This article was originally published by BusinessThink May 2022
Risks of cyber attacks
“Company directors need to assess cyber security, just as they would any risk, making competent decisions to understand the nature of the risk and how their level of (under) investment in cyber security controls will impact customers and stakeholders,” said Nigel Phair, Director (Enterprise) for the UNSW Institute for Cyber.
Cyber attacks are one of the most significant threats to the Australian economy, with cyber crime costing the Australian economy $42 billion per year. Cyber attacks can affect organisations of all sizes, and the threats range from highly sophisticated state-sponsored attacks through to phishing, ransomware and business email compromise.
And with more than 300,000 cyber attacks in Australia in 2021, he said company directors need to factor this growing crime trend into their broader risk management policies and processes. The Australian Cyber Security Centre has provided an advisory for all Australian organisations to urgently adopt an enhanced cyber security posture, which stated: “Following the attack on Ukraine, there is a heightened cyber threat environment globally, and the risk of cyber attacks on Australian networks, either directly or inadvertently, has increased."
Cyber security and ASX 100 company directors
There are significant skill gaps around cyber security awareness and resilience among ASX 100 company directors, according to a recent research study conducted by Mr Phair together with UNSW Institute for Cyber research associate Hooman Alavizadeh. They analysed 798 director positions (including managing directors and non-executive directors) across all ASX 100 companies. This analysis was based on information provided on ASX 100 company websites and LinkedIn profiles of individual directors.
Of these, 707 are non-executive director positions, and the research focused on this cohort. Because some of these directors sit on more than one ASX 100 board, the 707 positions are held by only 613 individual directors, who between them provide oversight of companies that Mr Phair said account for the large majority of Australia’s share market capitalisation.
The research study, Cyber security skills of company directors – ASX 100, found that of the non-executive directors responsible for the overall governance and strategic direction of ASX 100 companies, less than 1% have cyber experience and 16% have general technology experience. Viewed by board rather than by individual, 80% of ASX 100 boards have no director with either a cyber or a technology background.
Skills backgrounds of ASX 100 directors
The skillset and background of ASX 100 directors was classified into nine major categories, and about half of all directors have a background in finance, business and management. However, only 4 per cent of directors have an information technology (IT) background. Other findings for ASX 100 non-executive directors were:
- 0.8% have cyber experience
- 16% have technology experience
- 9% hold an MBA
- 7% hold a law degree
- 0.05% hold an engineering degree
- 55% have a career history in finance and management
- On average, they sit on four boards
- 30% are female
- The average age (where age could be determined) of board directors is 62 years old
Common cyber security challenges for company directors
With directors sitting on four boards (on average), Mr Phair observed that “over-boarding” makes it more difficult for Australian company directors to learn new skills, adopt best practices and keep on top of an ever-evolving cyber environment. “There is no accepted time commitment for an ASX 100 board-level role; needless to say, preparing for meetings, keeping on top of key issues and travel all take time,” he said.
The cut-off for the ASX 100 is a market capitalisation of about $1.7 billion, and he explained organisations of this size are bigger and require a lot of time and effort to govern. “Yet, with ASX 100 directors holding an average of four company directorships it has to be wondered how they can keep on top of business-as-usual issues, let alone keeping abreast of new issues such as cyber security,” he said.
Potential risks to companies and directors
Building on well-established requirements under the Corporations Act, and as highlighted by a Department of Home Affairs discussion paper, cyber security is considered an increasingly important responsibility for company directors. To illustrate, Mr Phair said a court judgment (Australian Securities and Investments Commission (ASIC) v Healey, commonly referred to as the Centro case) highlighted the responsibility of all directors to pay appropriate attention to the business of the company, and to give any advice received due consideration and exercise judgement in the light thereof.
“This is important jurisprudence for all company directors, and when discussing information security they should dig deeper to become more informed in their decision-making,” said Mr Phair. He also highlighted the importance of continuous disclosure rules and the recent changes to them, under which civil penalty proceedings against entities and officers for a disclosure failure require a knowing failure to comply, recklessness or negligence.
“A cyber attack which reduces or degrades the ability of an organisation to function could have share market price implications, and as such, would need to be disclosed,” he said. The concept of company director responsibility in cyber security was acknowledged in the 2020 Cyber Security Strategy as follows: “The Australian Government will also work with businesses to consider legislative changes that set a minimum cyber security baseline across the economy. This consultation will consider multiple reform options, including duties for company directors and other business entities.”
What can company directors do?
Mr Phair explained that the best way to address the deficiencies of ASX 100 listed companies with regard to cyber security knowledge and practice is through a board skills matrix. ASX Listing Rule 4.10.3 recommends the same, and the accompanying guidance says that “for listed entities, it is good governance to disclose the skills matrix or a summary of it. Disclosure will also meet the recommendation in the ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations for companies to have and disclose a board skills matrix that sets out the mix of skills and diversity that the board has in place or is looking to put in place.”
Interestingly, in 2020, AICD research found that 38% of all boards said they were introducing specialist technology and/or innovation roles to their board skills matrix. “Yet, this thinking is yet to parlay into action with respect to the ASX 100,” said Mr Phair.
“The adoption of technology by organisations will continue to grow at a rapid pace. In concert with this, is the dynamic role cyber security needs to play to protect the organisation, the data it creates and the people who access it. Since the ‘tone starts at the top’, having appropriately skilled company directors is a fundamental requirement.”
Nigel Phair is Director (Enterprise) for the UNSW Institute for Cyber and was previously Director, UNSW Canberra Cyber. He is an influential analyst on the intersection of technology, crime and society, and serves as a non-executive director on a number of Australian boards.