As more Australian companies rely on digital technology to grow their businesses, the risk from cybersecurity breaches has increased. Regulation and business standards now aim to address cyber risk, and investors are more concerned with assessing such a threat.
The ISS ESG Corporate Rating and ISS Cyber Risk Score both provide insights into how some ASX-listed companies are responding to cyber risk. The metrics provided by these tools are useful for subject firms as well as investors and other stakeholders and can provide a lingua franca for both technical and non-technical parties with a stake in cyber outcomes.
The Problem of Cyber Risk
Cyber incidents are expensive. NetDiligence, a firm that analyzes cyber insurance claims data, reports in its 2024 Cyber Claims Study that the average incident claim cost for small and medium enterprises (SMEs), firms with <$2 billion in annual revenue, over 2019–2023 was $205,000. The average incident claim cost for large firms, with ≥$2 billion in annual revenue, over the same period was $12.7 million.
For the last several years, ransomware incidents have been on the rise. These can be particularly problematic for businesses because they carry not only direct costs such as ransom payments and system recovery costs, but also business interruptions and loss of revenues.
The same NetDiligence study finds that 64% of SME claims costs paid by insurers over 2019–2023 were for ransomware incidents. Claims data points to even larger cost figures in these instances, with an average business interruption cost of such an incident of $995,000 for SMEs and over $36 million for large firms.
In Australia, the Australian Signals Directorate’s (ASD) Annual Cyber Security Report for FY2023-24 identified the top three self-reported cybercrime threats for businesses as email compromises resulting in no financial loss (20%), online banking fraud (13%), and business email compromise fraud resulting in financial loss (13%). NetDiligence finds the average cost of business email compromise incidents for SMEs to be over $100,000.
Responses to Cyber Risk
With the passing of the first Australian Cyber Security Act last November, mandatory security standards and obligations have been laid down for business owners to ensure resilient digital infrastructure and secure IT products and services. The Australian Institute of Company Directors also updated its Cyber Security Governance Principles to help companies strengthen existing strategies, with a focus on increasing board oversight; highlighting cybersecurity in risk management frameworks, particularly in relation to third-party suppliers; promoting a culture of resilience through ongoing training on best practices and recent threats; and building clear response and mitigation approaches for security incidents.
Given these evolving standards and the prevalence and costs of cyber incidents, companies, their management teams, board members, and shareholders are paying increasing attention to cyber risks and to corporate responses to the challenges presented by them. The relevance of cybersecurity has been at the forefront of many corporate ESG and sustainability plans.
Stakeholders, including insurers and investors, may look for both quantitative and qualitative risk assessment inputs that enable better decision making (related to, for example, the underwriting and pricing of cyber risk insurance policies) and that inform a more productive engagement dialogue with subject companies.
Board members tasked with overseeing cyber risk are being briefed by management more frequently than in the past. ISS data gathered as part of the ISS Governance Quality Score indicates that the number of U.S. firms (constituents of the Russell 3000 Index) disclosing that they are providing annual or more frequent board briefings on cyber security increased by more than 50% between 2022 and 2024. Firms are also increasingly seeking externally sourced and independently developed metrics that provide an informed “second opinion” on cyber risk exposure and a company’s response to the cyber risks that it faces.
ESG Rating Performance Scores of ASX Companies
A company’s performance on the Data Protection and Information Security indicator within the ISS ESG Corporate Rating product may reflect the company’s vulnerability to cyberattacks and capacity to adapt to such attacks. A review of the average topic scores for this indicator in ASX 300 companies within the ISS ESG Corporate Rating universe (Figure 1) shows that the average letter grade ranges from a C to B- (companies are rated from poor [D+/D/D-] to excellent [A+/A/A-]), representing a numerical grade equivalent of 2 to 2.75.
Figure 1: Average Data Protection and Information Security Scores for ASX 300 Companies, by Sector

Note: Not all sectors monitor data protection and information security within their rating structures. The topic may not be considered as material in comparison with the other social or environmental sustainability risks that the sector may face. The Energy, Materials, and Utilities sector is not included because cybersecurity is not considered particularly material as compared to other sustainability risks for the sector.
Source: ISS ESG
This average score indicates that most ASX companies in this group have some form of privacy policy that ensures customer data protection or an information security management system that identifies potential threats or mitigates the impact of security breaches.
Technology, Media, and Telecommunications companies score higher than other sectors, as cybersecurity is widely seen as a key issue for them, which leads to more disclosure of relevant mitigation measures. Other sectors, such as Healthcare and Consumers, process large amounts of sensitive information from patients and customers, respectively, so comprehensive cybersecurity measures are also required of them.
Companies generally manage and protect their sensitive information through the establishment of policies, procedures, and security controls, including training, risk assessments, and technical safeguards that encompass their operations. International standards, such as ISO/IEC 27001:2022, provide further guidance for establishing, maintaining, and continually improving an information security management system.
The presence of management controls does not guarantee that a company’s defenses are impenetrable. For example, a hacker perpetrated a major cyberattack in 2022 that exposed vulnerabilities in an Australian telecommunications company’s security systems, leading to a re-evaluation of national regulations to better protect consumers.
ISS Cyber Risk Scores of ASX Companies
The measurements outlined above are based on corporate disclosures of policies, practices, and management engagement on cybersecurity as a risk management topic. They provide useful data on a company’s focus and intent.
Cyber risk can also be measured by how well a company manages its Internet-facing Information Technology (IT) assets. The ISS Cyber Risk Score provides insight, through an outside-in technical assessment, into how well corporate focus and intention translate into sound risk management, as measured through a technical lens. The score estimates the likelihood that the subject firm will experience a significant cyber incident over the next 12 months and provides additional insight into the key categories of technical risk exposure.
The ISS Cyber Risk Score is generated by a predictive model engineered to measure the likelihood that an organization will suffer a material cybersecurity event in the subsequent 12-month period. The model is empirically derived, meaning it considers only the measured correlations between signals and outcomes, and it is trained on reported and victim-acknowledged cyber incidents.
The Cyber Risk Score model does not consider any judgmental factors nor does it penalize a company for past cyber incidents. The model is based strictly on the correlation between technical signals and future cyber incident outcomes.
The Cyber Risk Score is calculated in part from observations of a company’s public Internet-facing properties, which include the set of pay-level domains owned by the organization and the set of IPv4 network prefixes owned (or leased) by the organization. The algorithm considers several categories of technical information, including the extent of assets exposed to the Internet; the configuration of those assets; the exposure of network infrastructure; the presence, condition, and nature of exposed services; the presence of common misconfigurations and security flaws; evidence of endpoint compromise; and the use of best practices in website construction. The size and sector of the subject company also influence the score.
The model is versioned and updated on a regular basis to reflect changes in technology as well as trends in cyber exploits and incidents. The score ranges from 300 (higher risk) to 850 (lower risk). Incident odds double with each 100-point decrease in the score and are cut in half with each 100-point increase. On this basis, the score produces a dynamic range of 32x (the relative outcome odds across the score band), meaning organizations that score 300 are roughly 32 times more likely to suffer a material cyber incident over the subsequent 12-month period than organizations scoring 850. Out-of-band validations and large population back-tests have shown strong performance, with the score effectively differentiating incident from no-incident groups and consistently rank-ordering risk by incident severity.
ASX 300 constituent firms perform well on a comparative basis (Figure 2). The average score of ASX 300 firms is 726, versus an average score of 703 for the US Russell 3000 Index firms and 710 for all companies in the ISS STOXX coverage universe.
Figure 2: Distribution of Cyber Risk Scores for ASX 300 Companies

Note: The Cyber Risk Score ranges from 300 (higher risk) to 850 (lower risk).
Source: ISS Cyber Risk Score
Performance varies widely among ASX 300 firms, with scores ranging between 357 on the low end and 850 at the top. However, most ASX constituent firms score relatively well, with a large concentration of firms in the 700s.
Sector also plays a role. While all firms have digital dependencies and at least some exposure to the Internet, certain sectors have large digital footprints, and their business models depend on broad consumer access to Internet-exposed systems.
Banks are different from bakeries, and mining firms are different from media outlets. This type of variation plays out in the average scores of ASX 300 firms across industry groups. For example, because a score that is 100 points lower indicates double the odds of cybersecurity incidents, Technology, Media, and Telecommunications firms have more than twice the incident risk of Construction firms (Figure 3).
Figure 3: Distribution of Average ISS Cyber Risk Scores among ASX 300 Companies, by Industry

Note: The Cyber Risk Score ranges from 300 (higher risk) to 850 (lower risk).
Source: ISS Cyber Risk Score
To repeat, cyber risks vary widely by firm. Assessing sector differences is interesting, but the specific ways in which a company exposes, configures, and maintains its IT assets is measurable and highly predictive of future cyber incident performance.
Applying the ISS Cyber Risk Score
The ISS Cyber Risk Score is an easy-to-understand metric that reflects the forward-looking risk of a complex array of cyber signal information. The score provides value for firms looking to understand and mitigate their own risks and/or consider the risks of supply-chain partners. Insurers and re-insurers use it for both risk selection and pricing of cyber policies.
The score also provides value for management teams and board members who may be well briefed by the company’s security team but are also looking for a “belt and suspenders” alternative point of view on cyber risks. Having a second opinion can help organizations confirm good performance or expose blind spots in risk visibility. Both internal and external (third-party) assessments provide value through insight; the latter also demonstrates oversight diligence in seeking outside intelligence on a high-stakes governance topic.
Conclusion
As institutional investors and other large shareholders increasingly look for means of understanding forward-looking risk, metrics such as those covered by the ISS ESG Corporate Rating and ISS Cyber Risk Score can serve as an important lingua franca for the common management of complex risks across stakeholder groups. They provide a means for a shared view of these risks and serve an important role in aligning the interest of firms and their stakeholders.
Explore ISS STOXX solutions mentioned in this report:
- Assess and manage cyber risk across your ESG investments with ISS Cyber Risk Score.
- Identify ESG risks and seize investment opportunities with the ISS ESG Corporate Rating.
By:
Douglas Clare, Managing Director for Cyber Strategy, ISS-Corporate
Nat Latoza, Associate, Corporate Ratings Research – Technology, Media, and Telecommunications, ISS ESG
Rachelle Piczon, Senior Associate, Corporate Ratings Research – Technology, Media, and Telecommunications, ISS ESG