New ASX entrants failing to detail cyber efforts


By Dylan Bushell-Embling
Friday, 01 July, 2022


The vast majority of newly listed Australian companies are failing to adequately detail their cyber resilience efforts in their inaugural annual reports, according to new research from RSM Australia.

Less than 20% of the 147 companies listed on the ASX in FY21 even referenced cybersecurity in their inaugural annual reports, the research found.

This was an improvement on the 18% in the prior year and 11% in the year before that, but the quality and depth of reporting remains low.

According to RSM National Head of Cyber Security and Privacy Risk Services Darren Booth, only 61% of the annual reports analysed over the three-year period displayed a comprehensive commitment to mitigating cyber risks. This is leaving new ASX entrants at risk of alienating potential investors, he said.

“Investors are increasingly aware that companies choosing not to invest in cybersecurity are at higher risk of significant financial and reputational loss,” Booth said.

“By omitting evidence of cyber resilience from annual reporting, or simply acknowledging an awareness of the risks without detailing proactive mitigation measures, the perception could be that the company has not adequately considered the risk of cybersecurity-driven litigation, claims, fines, penalties and reputational damage.”

This perception may not always line up with reality, as well-capitalised startups are often cybersecurity-conscious from early in their development, Booth noted. But unless they detail their security efforts in their annual reports, the reputational risk remains.

The impact of a successful breach could be even more severe. Internationally, research has found that NASDAQ-listed companies that suffered a breach underperformed the market by -15.6% for the following three years, Booth said.

In light of the threat, RSM’s Director of Corporate Finance Andrew Clifford urged company boards to “identify and treat cybersecurity as a business risk” instead of merely an IT risk.

“For example, making cybersecurity a priority might mean making ‘maintaining industry-leading cybersecurity’ one of the CEO’s KPIs, establishing a cyber risk committee or making strong data protection one of your startup’s ESG commitments,” he said.



  • All content Copyright © 2025 Westwick-Farrow Pty Ltd