Most newly listed Australian companies are failing to convey their cyber resilience strengths, potentially discouraging current and potential investors, according to new analysis released today.
Less than 20 per cent of the 147 companies which listed on the ASX over the 2020-21 financial year referenced cyber security in their inaugural annual reports, according to RSM Australia’s new report thinkBig Cyber Security.
While mentions of cyber security have increased over the past three years, rising from six per cent of inaugural annual reports by ASX debutants in 2018-19 to 11 per cent in 2019-20 and 18 per cent in 2020-21, the quality and depth of reporting has been consistently low.
RSM’s National Head of Cyber Security and Privacy Risk Services Darren Booth said only six per cent of the 271 annual reports analysed over that three-year period displayed a comprehensive commitment to mitigating cyber risks.
“Investors are increasingly aware that companies choosing not to invest in cyber security are at higher risk of significant financial and reputational loss,” Mr Booth said.
“By omitting evidence of cyber resilience from annual reporting, or simply acknowledging an awareness of the risks without detailing proactive mitigation measures, the perception could be that the company has not adequately considered the risk of cyber security-driven litigation, claims, fines, penalties and reputational damage,” he said.
“This perception might not reflect reality and in fact well-capitalised startups are often cyber security conscious from early on, especially if experienced directors and investors are on the founder’s case about cyber resilience before they even launch.
“Less well-capitalised startups however often mistakenly assume they are of little interest to cyber criminals, but this is simply not the case.’’
With 67,500 cybercrimes reported to the Australian Cyber Security Centre (ACSC) in 2020-20211, and a 310 per cent increase in calls to the Centre’s cyber security hotline from the previous year, the risks are very real for Australian businesses of all sizes.
Internationally, NASDAQ-listed companies that suffered a breach underperformed the market by -15.6% for the following three years.
RSM’s Director of Corporate Finance Andrew Clifford works extensively with organisations looking to list or IPO and understands the severe impact cyber-attacks can have on companies, particularly startups.
“Cyber threats, such as viruses, have been around since the dawn of the digital age, however the idea that organisations might have a legal responsibility to safely store and responsibly use the data they collect has been slow to take hold,” Mr Clifford said.
“With the enormous shift of business online and the increase in the collection and storage of personal data, organisations are now responsible for disclosing any cyber breaches to customers and must alert the Office of the Australian Information Commissioner (OAIC),” he said.
You can read the full report here.
