Company directors fall short of cyber security skills mark
There are many significant expectations of modern company directors.
There are many significant expectations of modern company directors. Cyber security awareness is one of a number of responsibilities for directors – and an increasingly important one, if a recent Department of Home Affairs discussion paper is anything to go by. The paper, which received 143 submissions from a wide range of organisations including Facebook, Google, IBM and Telstra, proposes a number of measures – one of which is cyber security governance standards, which could be voluntary or mandatory for organisations. Under the voluntary standard (which the government appears to favour), the government paper says this standard “could be considered by a court when determining whether failures relating to the oversight of cyber risk constitutes a breach of directors’ duties”.
While the government is yet to make a decision on these cyber security standards, the proposal shows how seriously the government treats cyber security as a matter for company directors. “The cyber resilience of the organisation they govern is just one part of the role,” says Nigel Phair, Director (Enterprise) for the UNSW Institute for Cyber. To discharge that part of the role, he said company directors need to be asking management the tough questions (and be competent enough to know what answers to expect) about their organisation’s understanding of cyber security risk and its potential vulnerability to incidents such as data breaches, the investment in creating and monitoring controls, and the scenarios rehearsed so the organisation is better equipped should a cyber security incident take place.
Nigel Phair, Director (Enterprise) for the UNSW Institute for Cyber, says cyber threats can range from sophisticated attacks through to phishing, ransomware and email compromises.
“Company directors need to assess cyber security, just as they would any risk, making competent decisions to understand the nature of the risk and how their level of (under) investment in cyber security controls will impact customers and stakeholders,” said Mr Phair. Pervasive cyber attacks are one of the most crucial factors threatening the Australian economy, with cyber crime costing the Australian economy $42 billion per year. Cyber attacks can impact all sizes of organisations, and threats range from highly sophisticated state-sponsored attacks, through to phishing, ransomware and business email compromise. “Cyber incidents caused huge impacts on Australia’s central government and other essential services including healthcare, education, energy, banking, and critical infrastructure providers, and so forth,” said Mr Phair.
And with more than 300,000 cyber attacks in Australia in 2021, he said company directors need to factor this growing crime trend into their broader risk management policies and processes. The Australian Cyber Security Centre has issued an advisory urging all Australian organisations to adopt an enhanced cyber security posture, which stated: “Following the attack on Ukraine, there is a heightened cyber threat environment globally, and the risk of cyber attacks on Australian networks, either directly or inadvertently, has increased.”
There are significant skill gaps around cyber security awareness and resilience among ASX 100 company directors, according to a recent research study conducted by Mr Phair together with UNSW Institute for Cyber research associate Hooman Alavizadeh. They analysed 798 director positions (including managing directors and non-executive directors) across all ASX 100 companies. This analysis was based on information provided on ASX 100 company websites and LinkedIn profiles of individual directors.
Of these, 707 are non-executive director positions, and the research focused on this cohort. Because some of these directors sit on more than one ASX 100 board, the 707 positions are held by only 613 individuals, who between them provide oversight of companies that Mr Phair said account for the large majority of Australia’s share market capitalisation.
The research study, Cyber security skills of company directors – ASX 100, found that of the non-executive directors responsible for the overall governance and strategic direction of ASX 100 companies, less than 1 per cent have cyber experience and 16 per cent have general technology experience. Taken board by board, 80 per cent of ASX 100 boards have no director with either a cyber or a technology background.
Less than 1 per cent of ASX 100 non-executive directors have cyber experience and 16 per cent of directors have general technology experience. Image: Shutterstock
The skillset and background of ASX 100 directors was classified into nine major categories, and about half of all directors have a background in finance, business and management. However, only 4 per cent of directors have an information technology (IT) background. Other statistics on ASX 100 non-executive directors from the research are summarised as follows:
With directors sitting on four boards (on average), Mr Phair observed that “over-boarding” makes it more difficult for Australian company directors to learn new skills, adopt best practices and keep on top of an ever-evolving cyber environment. “There is no accepted time commitment for an ASX 100 board level role; needless to say, preparing for meetings, keeping on top of key issues and travel all take time,” he said.
The cut-off for the ASX 100 is a market capitalisation of about $1.7 billion, and he explained organisations of this size are bigger and require a lot of time and effort to govern. “Yet, with ASX 100 directors holding an average of four company directorships it has to be wondered how they can keep on top of business-as-usual issues, let alone keeping abreast of new issues such as cyber security,” he said.
Building on well-established requirements under the Corporations Act and as highlighted by the aforementioned Department of Home Affairs discussion paper, cyber security is considered an increasingly important responsibility for company directors. To illustrate, Mr Phair said a court judgement (Australian Securities and Investments Commission (ASIC) v Healey, commonly referred to as the Centro case) highlighted the responsibility of all directors to pay appropriate attention to the business of the company, and to give any advice received due consideration and exercise judgment in the light thereof.
A cyber attack which impacts the ability of an organisation to function would need to be disclosed as it could have share price implications. Image: Shutterstock
“This is important jurisprudence for all company directors, and when discussing information security they should dig deeper to become more informed in their decision-making,” said Mr Phair. He also highlighted the importance of the continuous disclosure rules and the recently introduced fault element, under which entities and officers face civil penalty proceedings for a continuous disclosure breach only where there is a knowing failure to comply, recklessness or negligence.
“A cyber attack which reduces or degrades the ability of an organisation to function could have share market price implications, and as such, would need to be disclosed,” he said. The concept of company director responsibility in cyber security was acknowledged in the 2020 Cyber Security Strategy as follows: “The Australian Government will also work with businesses to consider legislative changes that set a minimum cyber security baseline across the economy. This consultation will consider multiple reform options, including duties for company directors and other business entities.”
Mr Phair explained the best way to address the deficiencies of ASX 100 listed companies with regards to cyber security knowledge and practice is through a boards skill matrix. ASX Listing Rule 4.10.3 recommends the same, and says that “for listed entities, it is good governance to disclose the skills matrix or a summary of it. Disclosure will also meet the recommendation in the ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations for companies to have and disclose a board skills matrix that sets out the mix of skills and diversity that the board has in place or is looking to put in place.”
Interestingly, in 2020, AICD research found 38 per cent of all boards said they were introducing specialist technology and/or innovation roles to the board skills matrix. “Yet, this thinking is yet to parlay into action with respect to the ASX 100,” said Mr Phair.
“The adoption of technology by organisations will continue to grow at a rapid pace. In concert with this, is the dynamic role cyber security needs to play to protect the organisation, the data it creates and the people who access it. Since the ‘tone starts at the top’, having appropriately skilled company directors is a fundamental requirement.”
Nigel Phair is Director (Enterprise) for the UNSW Institute for Cyber and was previously Director, UNSW Canberra Cyber. He is an influential analyst on the intersection of technology, crime and society, and serves as a non-executive director on a number of Australian boards. For more information please contact Mr Phair directly.