Cyber security: the role of boards
Deep awareness is needed from the top to ensure companies are prepared for the complex risks of the future. A new survey and report explores where they are positioned and what needs to be done.
Cyber Health Check
In our rapidly changing world, organisations face new cyber security threats and opportunities. Cyber security is a top business risk that requires board focus, and the Australian government has elevated it to the national agenda with a cyber security strategy.
To better understand how cyber security is viewed at the board level, KPMG and other industry leaders conducted the ASX 100 Cyber Health Check. The research investigated the board’s perspective on cyber security awareness, preparedness and resilience within Australia’s top 100 companies. The health check examined seven key areas which align with a similar survey performed by the UK government of the FTSE 350, the Cyber Governance Health Check 2015/16.
- Understanding the Threat
- Risk Management
- Awareness of Help
- Cyber Security Incidents
- Customer data.
With 76 of Australia’s top 100 businesses (96 percent of respondents were directors) participating in the voluntary survey, cyber security is definitely top of mind. The study identified five key trends:
- Cyber security is a major and growing risk. Boards and management increasingly recognise cyber security is a significant business issue and that the threat is increasing. A high 80 percent expect cyber security risk to increase in the near future.
- Tackling cyber security risk needs a culture of collaboration. Cyber security risk must unite the business community, regulators, and government. Supply chain security is critical as more data is shared online, but 30 percent of the ASX 100 have still not assessed the security of third parties. Moreover, 32 percent are not actively engaging with investors or customers about cyber security – vastly different to 3 percent for the UK’s FTSE 350.
- Boards take cyber security risk seriously and are improving their skills. Boards are uniquely positioned to help management tackle cyber security risk; however, a high 67 percent of boards have not undertaken cyber security or information security training in the last 12 months. This is changing, with 28 percent planning to do so.
- Companies are managing cyber security risk better but realise there’s still more to do. Directors believe companies are making strong progress in their cyber security risk defence. Most (87 percent) believe they have made an appropriate level of investment in cyber security defences, and of those, 66 percent plan to do more.
- Companies that manage cyber security risk effectively define and analyse their exposure. More than a third (34 percent) of ASX 100 companies surveyed have clearly defined their cyber security risk appetite. However, 38 percent of companies are yet to define their risk appetite, which could have implications for how management make decisions around cyber security risk controls.
Cyber security no longer an ‘IT risk’
Insights from the survey show Australian boards recognise that cyber security is no longer the domain of ‘IT risk’ and is now considered one of the top business risks that requires focus, leadership and governance.
The survey asked business leaders whether they had explicitly defined a risk appetite for cyber security. More than one-third (34 percent) confirmed their organisation defined a risk appetite; however, a high 38 percent stated they had not. The remaining 27 percent stated it was partially defined.
Organisations with a defined cyber security risk appetite tend to have boards with a clearer understanding of their critical assets and data. Boards of these organisations are regularly updated and have increased confidence in the controls and in the organisation’s ability to respond and recover from a cyber security incident.
Training crucial to set cyber security ‘tone from the top’
The survey highlighted a sound level of general understanding by boards of the importance of cyber security, but also uncovered a significant gap in education and training. More than two-thirds (67 percent) of boards have not undertaken cyber security (or information security) training in the last 12 months. Given the pace of change of cyber security threats, keeping abreast of challenges through training programs is vital for developing and supporting a culture of preparedness.
Risk management remains a cornerstone of cyber security defence
Managing cyber security risks must also have the full support of the board. The survey found four in five business leaders acknowledge more needs to be done to protect against cyber security threats, with two-thirds (66 percent) planning to invest more in cyber security defences. Risk management is also making its way to the share market, with 35 percent of respondents indicating that ‘shareholder value’ is significantly dependent on securing critical information assets.
Prudent risk management must include a strategy for dealing with a crisis should one arrive. About half of Australian organisations are ‘somewhat confident’ in their ability to respond to a cyber security incident; however, 40 percent of organisations do not have a documented and tested resumption plan in place.
Customer data responsibilities on the rise
At the time of the survey, the recent amendments to the Privacy Act regarding mandatory breach disclosure had not been passed. With 43 percent of boards reviewing and challenging reports on the security of customer data (a similar figure to the FTSE 350 at 39 percent), this needs to improve now that the changes have passed through parliament. The focus on how mandatory disclosure relates to crisis management planning will also need to change.
If an organisation, or any third party it deals with, stores personal information and there is a breach, people have a right to know. If a company is caught out deliberately holding back communication, it makes any incident worse.
Next steps to improving maturity
The inaugural ASX 100 Cyber Health Check has demonstrated that boards in Australia’s top companies have a maturing awareness of cyber security threats, but there are still gaps when it comes to building organisational preparedness and resilience.
KPMG has taken the lead in supporting this industry initiative and is well placed to assist boards and senior executives of Australian businesses to assess and benchmark their cyber security capability against the ASX 100. If you would like to find out more details on how your company can benchmark itself against the ASX 100 please send an email enquiry to Cyber Health Check.
KPMG has recognised that cyber security is a business risk and also a business enabler. Our industry paper, Connecting the dots: A proactive approach to cyber security oversight in the boardroom, provides detailed guidance on the role boards should play in managing cyber security.
©2021 KPMG, an Australian partnership and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved. The KPMG name and logo are trademarks used under license by the independent member firms of the KPMG global organisation.