FAILING TO REPORT ON CYBER SECURITY MEASURES COULD COST COMPANIES VITAL INVESTOR FUNDING

The majority of newly-listed Australian companies are failing to convey their cyber resilience strengths, potentially discouraging current and potential investors, according to new analysis.

Less than 20 per cent of the 147 companies which listed on the ASX over the 2020-21 financial year referenced cyber security in their inaugural annual reports, according to RSM Australia’s new report thinkBig Cyber Security.

While mentions of cyber security have increased over the past three years, rising from 6% of inaugural annual reports by ASX debutants in 2018-19 to 11% in 2019-20 and 18% in 2020-21, the quality and depth of the reporting have been consistently low.


RSM's head of Cyber Security and Privacy Risk Services Darren Booth said only 6% of the 271 annual reports analysed over the three-year period displayed a comprehensive commitment to mitigating cyber risks.


“Investors are increasingly aware that companies choosing not to invest in cyber security are at higher risk of significant financial and reputational loss,” Mr Booth said.

“By omitting evidence of cyber resilience from annual reporting, or simply acknowledging an awareness of the risks without detailing proactive mitigation measures, the perception could be that the company has not adequately considered the risk of cyber security-driven litigation, claims, fines, penalties and reputational damage,” he said.

“This perception might not reflect reality and in fact well-capitalised startups are often cyber security conscious from early on, especially if experienced directors and investors are on the founder’s case about cyber resilience before they even launch.

“Less well-capitalised startups however often mistakenly assume they are of little interest to cyber criminals, but this is simply not the case.”

RSM Director of Cyber Security and Privacy Risk Services Ashwin Pal said pressure was building on small and medium businesses to demonstrate their cyber security credentials.

“Nowadays, many small businesses engage with large ones and do this mainly or exclusively online. That means cybercriminals can penetrate the cyber defences of a poorly protected small player that sells to or buys from a large company, then use the small company’s systems as a beachhead to worm their way into the larger company’s IT infrastructure,” Mr Pal said.

“Reasonably enough, large companies don’t want to find themselves potentially millions of dollars out of pocket due to one of these ‘backdoor’ attacks. Accordingly, they are increasingly insisting all their suppliers and, in some cases, even their customers demonstrate they have the correct cyber security posture.”

With 67,500 cyber crimes reported to the Australian Cyber Security Centre (ACSC) in 2020-2021[1], and a 310 per cent increase in calls to the Centre’s cyber security hotline from the previous year[2], the risks are very real for Australian businesses of all sizes.

Internationally, NASDAQ-listed companies that suffered a breach underperformed the market by -15.6% for the following three years[3].

RSM’s Director of Corporate Finance Andrew Clifford works extensively with organisations looking to list or IPO and understands the severe impact cyber-attacks can have on companies, particularly startups.

“Cyber threats, such as viruses, have been around since the dawn of the digital age, however the idea that organisations might have a legal responsibility to safely store and responsibly use the data they collect has been slow to take hold,” Mr Clifford said.

“With the enormous shift of business online and the increase in the collection and storage of personal data, organisations are now responsible for disclosing any cyber breaches to customers and must alert the Office of the Australian Information Commissioner (OAIC),” he said.

“It is evident that managing these risks goes beyond the IT department as real shareholder value is at stake in both the short and long term. Boards should identify and treat cyber security as a business risk not just an IT risk.”

The partnership between RSM and Avertro will allow Australian organisations to access a complete offering encompassing the personnel and platform needed to do just this, all delivered onshore.

“For example, making cyber security a priority might mean making ‘maintaining industry-leading cyber security’ one of the CEO’s KPIs, establishing a cyber risk committee or making strong data protection one of your startup’s ESG commitments.

“Looking at overseas trends, directors could also soon be personally liable for failing to appropriately manage cyber security risks, as is already the case in Germany, the USA, Canada, South Africa and the UAE.”   

The estimated cost of implementing measures to prevent cyber-attacks combined with the financial losses from cybercrime is expected to climb to around A$15 trillion globally by 2025[4].

 

To read more, download a copy of the report here.


[3] Bischoff, P 2021, ‘How data breaches affect stock market share prices’, Comparitech, 9 February

[4] Morgan, S 2020, ‘Cybercrime To Cost The World $10.5 Trillion Annually By 2025’, Cybercrime Magazine, 13 November