13. Has the company established an incident management plan (including disaster recovery and business continuity)?

14. Has the company disclosed information or cyber security as a key part of its risk assessment/business continuity plan?

Three-quarters of the companies communicated that cyber security is a key business risk and/or have incorporated cyber security in their business continuity plan. However, only half disclosed their disaster recovery and business continuity plans to investors and other stakeholders.

Investor relevance: the ability to recover from a cyber attack and continue operating normally is crucial to a company’s survival. This has been well illustrated by 2017’s WannaCry virus, which impacted over 200,000 across 150 countries – one cyber security firm estimated that the virus may have caused $4 billion in damage. The sophistication of breaches will vary, so it is important that companies have a pragmatic yet comprehensive incident management plan.

Although there is no certainty for any company on when or how a breach might occur, companies must show that they have an incident management plan that can minimise and contain damage, and offer solutions that enable rapid recovery. While it is encouraging that corporate awareness of cyber security risks is growing and companies are actively considering the repercussions on their business, it is worrying to observe poor disclosure on several indicators around policies, governance mechanisms and practices. Investors could probe this dissonance further in their engagement dialogue.

Good practice: in relation to business continuity plans, Medtronic offers a good example. “Our business continuity management programme proactively addresses potential disruptions to our operations or supply chain. Key areas of focus are: business continuity planning: strategies to ensure that we can continue to operate and meet demand in adverse circumstances. IT response and recovery: plans designed to respond to failures in technology and recover the infrastructure that supports business continuity. Emergency response: actions to ensure health and safety, safeguard physical structures, and minimize environmental impact. Crisis management and mobilisation: coordination of our responses to crises.”

Telstra cited data management as a material risk in its 2016 annual report and explicitly acknowledged cyber security risks: “This is a growing risk as our business changes, data volumes grow, cyber-security threats become more sophisticated, and some data sets converge. Emerging technologies and future business models will also further enhance the focus on privacy and information security. Failure to manage our customer and corporate data can result in significant reputational, financial and regulatory implications. It can also damage the trust our customers have in our ability to keep their information secure.”

The company also noted in its plans to manage the risk: “We have implemented a number of company-wide controls to manage this risk. In terms of data security, we have mandatory data security awareness training for our staff and business partners, and have commenced a cyber security awareness programme. We also continually review and update the security controls on our network based on known security threats and the latest intelligence”.