The Australian Stock Exchange (ASX) and the Australian Securities and Investments Commission (ASIC) have launched a new cyber health check for the ASX's top 100 listed companies, an industry-led initiative designed to benchmark the cyber security awareness, capability, and preparedness of Australian businesses.
The 2016 Cyber Health Check voluntary survey is an initiative under the government’s $230 million Cyber Security Strategy that was launched earlier this year. The intent of the survey is to raise awareness of cyber security at the board level and share best practice approaches. This is to improve the cyber security defenses of Australia’s largest companies and ensure that boards are more informed as they assess their own security capabilities and plans.
Companies participating in the survey will be asked to respond to a series of multiple choice questions that will determine if they have a clear understanding of their company’s data and whether they receive high-level intelligence from their CIO.
Companies will be given a confidential report for assessing their own cyber security practices. The themes emerging from the reports are expected to be released to the public in March 2017. The survey was developed by ASX and ASIC in cooperation with representatives from the Department of PM&C, CERT Australia, and the audit firms KPMG, Deloitte, Ernst & Young and PwC. A similar exercise was run in the UK with the FTSE 350.
ASX group executive Amanda Harkness said the sharing of best practice approaches was critical to businesses. Harkness added,
The ASX 100 Cyber Health Check has brought together the government, regulators and industry on an issue of critical importance to Australian business and the millions of investors who hold shares in Australian companies. The better informed boards become, the more effectively they can assess their cyber security risks and opportunities, identifying areas where improvement is required.
The initiative comes as the government has introduced a bill to bring in the long-awaited mandatory data breach notification rules, which will require companies that have been breached or have lost data to report the incident and to notify customers who have been directly affected.
A company that fails to do so will face fines of up to $1.8 million for organizations and $360,000 for individuals, but the laws only apply to companies with a turnover of $3 million or more. Harkness further stated,
The sharing of best practice, and increased awareness and engagement by directors of listed companies are important steps in building the cyber resilience of Australian businesses.