Boards fail to formalise cybersecurity measures

A new study by the Australian Institute of Company Directors and the Australian Information Security Association has revealed that, while most Australian directors see cybersecurity as a high priority, boards lack formal oversight of the issue.

Gaps in implementing cyber-governance frameworks were found, with only half (53 per cent) of directors saying that their organisation had a formal cyber-security strategy in place.

Other results indicating that there was still room for improvement in board oversight included:

  • Only 44 per cent of directors received training in cyber risks, and even fewer (23 per cent) had appointed directors with cyber skills
  • Around 39 per cent of directors said that they had made cybersecurity a specific focus of a board committee
  • 36 per cent of directors said that they received regular reporting on internal training and testing
  • Just 21 per cent of directors received reporting on the cyber performance of key third-party suppliers
  • 89 per cent of directors say their businesses have one or more characteristics that make them especially susceptible to a cyber-attack, such as holding sensitive customer, client, and member data, or providing a service to government
  • Compared with their private-sector counterparts, government and NFP-sector organisations are more likely to have characteristics that make them vulnerable due to the sensitive nature of the data they hold (94 per cent and 92 per cent respectively)
  • Only 36 per cent of SME directors have a formal cyber framework in place, 45 per cent instead opting for an informal strategy. This compares with about three in four listed companies that have formal frameworks
  • 42 per cent of NFP directors report having a formal cyber framework in place, 20 per cent reporting the absence of any cyber framework or strategy (whether formal or informal)
  • Small (63 per cent) and medium (52 per cent) sized organisations are more likely than larger organisations (45 per cent) to have limited resources to dedicate to cyber-resilience
  • Directors of small organisations are five times more likely than their big-business counterparts to believe that their entity will be unable to recover from an attack
  • More than half of directors (56 per cent) state that a lack of resources is impeding the improvement of organisational cyber-practices. This number increases to 64 per cent for NFPs, and
  • More than half (56 per cent) of directors report having a cyber insurance policy in place, and a further 15 per cent are looking for cover, which is increasingly difficult to obtain.

The report can be downloaded from

Guidance on Effective AGMs

As organisations across Australia head towards peak AGM season, the Governance Institute of Australia has issued a comprehensive guide to holding AGMs under laws that now allow hybrid and online options.

This year’s meeting season will be the first significant test of the recently updated Corporations Act, amended to allow organisations to meet in a hybrid or online format (as long as their company constitution allows it).

Effective AGMs is a complete guide to holding an AGM under the new laws. It also counsels on effective member engagement. It’s mandatory reading for directors, senior managers, and governance and risk-management professionals.

The report outlines:

  • The purpose of an AGM
  • What to do – before the AGM, at the AGM, after the AGM
  • A regulatory timeline for AGMs, and
  • An AGM logistics checklist.

The report also offers key tips for using technology to conduct meetings: ‘There are many logistical aspects that need to be worked through in advance of an AGM to ensure the use of technology during the meeting is seamless, particularly in relation to how questions will be conducted’.

The report may be downloaded from

Harassment toolbox launched

Concerned about slow action on workplace sexual harassment, Chief Executive Women (CEW) has launched a digital ‘toolkit’ designed to stamp out poor workplace behaviour.

Respect is Everyone’s Business includes:

  • Frameworks and scripts to help start conversations on workplace behaviour issues
  • Suggested wording that can be used in risk registers and codes of conduct, and
  • Templates

With one in three people experiencing workplace sexual harassment, and only a third of those who witnessed it taking action, swifter governance measures can’t come soon enough, says CEW’s president Sam Mostyn AO.

The resources can be downloaded at

Procurement integrity

The Institute of Internal Auditors in Australia has released The 20 Critical Questions Series: What Directors should ask about Procurement Integrity (Probity). The biggest question is: how do management, the audit committee, and the board of directors know clearly that there is sound and transparent integrity around procurements?

The 20 questions may be downloaded at

ACNC urges charities to consult website

The Australian Charities and Not-for-profits Commission is urging charities to consult its website for practical guidance and tips to simplify the filing of annual information statements.

The commission’s director of reporting, red-tape reduction, and corporate services, Mel Yates, said the hub was especially useful this year as charities needed to understand some recent changes.

Visit the hub at

NFP directors need IDs

Director Identification Numbers are required

The fastest way to apply for a director ID is online. There is a step-by-step video that takes you through what you need to do. You will need a myGovID with at least a standard identity strength to complete the application.

The Australian Business Registry Services is focused on providing support and education to assist directors and is encouraging those appointed unexpectedly to apply for their IDs as soon as possible.

ABRS is contacting directors who haven’t applied before deadlines elapse. It’s a criminal offence to fail to apply, and directors may be subject to penalties.