by George Nott

Gov backed cyber survey sent to top 100 Aussie companies

Nov 09, 2016

Invitations to complete an ASX and ASIC backed cyber survey have been sent to Australia’s 100 biggest companies today with an advisory note: don’t let your CIO fill it in.

The ASX 100 Cyber Health Check is a voluntary survey, promised in the government’s $230m Cyber Security Strategy, to benchmark cyber security awareness, capability and preparedness in Australia top listed businesses.

The opening question of the voluntary ASX 100 Cyber Health Check begins with “…we request that this questionnaire is not passed to the Chief Information Officer or others to complete on your behalf…”

“We advise against the CIO or any other representative of the organisation completing the questionnaire,” reads the survey’s FAQs in answer to the question: Would my CIO be the best person to undertake this?

Due to the governance angle of the survey, its completion instructions urge that it is filled in only by “the Chairman, the Audit Committee Chair or the Risk Committee Chair”.

A CIO may “miss a governance link, which exacerbates a specific vulnerability” the advice reads.

A better informed board

The survey’s aim is to build a picture of cyber security awareness and risk appetite at the board or committee chair level.

“The intent of the 2016 Cyber Health Check is to raise awareness of cyber security at the Board level and share best practice approaches so that boards are more informed as they assess their own security capabilities and plans,” the document explains. “Cyber security is a strategic risk management issue for the Board, not one to be left solely to the IT Department.”

Questions cover how regularly the board receives “regular high level intelligence from the CIO” about what cyber actors are targeting the company, and the level of understanding among directors around the cyber security capabilities of vendors and suppliers.

Responses are anonymous and a public report on the themes emerging from the data is expected to be released in March next year.

“The better informed boards become, the more effectively they can assess their cyber security risks and opportunities, including identifying areas where improvement is required. Participation will reassure shareholders and the broader community that boards are actively engaged in addressing cyber issues,” said Amanda Harkness, ASX Group Executive, on the survey’s launch.

“The results will help businesses improve their cyber security which is positive for employees, shareholders and the economy. The lessons learnt as part of this initiative will be used to identify and develop cyber security best practice that can be applied across the broader Australian business community,” said the Minister Assisting the Prime Minister on Cyber Security, Dan Tehan.

In its Cyber Security Strategy, the government said that eventually, similar health checks would be available for public and private organisations, tailored to size and sector.

The ASX 100 Cyber Health Check was developed by the Australian Securities Exchange, with the Australian Securities and Investments Commission, the Attorney-General’s Department and Australia’s largest four auditing firms KPMG, PwC, Deloitte and EY.