ASX 100 Cyber Health Check Report released: How Australia's largest companies are tackling online risk

Cyber eBulletin - 24 April 2017


Last year, ASX and ASIC invited the 100 largest listed companies in Australia to participate in a study to assess their awareness of and preparedness to tackle cyber risk — and the results are now in.

In this eBulletin we look at the findings of the report and the learnings that businesses can take to protect themselves from cyber crime.

The new report

In November last year, ASX and ASIC invited the 100 largest listed companies in Australia to participate in a study to assess their awareness of and preparedness to tackle cyber risk — the results are now in.

On 20 April 2017, the ASX released the Cyber Health Check Report, the first attempt to gauge how the largest listed companies assess and manage their exposure to the constantly shifting threats associated with online business.

One thing is certain: awareness of cyber risk is on the rise, and it is supported by evidence of increasing numbers of attacks. 62% of directors say that the level of attempted malicious cyber activity against their company has gone up over the past year, and 80% expect a further increase in cyber risk over the next year. These findings are mirrored in the Australian Cyber Security Centre Survey Report released this month, which found that large public and private sector organisations face numerous malicious cyber threats on a daily basis.

But awareness of the risk is not the same as understanding.  63% of boards say that their understanding of the biggest IT security exposures is limited or non-existent, and only 11% have a clear understanding of where the company's key information or data assets are shared with third parties.

Similarly, while the ASX Report suggests that news of the recently passed mandatory data breach notification scheme has found its way into boardrooms, 24% of companies have still not considered how they will notify customers of a data breach once the new law comes into effect (see our recent Privacy eBulletin on the new data breach law for more information). 

Take-up of cyber insurance continues to increase at a slow pace and is reported at only 38%, notwithstanding findings in the global Ponemon Institute 2016 Cost of Cyber Crime Study that cyber attacks cost Australian businesses an average of US$4.3 million per incident.

Key messages for companies

The takeaway message from the ASX Report is that companies which have assessed and clearly defined their cyber resilience are more likely to have a greater understanding of the vulnerabilities in their critical information assets and data, a higher level of employee education regarding cyber threats, a designated budget for cyber risk management, and specific cyber insurance.

It is clear from the results that some businesses, and particularly those in financial services, have made considerable progress in their cyber risk defence, while others still have a long way to go.  In our view, until there is an improvement in the figures regarding the level of understanding of where critical data vulnerabilities lie, it is difficult to be confident in the response of 80% of companies that believe that they are doing enough to protect themselves against cyber threats.

It will be interesting to see how these figures develop over the next 12 months, particularly once the mandatory data breach notification scheme comes into effect. In the meantime, the ASX Report provides a useful guide for small and medium-sized businesses that are looking for examples of what they can do to ensure that they are ready to meet the growing threat of cyber crime, and comply with their cyber resilience obligations.



Edward Smith, Lawyer
