Cybersecurity and data privacy are long-standing, familiar topics for the technology and communications sectors. However, the spread of smart technology, generative artificial intelligence (AI), ever-growing data collection and online and digital practices of every kind make cybersecurity a pressing risk (as well as an opportunity) for every company across all industries.
Recent major data breaches still affecting top Australian corporations underscore the critical importance of making cybersecurity a priority topic on board members’ agendas. The fact that consumer trust is currently low cannot be ignored: a recent report from the Office of the Australian Information Commissioner (OAIC) shows that only 15% of Australians believe that their personal information is protected against hackers, while 92% would like businesses to do more to protect them. In addition, the ongoing government review of the Privacy Act underscores the need to “lift the game” and enhance standards. This review is expected to introduce key changes, such as a revised definition of “personal information”, the introduction of civil penalty provisions for mid- and low-tier breaches, tighter transparency obligations for organisations collecting personal data, and measures empowering consumers to make informed decisions.
This fast-paced and complex field is transforming the role and responsibility of leaders in protecting the security of all Australians, with consumers and government increasing the pressure on corporations and board members.

Cybersecurity is an ESG issue
Cybersecurity and data privacy are largely considered under the “S” of Environmental, Social and Governance (ESG) issues. This is because they mainly affect the wider community and, more specifically, consumers, who, in providing data to corporations, are exposed to identity theft and financial fraud, among other harms.
As a result, companies worry that a cyber or data privacy incident can not only disrupt operations and cost them the trust of clients, but also damage their reputation in the long term. Added to this are the threats of extortion and ransomware, which can ultimately undermine solvency.
On top of these risks, there are sub-issues within the corporate governance space which make cybersecurity a wicked problem:
- Investors, proxy advisors, clients and other stakeholders expect cyber security responsibilities to be placed on directors given their duty to act with care and diligence.
- Board members are also expected to understand cyber risks and possess specific skills. This pressure is particularly strong within the technology and communications industries.
- However, there is a skills shortage in this field, making these expectations challenging to fulfil.
- Issuers find it hard to disclose information and assure investors that their cyber risks are being adequately managed without disclosing too much, as this could reveal critical information that hackers can exploit.
However, this pressured context can also represent an opportunity to improve and build cyber resilience. Cybersecurity can be an opportunity to showcase strength for those businesses that already have robust cybersecurity policies and due diligence processes in place but do not disclose this in their annual reports. Doing so could improve overall ESG performance and ratings, particularly if this is a material topic for the company.

What Georgeson recommends
At the corporate governance level, it is important to consider the following:
- Assume that because you collect data from clients and other stakeholders your systems are vulnerable. Hence, be proactive and ensure there is an incident response plan in place, do not wait until it happens to respond.
- Given the sensitivity of the topic it is recommended to have a draft announcement to the market ready because there could be further negative impacts if the media tells the story first.
- In the case of an incident, your message should be focused on the event itself. Avoid speculating about what you do not yet know, and provide updates to the market along the way. Remember that you can request a trading halt under these circumstances.
- Be aware that the major proxy advisor Glass Lewis includes the BitSight cybersecurity rating in its proxy reports, so investors can see how resilient your cyber strategy is.
- Board members and key management personnel should not only do their due diligence but also ensure that the agreed procedures are enforced. The Australian Securities and Investments Commission (ASIC) will look at the root cause of an incident, assess what was in place for risk management and resilience, and examine how the board responds to cyber risks.
- Communicate with your IT and risk teams to ensure robust cybersecurity and data privacy measures are in place.
- Some questions for directors to ask: Are we performing regular data stocktakes so that we do not hold on to information we no longer need? Can we reduce the amount of data we collect to minimise risk and exposure? Can we de-identify data to protect consumers? In the event of a data breach, what is the Business Continuity Plan (BCP) or Disaster Recovery Plan (DRP)? Do we have backup facilities? Are we performing regular testing? Do we need external support?
At the sustainability, operational and strategy levels:
- Do a materiality assessment to determine how important cybersecurity and data privacy are to your business.
- Integrate cybersecurity into the overall company strategy.
- Align to both national and international standards such as AS 27701 and ISO/IEC 27701.
- Know your supply chain – including third party data centres – and have due diligence process in place.
- Have an up-to-date Data Privacy policy and be transparent about what data you collect, why you collect it and how you manage it.
- Promote cyber education and good practices amongst management and all staff levels.

How can we help you?
Understandably, board members and management can feel overwhelmed by cybersecurity threats.
At Georgeson, we can help you:
- Conduct a Materiality Assessment to understand how relevant cybersecurity is to your organisation, and which other ESG topics are material, so you can manage time and resources more effectively.
- Analyse your current disclosures to ensure you are up to date with investors’ and other stakeholders’ expectations on this topic.
- Understand what your latest cybersecurity rating is and how you compare to peers.
- In the event of an incident, prepare your responses and message to the market so that they are aligned with investors’ and proxy advisors’ expectations.
- Engage with your investors using specific insights and detailed understanding of their objectives.