Boards of ASX-listed entities need to include the skills to address new and emerging issues such as cyber security and digital disruption, recommends a proposed new edition of the key publication produced by the ASX Corporate Governance Council.
The council, which was first convened in 2002, brings together a range of business, shareholder and industry groups. Its primary role has been the development of Corporate Governance Principles and Recommendations. As its title implies, the publication seeks to outline good corporate governance practices for entities listed on the ASX.
The current, third edition was released in 2014 and doesn’t mention issues around information security.
The consultation draft for a 4th edition, however, notes that boards of ASX-listed companies “are increasingly being called upon to address new or emerging issues including around culture, conduct risk, digital disruption, cyber-security, sustainability and climate change.”
“The board should regularly review its skills matrix to make sure it covers the skills needed to address existing and emerging business and governance issues,” states the draft.
The council in May 2017 resolved to develop the new draft of Principles and Recommendations — with “cyber-risk” among those areas to be addressed.
The council is accepting submissions on the draft until 27 July. A new version of Principles and Recommendations is expected to come into effect on or after 1 July 2019.
The ASX will be conducting a national roadshow in June to seek feedback on the proposed changes.
The ASX in April last year released its Cyber Health Check Report in collaboration with the Australian Securities and Investments Commission (ASIC).
The exchange invited the 100 largest listed companies to participate in a voluntary assessment of their cyber security posture.
Some 76 companies participated — of those, the leadership of a fifth were found to have limited understanding of cyber security and had no plans to include such expertise on the board.
However, the report found that overall boards and the management of listed companies “increasingly recognise that cyber security is a significant issue.”
The survey found:
• 68 per cent of directors considered cyber risks to be extremely important;
• 80 per cent expect the likelihood of cyber risk to increase within the short-term; and
• Almost 40 per cent “rate cyber risk in the highest category relative to other business risks.”