Stocks Special Reports LICs Credit Funds ETFs Tools SMSFs
Video Archive Article Archive
News Stocks Special Reports Funds ETFs Features SMSFs Learn


Is your data safe with ASX 100 companies?

Glenn Freeman  |  26 Apr 2017Text size  Decrease  Increase  |  

Page 1 of 1

More than 80 per cent of company directors anticipate an increase in online security risks over the next year or more, but many have no clear plan on how to mitigate the threat, an Australian Securities Exchange study has found.


The study, "ASX 100 Cyber Health Check," was conducted between November 2016 and January 2017, surveying senior executives or board members from Australia's largest ASX-listed companies. Of the 100 who were invited to participate, 76 responded.

Perhaps some of the most worrying findings relate to the overlap between companies and their external stakeholders. Almost one-third of respondents have not yet evaluated the cyber-security of suppliers, customers, and other key external parties they connect with.

This finding highlights a key disconnect in some of these companies' cyber readiness systems, with only around 11 per cent of respondents clear on where their organisation's key information assets are, says James Nunn-Price, Asia-pacific cyber-risk leader, Deloitte.

Deloitte partnered with the ASX in conducting study, along with other top-tier consulting firms KPMG, Ernst & Young, and PwC.

"We know that most of these organisations have quite complex supply chains, and when you get into the stats for this [cyber security awareness], not many have a clear understanding of their own information assets," Nunn-Price says.

Having been involved in earlier iterations of the study in the UK, which polled board members from FTSE 350 companies, he suggests the finding wasn't particularly surprising.

The awareness of information assets, "is one of the things that I found was the same in the UK. There's this awareness evolution: first, you make the board aware of the problem, ask the questions, and then repeat the process a year or two later".

"Investors and shareholders should be asking these questions [about this disconnect]."

A similar level (32 per cent) have only a rudimentary understanding of the extent of information they share with these external parties, and only 37 per cent have a clear understanding of their own key information assets.

While the level of attempted malicious cyber activity against these companies has increased over the past year--according to 62 per cent of directors surveyed--only one-third of them have assessed their cyber security culture.

The same proportion of respondents are confident management can detect, respond to, and manage an incident with minimal impact on the business.

David Owen, a Deloitte cyber-risk advisory partner, says it finds the issue of information-sharing between large companies and third parties as particularly problematic for its clients.

"Some have more than 10,000 different stakeholders ... if maybe 1 per cent are material, and 3 per cent or 4 per cent are still very important, you're still talking about 100 or 200. Understanding the scale of the risk is quite a big undertaking. It's an area that's getting a lot of focus," he says.

Historically, issues around cyber-security were addressed purely in the context of information technology, but this is changing gradually among Australian company boards.

"We've been doing quite a number of board awareness rating exercises over the last few years, on how cyber isn't really an IT issue ... I would say that the trend is improving," Owen says.

He emphasises this is the first such study conducted in Australia, while it has been held three times in the UK.

"There is already a higher level of awareness. But we're still just on the start of that journey. Just by shareholders asking questions, boards asking questions, that will filter through, and they will be far more aware."

Amanda Harkness, ASX group executive, believes the ASX cyber health check will increasingly bring together government, regulators, and industry "on an issue of critical importance to Australian business and the millions of investors who hold shares in Australian companies".

"The better informed boards become, the more effectively they can assess their cyber security risks and opportunities, including identifying areas where improvement is required."

More from Morningstar

Contrasting outlooks for these 2 resource stocks

Should you sell your Coke Amatil shares?

Make better investment decisions with Morningstar Premium | Free 4-week trial


Glenn Freeman is a Morningstar senior editor.

© 2017 Morningstar, Inc. All rights reserved. Neither Morningstar, its affiliates, nor the content providers guarantee the data or content contained herein to be accurate, complete or timely nor will they have any liability for its use or distribution. This information is to be used for personal, non-commercial purposes only. No reproduction is permitted without the prior written consent of Morningstar. Any general advice or 'class service' have been prepared by Morningstar Australasia Pty Ltd (ABN: 95 090 665 544, AFSL: 240892), or its Authorised Representatives, and/or Morningstar Research Ltd, subsidiaries of Morningstar, Inc, without reference to your objectives, financial situation or needs. Please refer to our Financial Services Guide (FSG) for more information at Our publications, ratings and products should be viewed as an additional investment resource, not as your sole source of information. Past performance does not necessarily indicate a financial product's future performance. To obtain advice tailored to your situation, contact a licensed financial adviser. Some material is copyright and published under licence from ASX Operations Pty Ltd ACN 004 523 782 ("ASXO"). The article is current as at date of publication.