The federal government is set to offer voluntary cyber-security ‘health checks’ for Australia’s top 100 ASX-listed companies, in partnership with the Australian Securities and Investments Commission (ASIC).
A voluntary survey, The ASX 100 Cyber Health Check, was promised in the government’s $230 million Cyber Security Strategy, to gauge cyber security “awareness, capability and preparedness” among Australia’s big businesses.
The appraisal process, based on the UK’s Cyber Governance Health Check for the FTSE 350, features an online questionnaire and an examination by Australia’s big four audit firms: KPMG, EY, PwC and Deloitte.
Responses are anonymous, and all participating companies will be given a confidential report gauging their progress when the assessment is completed in mid-December.
In March next year, a public report exploring the trends emerging from the data will be released.
“The ASX 100 cyber health check has brought together government, regulators, and industry on an issue of critical importance to Australian business and the millions of investors who hold shares in Australian companies,” ASX group executive, Amanda Harkness, said in a statement.
“The better-informed boards become, the more effectively they can assess their cyber security risks and opportunities, including identifying areas where improvement is required.
Participation will reassure shareholders and the broader community that boards are actively engaged in addressing cyber issues.”
According to the government’s Cyber Security Strategy, similar cyber security health checks will be open to other public and private companies, customised appropriately for organisation size and sector.
The ASX 100 Cyber Health Check was developed by the Australian Securities Exchange, with the Australian Securities and Investments Commission, the Attorney-General’s Department and private firms KPMG, PwC, Deloitte and EY.
The ASX 100 Cyber Health Check proposal follows a study by the Australian National University’s National Security College (NSC) and Macquarie Telecom Group that found just 29 per cent of private sector business respondents would report a cyber attack if they lost client data.
Meanwhile, only 21 per cent of respondents cited legal obligations as a reason to report an attack, the report found.