Boards need to improve their security postures

Wednesday, 01 November 2023

Elise Shaw
Managing Editor, Company Director magazine

    The Cyber Ready? Australian Businesses Rise to the Challenge survey by law firm Herbert Smith Freehills reveals more work needs to be done by boards to improve their security postures. 

    The report, which was led by Herbert Smith Freehills partner and Australia-Pacific head of cybersecurity Cameron Whittfield, is based on findings from a survey of about 120 legal leaders from Australian businesses, including more than 80 general counsel.

    “Australian businesses and their boards have never been under more scrutiny about their cyber resilience as they respond to cybersecurity threats — compounded when many are responding to a dynamic and shifting business and regulatory environment,” says Whittfield.

    Significant report findings include:

    • 75 per cent of respondents say their boards have been educated about cyber risk in the past 12 months

    • 66 per cent of respondents say their boards have not yet given management formal guidance on their extortion payment views 

    • 48 per cent of respondents say their boards have not yet formed a view on whether they would be open to paying a ransom demand 

    • 32 per cent say their boards now have dedicated cyber expertise

    • 28 per cent of respondents say their boards have not yet held a cyber simulation exercise.

    The report emphasises that for lawyers to effectively respond to cyber-attacks, they need to be empowered and activated to manage digital risks. They also need to be part of the preparatory work and to be prepared for the myriad of legal issues that will unfold at pace.

    “Many companies are preparing for attacks in ways that do not actually reflect the way the attack plays out,” says Whittfield. “The legal and regulatory risks are significant and acute. Boards have the most impact in the preparation phases. Effective preparation enables an organisation to fulfil its legal obligations, limit regulatory and litigation risks, as well as to protect individuals and shield a company from reputational damage.” 

    Tremors subside

    Trade with China is on the rebound.

    According to HSBC chief economist Australia/New Zealand Paul Bloxham, trade with China has climbed to 32 per cent of exports now that the effects of the COVID-19 pandemic, the Russia-Ukraine war and trade disputes with China have largely passed.

    Between 2020–22, tensions with China disrupted Australia’s directions of trade for products such as barley, meat, wine and coal, although these exports were largely redirected to other markets, leaving little macroeconomic effect, notes Bloxham.

    “As these tensions have unwound, trade with China has rebounded to 32 per cent of exports. Australia’s trade remains dominated by North Asia, accounting for 60 per cent of exports. Despite rapid growth in India, Indonesia and the Middle East, and the opportunities these markets present, they account for only four per cent, two per cent and two per cent of Australian exports, respectively.”

    Bloxham also notes that exports of lithium have risen to be four per cent of Australia’s total export values (up from under one per cent in 2020).

    “The energy transition has weakened large-scale investment in coal and gas projects, but motivated investment in ‘green’ metals,” he says.

    Taking care of business

    Main challenges for family companies.

    Grant Thornton’s 2023 Family Business Survey reveals that the top five issues for Australian family businesses are: improving cash flow (91 per cent), recruiting, training and upskilling family members and employees (86 per cent), succession planning (72 per cent), developing and launching new products (70 per cent) and expanding into new markets (69 per cent).

    The top two challenges can be linked to the current economic climate — increasing costs, high inflation, increased interest rates and an uncertain future. Succession planning comes in at number three. Maintaining family harmony and fairness while ensuring the business continues to prosper can be challenging.

    “Family governance is not set and forget — it’s important the family meets on a regular basis and has an annual review of the business structure, vision and its impact on the community,” says Kirsten Taylor-Martin, partner and national head of family business consulting at Grant Thornton, in the report.

    “When a family business does transition from one generation to the next, a family governance review and realignment is essential. It is important that all family members are on the same page and that there is strong communication through the generations to ensure the longevity of the family business.”

    Weakest links

    Data points the finger at third parties.

    In an address to the Australian Financial Review Cyber Summit on 18 September, Australian Securities and Investments Commission chair Joe Longo said 44 per cent of respondents to ASIC’s latest cyber pulse showed the initial findings make it clear that one of the weakest links in cyber preparedness is third-party suppliers, vendors and managed service providers.

    “Nearly one in two [44 per cent] of respondents indicated that they did not manage third-party or supply chain risk, and more than half have limited or no capability to protect confidential information adequately — whether that information is held within the organisation or by third-party suppliers,” said Longo.

    “For all boards, cybersecurity and cyber resilience must be top priorities,” he continued. “ASIC also expects this to include oversight of cybersecurity risk throughout the organisation’s supply chain. Failure to ensure adequate measures are in place exposes directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence.”

    Cyber scamming is also a prevalent worry for many in the general community, according to recent data from the Commonwealth Bank of Australia. The research shows that 73 per cent of Australians have become more concerned about scams in the past 12 months, which is a 16 per cent increase on the data released by CBA in October last year.

    In better news for the financial giant, CommBank data gathered in the first half of 2023 showed customer losses had decreased by 37 per cent, compared with those losses recorded between July and December 2022. 


    Two leading directors are touring Australia with a bracing message: yesterday’s knowledge will not be enough. 

    As this year’s AICD Essential Director Update draws to an end with the Geelong event scheduled for 15 November, we summarise key themes from this year’s roadshow, attended by over 12,000 people.

    Data capital

    In Canberra, the first presenter was Jacqueline Chow GAICD, a non-executive director of Boral, Charter Hall, Coles and NIB Holdings. She said data sits alongside financial, human, social and natural capital as central to economic value creation.

    “As company directors, we have a duty not only to protect the downside of losing that data, but also to harness the data for the upside of innovation and growth. The governance of data capital is central to how organisations approach generative AI, cybersecurity and the associated data privacy protections. These areas are interrelated and continually rank as a top priority in Australian boardrooms.”


    Chow said an organisation’s most crucial digital assets must be protected from theft, but their value must be left unlocked for frictionless, responsive and personalised customer service. “Finding that balance is down to the risk appetite of your board.”

    But cybersecurity measures can be overly technical. “If you find yourself flummoxed by technical jargon, it’s likely the rest of the organisation is also,” she said. “That’s not conducive to building cyber resilience or effective board governance because the behavioural risk controls of our employees are just as critical as the technology risk controls.”

    Social capital

    Chow believes directors expect their firms to take a leadership stance on social/political/cultural issues. “You may personally have conviction on a social issue, but we can’t use our organisation as a platform to externalise our individual views.”

    An increasing focus on the role of stakeholders in governance raises the question of how directors should balance non-shareholder stakeholder interests to maximise long-term value.


    Bruce Cowley FAICD is an experienced director and former corporate lawyer. Speaking from Brisbane, he addressed greenwashing. 

    “Both ASIC and the ACCC have significantly increased their regulatory focus on greenwashing, including ASIC’s high-profile actions against a number of prominent superannuation trustees. Although there’s no new law prohibiting what is really little more than the offence of misleading and deceptive conduct, the issue has taken on some prominence because, in the current environment, there’s considerable pressure on companies to promote their products and services as being climate-friendly. Directors need to take care about committing companies to net zero unless they have a clear pathway and a reasonable basis for that ambition.”

    Climate reporting

    Cowley described mandatory climate reporting as a major issue boards will have to confront. “ASIC chair Joe Longo has referred to the proposed changes as a generational change. At the Climate Governance Forum earlier this year, David Thodey AO FAICD emphasised the need for the board to actively engage with management on climate reporting, not just delegate responsibility.”

    The new standards will require companies to report all material information about sustainability-related and climate-related risks and opportunities. “There’s going to be quite a lot for boards to do to ensure that the necessary tasks are complied with in a timely way. Most of us will need to undertake a degree of upskilling in order to do this effectively.”

    Interests of stakeholders

    Under Section 181 of the Corporations Act 2001, directors have a duty to act in the best interest of the company. “Historically, that has broadly meant acting in the best interests of shareholders unless the company was insolvent or nearing insolvency,” said Cowley. “The people we refer to today as stakeholders didn’t get much of a look-in.”

    However, in his Financial Services Royal Commission report, Commissioner Kenneth Hayne AC KC suggested directors should consider stakeholder interest in the decision-making process because, over the longer term, the interests of shareholders and stakeholders tend to converge.

    “This is not in any way suggesting that directors owe any duty to stakeholders, but rather that, in determining what’s in the best interests of the company, it’s prudent for them to take stakeholder interests into account,” said Cowley. “The real challenge is to balance all the competing stakeholder interests to reach a decision that will ensure long-term sustainability and prosperity for the company and its shareholders.” 

    This article first appeared under the headline ‘Work In Progress’ in the November 2023 issue of Company Director magazine.
