We are increasingly hearing news of cyberattacks on high-profile organisations. Most recently, Court Services Victoria, Eagers Automotive and St Vincent Health were all subject to some form of cyberattack, which would have placed pressure on the Board of Directors and senior management to address a range of security and IT issues within their organisations.
According to the Australian Cyber Security Centre’s most recent ASD Cyber Threat Report:
- The average cost of cybercrime has increased by 14 per cent (small business: $46,000, medium business: $97,200 and large business: $71,600).
- On average, a cybercrime was reported every 6 minutes (an increase from every 7 minutes in 2021-2022).
- The top three types of cybercrime affecting businesses were: email compromise, business email compromise fraud and online banking fraud.
With these alarming statistics in mind, it has become apparent that the threat of a cyberattack is real and present for organisations of all sizes. Sadly, falling victim to cybercrime is a matter of “when” rather than “if”.
It is our considered view that businesses and their respective Boards can no longer continue to treat cyber threats and risks as mere IT issues. Cyber risks should be a priority and need to be addressed by the Board with the same level of rigor and diligence as any other business risks impacting the organisation.
The Australian Securities and Investments Commission’s (ASIC) position on cyber security is evident in its latest release (23-300MR), whereby ASIC chair Joe Longo stated:
“For all organisations, cyber security and cyber resilience must be a top priority. ASIC expects this to include oversight of cyber security risk throughout the organisation’s supply chain – it was alarming that 44% of participants are not managing third-party or supply chain risks. Third-party relationships provide threat actors with easy access to an organisation’s systems and networks.”
ASIC’s findings identified that smaller organisations are lagging behind larger organisations in third-party risk management, data security, consequence management and adoption of industry standards.
With the speed at which changes are occurring in the information technology and cyber space, it is important that Boards ensure that their businesses continue to invest adequate resources and capabilities in:
- Identity and access management;
- Governance and risk; and
- Information asset management.
Importantly, they also need to turn their attention to building up IT and cyber resilience to ensure they are prepared and ready to respond to and recover from an incident. This also includes testing the recovery plan with a degree of regularity.
Separately, ASIC has also stated it expects directors to ensure their company’s risk management framework is able to address cyber security risk, and adequate controls are implemented to protect the company’s key assets and enhance cyber resilience.
Failing to do so could result in directors falling short of their responsibilities and regulatory obligations with respect to acting with reasonable care and diligence.
In the context of the ASX Corporate Governance Principles and Recommendations, Principle 7: Recognise and manage risk, it is expected that publicly listed entities establish a sound system of risk oversight and management and internal control designed to identify, assess, monitor and manage risk, and inform investors of material changes to the company’s risk profile. This would equally extend to the issue of IT and cyber risk.
Next steps for small caps
IT and cyber risks, as well as resilience, are key business risks that must be managed with the same rigor as other critical business risks. The Board’s buy-in is essential.
IT and cyber risks should be included in the risk register along with an appropriate treatment plan. A security gap analysis should form the basis for assigning risks and adopting a treatment strategy. Assign responsibilities, set deadlines and allocate resources for any remediation efforts.
Companies should also establish a security framework to manage cyber security risks and benchmark this framework against security standards, such as those available from the National Institute of Standards and Technology. This will help identify any gaps in IT security systems.
In addition, conducting vulnerability assessments and penetration testing on a regular basis will help identify cyber security exposures in the IT environment. Multi-factor authentication and adequate passphrase protocols are essential, as are secure cloud-based technology and encryption, particularly if any staff work from home on a regular basis.
It is, in our experience, no longer acceptable for small cap companies to claim that “our IT functions are managed by a third-party IT vendor”. Companies must actively manage contractual relationships and ensure that any third parties are working to industry better-practice standards (such as ISO 27001 and Microsoft’s security standards). Boards should familiarise themselves with the assistance and resources available, such as the AICD’s Cyber Security Governance Principles.
Directors are ultimately responsible for IT and cyber management within the organisations they govern. They carry the responsibility of cultivating a culture where security becomes second nature. By doing so, the company and the Board can evolve and foster trust among their shareholders, stakeholders and the broader community.