
Australian boards slow to invest in cyber risk despite rising threats

Wed, 24th Sep 2025

Australian organisations continue to regard third-party vulnerabilities as the foremost cyber risk; however, these concerns have not translated into corresponding investment priorities over the past year, according to the latest Cyber Risk Survey from Herbert Smith Freehills Kramer.

The survey, now in its third edition, gathered perspectives from general counsel and similar legal leaders across diverse sectors, including finance, health, energy, resources, and consumer services. The findings highlight a growing disconnect between awareness of cyber threats and targeted investment aimed at addressing them.

Three-quarters of surveyed leaders reported their organisations had experienced an incident involving third-party cyber vulnerabilities within the last two years. Despite this, third-party threats did not feature prominently among the cyber priorities that received investment boosts over the past year.

Emerging threats

The survey reveals growing concern about the sophistication of cyberattacks, particularly those involving artificial intelligence and social engineering. Cameron Whittfield, Partner and APAC Cyber Security Head at HSF Kramer, stated the results must be considered in the context of wider geopolitical and economic challenges, as well as the evolving cyber threat landscape.

"The human side of cyber risk management is being stress-tested like never before. We are seeing highly sophisticated social engineering techniques, exacerbated by the use of AI and attacks perpetuated by criminals whose first language is English," Whittfield explained.

Whittfield noted that criminals are employing advanced techniques to access systems and monetise stolen data, with cybercrime targeting individuals at all levels, from board directors and senior executives to front-line and procurement staff.

According to the survey, 75% of respondents believe that the increase in perceived cyber risk is largely due to new technologies and emerging attack vectors.

"In the face of these adversaries, corporate Australia is confronted with two material challenges. How do we maximise our cyber risk investments? How do we avoid 'cyber fatigue'? We find these challenges are exacerbated when cyber-attacks fall out of the headlines and return on cyber investment is hard to quantify," Whittfield said.

Data governance and investment patterns

Investment in data governance is often reactive rather than proactive, with 63% of leaders indicating that a significant cyber-attack would be necessary before their organisation would meaningfully address data risk management. This approach may reflect economic uncertainty and limited regulatory clarity on best practices, leading to cyber investments often being outpaced by other priorities, such as IT infrastructure upgrades.

The regulatory environment is also shaping responses. Of those subject to the Security of Critical Infrastructure Act 2018, nearly 90% confirmed that the regime had influenced their cybersecurity strategies, suggesting legislation continues to drive risk management improvements.

"The management of cyber risk needs to be democratised across the business. It is as much a risk for the Chief Information Security Officer, as it is for leaders dealing with data governance, human resources, procurement, legal and finances," according to Whittfield.

"We need our people to no longer feel vulnerable and instead be empowered to act as a front line of defence."

Governance and board engagement

The survey highlights that risk ownership has a direct influence on how cyber preparedness is reported to boards. Increased scrutiny from regulators and the media has not necessarily improved board capability, with 45% of respondents indicating that their boards were not 'cyber mature'. Additionally, almost a third did not believe their boards understood the respective roles and responsibilities of the board and management during incidents.

One area of ongoing uncertainty remains decisions relating to extortion demands, with a third of boards yet to form a firm position on whether to pay or refuse such demands. Whittfield emphasised the importance of boards engaging with this issue proactively rather than reactively.

Simulations are viewed as an effective means to foster board engagement and informed decision-making during incidents. Peter Jones, Partner and cyber and financial services expert at HSF Kramer, commented on the increasing regulatory focus on testing response plans.

"There's an expectation, whether it's explicit or implicit, that organisations should be testing incident response plans and undertaking simulation activities, particularly in and around cyber risk and resilience," he added.

Despite this expectation, the survey found that there had been no material increase in the number of boards participating in cyber simulations over the past year. Around half of the boards have never participated in such exercises, despite guidance from industry bodies and regulators attesting to their importance.

The survey results further show that 38% of respondents remain unsure about their organisation's preparedness for managing and mitigating cyber risk. A lack of clarity also persists, with 26% of leaders unaware of their obligations under operational resilience requirements.