The ASX has recently released the much anticipated report on the results of its 2016 Cyber Health Check Survey for ASX100 companies. The report seeks to provide Australian organisations with a baseline so that Boards can better understand how their peers are responding to the opportunities afforded by the digital economy and managing their exposure to cyber risks.

The report indicates that most Boards have a high awareness of cyber risk, but suggests that there is more to be done in terms of increasing resilience and managing the risk across organisations. Boards are also taking steps to prepare themselves should an incident occur. The timing couldn’t be better, given that the upcoming mandatory notification obligations under the Privacy Act come into force in February 2018.

Background

The report is the latest development in the drive by government and regulators to foster an increased awareness of cyber risk within Australian organisations, and follows:

  • the Cyber Resilience Assessment on the ASX Group and Chi-X Australia Pty Ltd released by ASIC in March 2016, which focused on whether they had sufficient resources to properly manage cyber security. Both companies were found to have sufficient resources and ASIC drew on their findings to create 11 cyber security good practice standards;
  • the inaugural Australia’s Cyber Security Strategy released by the Australian Government in April 2016, which recommended that it would work with industry to design a series of cyber security ‘health checks’ for companies. The ‘health checks’ were drawn from the UK’s FTSE350 Cyber Governance Health Check Report 2015, which was developed to allow companies to benchmark themselves against their peers; and
  • the Cyber Health Check Survey carried out by ASIC and the ASX in November 2016, in conjunction with the ‘big four’ audit firms.

Report insights

 Some of the key highlights of the report are that:

  • generally, there is a high level of internal awareness that cyber security is a growing risk, with 93% of directors taking cyber risk “very seriously”. This is supported by the finding that 99% of companies give ownership of cyber risk to a C-suite member;
  • the majority of companies have implemented operational cyber risks tests, with 73% engaging external parties to perform vulnerability or penetration assessments; and
  • there is a strong commitment to training across companies. Two-thirds of directors have participated in information security training sessions, and 54% of companies have implemented staff cyber awareness training programs in the last 12 months.

Despite these positive developments, there is still ample opportunity for companies to take further steps in understanding, managing and communicating about cyber risk across the enterprise and with third parties. The report outlines that:

  • only 11% of boards clearly understand how their key data assets are being managed and shared with third parties;
  • more than half of the directors surveyed have a limited or non-existent understanding of their company’s biggest cyber vulnerabilities; and
  • there is potential to increase external engagement on cyber risk, as only 11% of companies have taken steps to reassure customers about the organisation’s cyber security measures.

Our thoughts

The position of regulators is clearly that cyber security risk should be addressed by board members and should not be left to the IT function. A top-down approach is critical to achieving whole-of-business consensus. The survey and resulting report has been successful in bringing the issue to the boardroom of Australia’s largest companies, and demonstrates Australian boards’ current engagement with and readiness to improve cyber security management.

Norton Rose Fulbright has recently launched three fixed-price packages to assist organisations with managing cyber risks. We also operate a 24/7 cyber hotline linked directly to experienced incident response lawyers who can assist with responding to an incident should it occur. Please contact us if you would like to know more.