government alike. This is reflected in the high response rate (76%) to the inaugural ASX 100 Cyber Health Check run by the Australian Securities Exchange, which demonstrates a strong commitment to put aside competitive differences and work together for a common cause.
The survey shows that more than two-thirds of directors (68%) of respondent companies consider cyber risks extremely important, and 80% expect the likelihood of a cyber incident to increase in the short term.
Almost 40% of directors rate cyber risk in the highest category relative to other business risks. Most companies (92%) include it in their corporate risk register, the mechanism that allows risks and opportunities to be defined and discussed across the broader organisation.
While internal awareness is high, there is potential to boost external engagement on cyber risk. Currently, only 11% of companies proactively reassure customers and investors about their approach.
There also remain opportunities to reduce exposure where external parties are granted access to company systems. Almost a third of companies (30%) haven’t yet evaluated the cyber resilience of the suppliers, customers and other key external parties that connect to them. A similar proportion (32%) have only a limited understanding at board level of the extent of information shared with third parties. Indeed, only 37% have a clear understanding of their own key information assets, and without that inventory the risk created by third-party access cannot be properly assessed. Boosting this understanding is likely to precipitate greater action.
Directors, management and staff
Awareness has increased too, supported by evidence of increasing attacks. Almost two-thirds (62%) of directors say that the level of attempted malicious cyber activity against their company has gone up over the past year.
A majority of directors (78%) encourage staff to engage in formal information-sharing to help benchmark, learn from others, and identify emerging cyber threats. Not only does cyber risk need a united effort externally, it also requires an enterprise-wide approach with leadership by the top levels of management. At almost every ASX 100 company (99%), the ultimate owner of cyber risk is either the CEO (29%) or another member of the C-suite.
Three-quarters of companies (75%) have implemented ongoing staff training programmes in cyber awareness, and most of the remainder plan to do so in the next year. This high level of uptake shows that companies are serious about addressing cyber risk as a whole-of-business concern that is no longer the sole purview of the IT department.
Boards are uniquely positioned to help management tackle cyber risk. They set the tone from the top, can provide a broader viewpoint, and support wider engagement beyond the organisation. Directors are embracing this responsibility: 93% say that their board colleagues take cyber risk very seriously. The board (or one of its committees) is directly responsible for holding management to account on cyber risk in the vast majority of ASX 100 companies, with only 3% delegating this role to an executive committee. Cyber risk is often the domain of either the board’s audit or risk committees (64% of respondents), allowing a subset of directors with the relevant skills to focus on cyber risk issues and discuss them with management and external advisers. However, in a significant minority of cases (28%), the main board considers cyber risk, reflecting its significance as a strategic business risk. The majority of boards receive management reports on cyber security incidents (88%) with more than one-fifth (21%) establishing this procedure within the past year.
Over two-thirds (70%) review their cyber security strategy at least once a year. However, the quality of reporting can be improved: 54% of directors say the description of cyber risk’s implications in the corporate risk radar is basic, and a significant number (63% in total) say they either don’t have a set of standard cyber security metrics or don’t know whether they do. Just 7% of directors say they clearly understand the cyber security of the broader ecosystem in which the company operates, and almost two-thirds (63%) say their understanding of the company’s biggest IT security exposures is limited or non-existent.
The ASX 100 Cyber Health Check is the first attempt to gauge how the boards of Australia’s largest publicly listed companies view and manage their exposure to the rapidly evolving cyber world. The Cyber Health Check forms part of the Australian Government’s Cyber Security Strategy, which encourages government, regulators and businesses to work together to tackle cyber risk.
The survey was conducted between November 2016 and January 2017. It addressed six key areas:
1. Understanding the threat
2. Leadership
3. Risk management
4. Awareness of help
5. Cyber incidents
6. Investment and customer data