Deep awareness is needed from the top to ensure companies are prepared for the complex risks of the future. A new survey and report explores where they are positioned and what needs to be done.
In our rapidly changing world, organisations face new cyber security threats and opportunities. Cyber security is a top business risk that requires board focus and the Australian government has elevated it to the national agenda with a cyber security strategy .
To better understand how cyber security is viewed at the board level, KPMG and other industry leaders conducted the ASX 100 Cyber Health Check. The research investigated the board’s perspective on cyber security awareness, preparedness and resilience within Australia’s top 100 companies. The health check examined seven key areas which align with a similar survey performed by the UK government of the FTSE 350, the Cyber Governance Health Check 2015/16.
With 76 of Australia’s top 100 businesses (96 percent of respondents were directors) participating in the voluntary survey, cyber security is definitely top of mind. The study identified five key trends:
Insights from the survey show Australian boards recognise that cyber security is no longer the domain of ‘IT risk’ and is now considered one of the top business risks that requires focus, leadership and governance.
The survey asked business leaders whether they had explicitly defined a risk appetite for cyber security. More than one-third (34 percent) confirmed their organisation defined a risk appetite; however, a high 38 percent stated they had not. The remaining 27 percent stated it was partially defined.
Organisations with a defined cyber security risk appetite tend to have boards with a clearer understanding of their critical assets and data. Boards of these organisations are regularly updated and have increased confidence in the controls and in the organisation’s ability to respond and recover from a cyber security incident.
The survey highlighted a sound level of general understanding by boards of the importance of cyber security, but also uncovered a significant gap in education and training. More than two-thirds (67 percent) of boards have not undertaken cyber security (or information security) training in the last 12 months. Given the pace of change of cyber security threats, keeping abreast of challenges through training programs is vital for developing and supporting a culture of preparedness.
Managing cyber security risks must also have the full support from the board. The survey found four in five business leaders acknowledge more needs to be done to protect against cyber security threats with two-thirds (66 percent) planning to invest more in cyber security defences. And risk management is making its way to the share market with 35 percent of respondents indicating that ‘shareholder value’ is significantly dependent on securing critical information assets.
Prudent risk management must include a strategy for dealing with a crisis should one arrive. About half of Australian organisations are ‘somewhat confident’ in their ability to respond to a cyber security incident; however, 40 percent of organisations do not have a documented and tested resumption plan in place.
At the time of survey the recent amendments to the Privacy Act regarding mandatory breach disclosure had not been passed. With 43 percent of boards reviewing and challenging reports on the security of customer data (a similar figure to the FTSE 350 at 39 percent), this needs to improve now the changes have passed through parliament. The focus on how mandatory disclosure relates to crisis management planning will also need to change.
If an organisation, or any third-party it deals with, stores personal information and there is a breach, people have a right to know. If a company is caught out deliberately holding back communication it makes any incident worse.
The inaugural ASX 100 Cyber Health Check has demonstrated that boards in Australia’s top companies have a maturing awareness of cyber security threats, but there are still gaps when it comes to building organisational preparedness and resilience.
KPMG has taken the lead in supporting this industry initiative and is well placed to assist boards and senior executives of Australian businesses to assess and benchmark their cyber security capability against the ASX 100. If you would like to find out more details on how your company can benchmark itself against the ASX 100 please send an email enquiry to Cyber Health Check.
KPMG has recognised that cyber security is a business risk and also a business enabler. Our industry paper, Connecting the dots: A proactive approach to cyber security oversight in the boardroom, provides detailed guidance on the role boards should play in managing cyber security.