The Cyber Risk & Strategy Landscape in Australia
Technology has been proliferating at an astounding rate, as evidenced by recent projections that over 75 billion devices around the world will be connected by the year 2025.
Companies have capitalized on this trend in light of the COVID-19 pandemic by utilizing digital connectivity to allow employees to work remotely. Though this flexibility allowed many companies to remain operational during the pandemic, it must be noted that this digital connectivity comes at a cost, specifically, a significant increase in cybersecurity risk.
Australia alone is reported to account for approximately AUD 42 billion a year in economic losses due to cybercrimes. While these statistics are alarming, experts suggest that only 20% of cybercrime incidents are reported in Australia, with reporting rates dropping to as low as 10% for the world average. Victims fear reputational harm, and many companies state that law enforcement will not be able to retrieve stolen data or funds. Cyber-attacks have far-reaching effects on companies: they suffer not only financial harm but also interruptions to their operations, and ultimately risk driving their customers to find more secure businesses.
Recent Corporate Data Breaches in Australia
Eight in ten small to medium enterprises (SMEs) believe that they are at risk of experiencing cyber-attacks. However, SMEs are not the only ones at risk of cyber-attacks. Towards the end of 2022, three large and high-profile Australian companies experienced security and data breaches that led to damaging consequences and led many other organizations to reassess their own cybersecurity capabilities. The following section details these breaches.
In September 2022, Optus, one of Australia’s leading telecommunications companies, experienced a ransomware attack in which the personal information of 9.8 million current and former customers was breached by hackers who threatened to leak the data unless the company paid USD 1 million in cryptocurrency. The compromised personal information may have included customers’ email addresses, driver’s licenses, Medicare details, passport numbers, and dates of birth. Fortunately, no passwords or financial information were accessed or released by the hackers. The data breach was only discovered when the data of approximately 10,000 customers was published on the internet. The cybercriminals responsible have since retracted their threats and posted an apology.
Optus has contacted affected customers and guaranteed to remedy this incident by offering a one-year free Equifax Protect subscription to those most affected by the breach. The Australian Federal Police (AFP) and other legislative bodies have been notified and are currently investigating the cyber-attack. The Office of the Australian Information Commissioner (OAIC) received an AUD 5.5 million federal budget to investigate the data breach.
Just one month after the Optus attack, Medibank, one of Australia’s largest health insurance companies, faced a data and security breach, with 9.7 million customers’ personal information leaked, most likely by Russian cybercriminals. Patients’ record claims along with their personal information were posted on a file server while the cybercriminals responsible demanded a USD 10 million ransom to take down the site.
The breach started on October 12 when the Australian Signals Directorate (ASD), a spy agency, notified Medibank of rumors of an upcoming ransomware attack. The day after, the company detected suspicious activity but no signs of data being stolen. However, in the coming days, the insurance company started receiving communication from the hackers stating that they had obtained 200GB worth of customer data and planned to delete customer data from Medibank’s systems. The hacker group threatened to leak customers’ dates of birth, email addresses, phone numbers and health claims by the 7th of November unless the company paid a ransom.
On that same day, Medibank publicly announced its refusal to pay the ransom amount, so the hackers responsible began leaking sensitive data on the dark web. The blog has since been shut down as Medibank refused to pay the ransom, but there is no confirmation of the site going permanently offline. Three leading law firms have pursued class action lawsuits against Medibank, seeking compensation for customers who were affected by the breach. As with Optus, the OAIC has started an official investigation into Medibank’s security practices and whether its procedures follow the Australian Privacy Principles.
Not long after, AGL, a leading energy provider, also suffered a data breach on its “My Account” platform in December 2022. Although only approximately 6,000 of its 4.2 million customers were impacted, the company’s investigation indicates that cybercriminals extracted usernames and passwords that customers used on other websites and used them to log into their AGL accounts.
The energy provider responded by locking all accounts while the threat was examined and then notified affected customers via post, as email addresses were impacted. Customers were required to reset their passwords and were encouraged to create stronger passwords and to use two-factor authentication. The OAIC and other law enforcement agencies have been notified and are still investigating the incident.
Current ASX 300 Boards’ Skills & Expertise in Tech
Considering the growing risk of cybersecurity threats, companies must form leadership teams focused on mitigating these risks and putting cybersecurity and prevention tools in place. Moreover, this growing threat should push companies to appoint competent and experienced directors and executives to manage these risks.
Board of Directors
A Diligent study provides a deeper look into the level of technology skills and experience on ASX 300 boards (including executive board members) from 2020-2022:
- On average, only 17% of ASX 300 directors had some form of technology experience. This is well below the 43% of directors in the S&P 500 with technology backgrounds.
- 21% of ASX 300 directors held a discipline in technology throughout 2020-2022.
- 21% of ASX 300 directors had technology industry experience throughout 2020-2022.
- There were only 6 Chief Information Officers (or similar/equivalent) sitting on ASX 300 boards in 2020, and 7 CIOs in both
Of the 17% of directors with some form of technology experience, Diligent provides insight into how these directors are spread across the ASX 300 boards.
This analysis finds that of the 298 companies in the ASX 300, an average of 56 of companies have some form of technological skills in their boards in 2022, . Over the last three years, there has been a in companies with technology expertise in their boards. ASX 300 company boards with technology discipline has also increased by from 2020 and 2022, and a seven percent increase of boards with industry experience with boards. Although small, there is an upward trend in technology experience within ASX 300 boards.
Executives and Key Management Personnel (KMP)
- Among the disclosed ASX 300 Annual Reports, there is a total of 105 KMPs
- There is a total of 104 KMPs with technology-related positions in 2021.
- There is a total of 107 KMPs with technology-related positions in 2022, showing only an increase from 2020.
Diligent separated KMPs in Chief or C-suite roles from the rest to examine the level distribution of KMPs in technology roles. KMPs at the C-suite level are the top-level executives responsible for each department, in this case most commonly known as Chief Technology Officers, Chief Information and Security Officers and the like. Diligent finds that from 2020-2022, a majority of KMPs in technology roles are in the C-suite, and this number has increased by 27% from 2020-2022. Meanwhile, KMPs or lower-level positions in technology functions decreased by 78% from 2020-2022. This could be interpreted as a positive trend, meaning that KMPs in lower-level management positions are being quickly elevated to the C-suite, where they can better influence the organization’s overall cybersecurity posture.
Integrating Cybersecurity Targets into Key Performance Indicators
One way of incentivizing executives to build better lines of defense against cybercrime is to integrate cybersecurity targets into executive key performance indicators (KPIs).
Diligent collected data on the number of technology-related KPIs for ASX 300 companies from 2020 to 2022. Our study did not include non-specific targets such as “individual metrics” or “strategic metrics” in our analysis. According to our findings, less than one percent of ASX 300 companies implement any form of technological metrics in their executives’ KPIs. Further, these technological KPIs are not specific to cybersecurity targets. The most common technology KPIs across 2020-2022 are technology development and technology and innovation. This is an unexpected finding, as cybersecurity threats are supposedly one of the biggest technological concerns for Australian companies, and the rise in cybercrime should have been the impetus for companies to include cybersecurity targets in executive KPIs. Measuring and tracking specific cybersecurity metrics is paramount not only to assessing the effectiveness of a company’s security tools but also to incentivizing executives to take cybersecurity protection seriously. Developing cybersecurity-relevant KPIs also allows transparency and better communication to investors on these issues.
Diligent Cyber Risk & Strategy Certification
Training on cybersecurity risk and strategy is essential for the board of directors. Cybersecurity vigilance should be among a company’s long-term objectives, with directors overseeing the organization’s overall strategic direction. Diligent Institute’s Cyber Risk & Strategy Certification, developed with industry experts, is designed to give directors and C-suite executives the necessary insights to properly oversee cybersecurity at their organizations.
The program includes perspectives from experts in cybersecurity, data privacy, cyber risk and strategy, cyber forensics and more. It consists of four courses plus a simulated tabletop exercise and a final exam. Each course contains written and video content, interactive exercises, quizzes, case studies and more, and is designed to be completed in about 3 hours.