Newly-listed start-ups missing out on investment due to cyber security reporting shortfalls

data, privacy breaches, cyber incidents

RSM Australia’s latest thinkBig Cyber Security report reveals that only 18 per cent of the 147 companies that have been newly listed on the ASX over the 2020-21 financial year referenced cyber security in their inaugural annual reports.

The report also notes that while this figure is an increase from the six per cent of inaugural annual reports by ASX debutants in 2018-19 and 11 per cent in 2019-20, the quality and depth of reporting have been consistently low, thus potentially discouraging current and potential investors from investing in these newly-listed companies.

RSM’s National Head of Cyber Security and Privacy Risk Services Darren Booth highlighted the fact that only six per cent of the 271 annual reports analysed over that three-year period displayed a comprehensive commitment to mitigating cyber risks.

“Investors are increasingly aware that companies choosing not to invest in cyber security are at higher risk of significant financial and reputational loss,” Booth said. “By omitting evidence of cyber resilience from annual reporting, or simply acknowledging an awareness of the risks without detailing proactive mitigation measures, the perception could be that the company has not adequately considered the risk of cyber security-driven litigation, claims, fines, penalties and reputational damage.

“This perception might not reflect reality and in fact, well-capitalised startups are often cyber security conscious from early on, especially if experienced directors and investors are on the founder’s case about cyber resilience before they even launch,” Booth added. “Less well-capitalised start-ups however often mistakenly assume they are of little interest to cyber criminals, but this is simply not the case.”

It was earlier revealed that 67,500 cybercrimes were reported to the Australian Cyber Security Centre (ACSC) in 2020-2021, and a 310 per cent increase in calls to its cyber security hotline were recorded compared from the previous year,

“Cyber threats, such as viruses, have been around since the dawn of the digital age, however the idea that organisations might have a legal responsibility to safely store and responsibly use the data they collect has been slow to take hold,” RSM’s Director of Corporate Finance Andrew Clifford, who has worked extensively with businesses looking to list or IPO and understands the severe impact cyber threats, said.

“With the enormous shift of business online and the increase in the collection and storage of personal data, organisations are now responsible for disclosing any cyber breaches to customers and must alert the Office of the Australian Information Commissioner (OAIC),” Clifford added.

“It is evident that managing these risks goes beyond the IT department as real shareholder value is at stake in both the short and long term. Boards should identify and treat cyber security as a business risk not just an IT risk,” Clifford continued. “For example, making cyber security a priority might mean making ‘maintaining industry-leading cyber security’ one of the CEO’s KPIs, establishing a cyber risk committee or making strong data protection one of your startup’s ESG commitments.

Clifford also warned about overseas trends that suggest that directors here could also soon be personally liable for failing to appropriately manage cyber security risks, pointing out that this is already the case in Germany, the USA, Canada, South Africa and the UAE.

The report estimated the cost of implementing measures to prevent cyber-attacks combined with the financial losses from cybercrime will climb to around A$15 trillion globally by 2025.