Australia’s first ASX 100 Cyber Health Check

Australia’s Cyber Security Strategy, announced earlier this year, is well under way. One of the first items on the agenda is a “Cyber Health Check” for ASX Top 100 companies. It’s a survey designed to probe the cyber security knowledge of key executives and board members.

Similar to the UK FTSE 350 Cyber Governance Health Check (now in its 3rd year), Australia’s first Cyber Health Check announced by ASX and intended for Top 100 companies has a response deadline of 16 December 2016.

If you’re sitting on the board of an ASX 100 member company, odds are you’ll be discussing the Health Check in the next Audit Committee meeting. Here’s some background, and some things to know.

The “highest performing businesses lead a national effort towards best practice cyber security”, states the Cyber Security Strategy paper. Thus Government not only expects the private sector to become cyber resilient, but they’re starting at the top end of town first. All ASX 100 member companies will be expected to lead the way for all Australian businesses.

ASX100 Health Check Overview

The Sense of Security team has already examined the ASX 100 Cyber Health Check survey in detail. Here are some of the top-level areas that respondents will need to know about their enterprise.

  • Ability to Demonstrate Cyber Knowledge at Board-Level
  • Level of understanding of Threats, Assets and Risks
  • Estimation of net Cyber Risk and Governance practices
  • Examines the maturity of Risk Management processes
  • Probes on awareness of key providers and issues
  • Consideration and handling of cyber incidents

As an overview, there are four key areas that are important to consider with the Cyber Health Check, not just for the immediate response but looking forward longer term.

If you’re a CISO or CIO you might find the following information helpful when supporting responses to future surveys.

  • Board Level & Executive Knowledge – regular briefings at board/c-level are going to be critical to ensure proper governance and awareness of top cyber issues of importance.
  • Governance & Cyber Risk Management – expanding on existing cyber security frameworks and standards will be key to ensuring your policies are up to scratch and compliant.
  • Technical Due Care & Diligence – securing your enterprise (let alone an ASX 100 member) requires technical discipline and adherence to efficient process like never before; make sure security is a consideration in all process design.
  • Operational Awareness & Training – true cyber resilience doesn’t happen in a vacuum – it requires internally and externally facing communication, as well as quality cyber security training for all staff and stakeholders.

One of the organisations driving the need for cyber assessments and industry benchmarking has been the Reserve Bank of Australia. They have an obligation under the Corporations Act 2001 to assess their licensees, including market operators ASX and Chi-X.

As early as 2013, the RBA was already signposting the growing need for cyber resilience practices across our financial system. By late 2015 the RBA reported that the ASX had completed a self-assessment of its own practices based on the NIST Cybersecurity Framework.

In March 2016, ASIC published the cyber resilience assessment findings of the ASX and Chi-X stating they will “work to assist other organisations in our financial markets to enhance their cyber resilience”.

With the announcement from Prime Minister Turnbull on 21 April 2016, Australia’s Cyber Security Strategy includes the need to “co-design voluntary cyber security ‘health checks’ for ASX 100 listed businesses”.

While aimed initially at the ASX 100 there’s no doubt that Government are looking to pioneer the model to broaden the scope in the future.

Either way, the scrutiny and expectations for cyber resilience that ASX 100 companies will face in the coming years will continue to intensify.

The Future of Enterprise Cyber Resilience

In the face of almost daily data breaches in the news, the critical importance of enterprise-wide cyber resilience is slowly becoming better understood by executive management.

With data breach notification laws imminent, and if the UK example is a reliable witness, we may see the future emergence of Data Breach surveys for ASX 100.

How can Sense of Security help?

We’re actively engaged with our existing ASX 100 member clients, assisting them with persistent long-term improvements to security programs, as well as short term items like understanding their obligations such as the Cyber Health Check.

If you’re a board member of an ASX 100 member company wanting to learn more about cyber security in general from an independent source, we invite you to contact us.