At a glance
- Data security risks, awareness and investment will continue to increase as economies become more digitised and interconnected.
- Organisations must start managing cyber security as part of their environmental, social and governance (ESG) strategy rather than relying on insurance providers.
- Cyber security risk affects all parts of an organisation, and should be considered a boardroom concern similar to other ESG risks.
By Dr Jana Schmitz ASA, CPA Australia’s digital economy policy lead and Patrick Viljoen, CPA Australia’s senior manager, ESG
In recent years, the world has experienced an increasing number of cyber attacks on critical infrastructure, financial networks, telecommunications, healthcare and other networked systems. Despite this, rather than implement robust governance policies for cyber security and data privacy, businesses often leave these issues to regulators and the insurance industry to tackle.
Cyber security across the pillars of ESG
Environmental: Cyber attacks on critical infrastructure such as energy production and transmission, transportation, telecommunications, financial services, manufacturing and chemical production, and marine systems can lead to the unplanned disruption of the operations of important industries and, in turn, to environmental damage.
According to insurance company AXA, cyber crimes and cyber terrorism can cause fires, explosions and the release of hazardous material, which in turn can result in bodily injury, property damage, environmental remediation expense and significant legal liability claims.
Societal: Sophisticated cyber breaches can affect organisations’ relationships with their employees, the communities they serve and political decision-makers. Breaches of the safety mechanisms that organisations deploy and the compromising of sensitive data can lead to customers being exposed to identity theft and fraud. The public wants to know that the data shared with, or collected by, organisations is protected, and the implications of poor corporate cyber security management are increasingly viewed as market failures.
Governance: Businesses’ resilience against cyber attacks is largely dependent on senior management’s “buy-in” on cyber security. Data breaches due to a failure of corporate governance potentially expose directors to legal action. It is important that organisations’ governance structures and strategies for value creation and risk management evolve to reflect the growing importance of incorporating data security and cyber security metrics within an ESG framework.
The value of data
According to the World Economic Forum, the value of intangible assets has more than tripled in the Standard and Poor’s 500 Index (S&P 500) over the past 35 years. Intangible assets now represent 90 per cent of organisations’ total asset value. Data is arguably one of the most valuable intangible assets today, although it is not defined by accounting standards as such.
Businesses of all sizes, as well as governments, hold a wealth of highly sensitive personal data on customers, former employees and other stakeholders.
Organisations need to start looking at cyber security as part of ESG, recognising that cyber risk poses the most immediate and financially material sustainability risk that organisations face today.
Those who fail to use the appropriate tools and metrics and implement good governance on cyber security will be less resilient and less sustainable. This has an impact on the other organisations on which they rely, and ultimately on the stability of companies, communities and governments.
Jurisdictions across the globe are enacting new laws and amending existing regulations to protect the data privacy of their citizens and to mitigate potential cyber security risks.
However, keeping track of and preparing for the continually evolving regulations and legislation around data privacy and cyber security is proving to be daunting for many businesses.
Some data privacy and cyber security regulations that businesses should be aware of are as follows:
Australia’s Privacy Act 1988 (Privacy Act): The Privacy Act regulates the collection, use, storage and disclosure of personal information by private sector organisations (with some exceptions) and federal government agencies (but not state agencies). In particular, the Privacy Act sets out 13 Australian Privacy Principles, which entail specific obligations in respect of personal information.
The European Union’s General Data Protection Regulation (GDPR): Under the GDPR, the EU’s data protection authorities can impose on companies fines of up to €20 million (A$31.2 million) or 4 per cent of worldwide turnover for the preceding financial year – whichever is higher.
Some Australian businesses covered by the Privacy Act may need to comply with the GDPR if they have an establishment in the EU (regardless of whether they process personal data in the EU), or do not have an establishment in the EU but offer goods and services or monitor the behaviour of individuals in the EU.
Given the increasing frequency and impact of cyber incidents globally, data privacy and security should be taken seriously by all boards and senior management.
The recent data breach at Optus, Australia’s second-largest telecommunications provider, has made real the high cost and damage of data hoarding. Attorney-General Mark Dreyfus emphasises that businesses need to “look at data not as an asset, but as a liability or a potential liability”.
This is a timely call considering the planned rollout of the Consumer Data Right (CDR) to additional sectors. In its recently published Statutory Review of the Consumer Data Right, the Australian Treasury notes that, with the introduction of participants from the energy and telecommunications sectors, it is timely to revisit cyber security settings across the CDR ecosystem.