WA start-ups lax on cybersecurity, says RSM
WA start-ups could be missing out on investors funds because they are largely ignoring the threat of cybercrime, a study by RSM Australia has found.
The professional services firm’s new thinkBIG report, which tallied the mentions of cybersecurity in the inaugural annual reports of newly listed companies, found very few tackled the issue and for those that did, the quality and depth of reporting was consistently low.
In the case of WA listings in the 2020/21 financial year, just 4 of 58 (representing 7 per cent) mentioned cybersecurity in their annual reports. NSW was the best state with 10 of 30 (33 per cent) new listings giving the threat a mention.
RSM’s cybersecurity and privacy risk services principal, Riaan Bronkhorst, said investors were increasingly aware that companies choosing not to invest in cyber security were at higher risk of significant financial and reputational loss.
“By omitting evidence of cyber resilience from annual reporting, or simply acknowledging an awareness of the risks without detailing proactive mitigation measures, the perception could be that the company has not adequately considered the risk of cyber security-driven litigation, claims, fines, penalties and reputational damage,” he said.
:This perception might not reflect reality and in fact well-capitalised startups are often cyber security conscious from early on, especially if experienced directors and investors are on the founder’s case about cyber resilience before they even launch.
“Less well-capitalised startups however often mistakenly assume they are of little interest to cyber criminals, but this is simply not the case.”
With 67,500 cyber crimes reported to the Australian Cyber Security Centre in 2020-2021, and a 310 per cent increase in calls to the Centre’s cyber security hotline from the previous year, the risks are very real for Australian businesses of all sizes.
Internationally, NASDAQ-listed companies that suffered a breach underperformed the market by -15.6 per cent for the following three years.
The estimated cost of implementing measures to prevent cyber-attacks combined with the financial losses from cybercrime is expected to climb to around $15 trillion globally by 2025.
Nationally, the majority of newly-listed Australian companies are failing to convey their cyber resilience strengths, potentially discouraging current and potential investors, according to this new analysis.
Less than 20 per cent of the 147 companies which listed on the ASX over the 2020-21 financial year referenced cyber security in their inaugural annual reports.
While mentions of cyber security have increased over the past three years, rising from 6 per cent of inaugural annual reports by ASX debutants in 2018-19 to 11 per cent in 2019-20 and 18 per cent in 2020-21, the quality and depth of reporting has been consistently low.