Now that the 28 September reporting deadline under the Security of Critical Infrastructure Act 2018 (SOCI Act) has passed, many Australian businesses are bracing for a challenging year ahead, with the severity of risk and security issues expected to increase significantly. A recent report by McGrathNicol Advisory surveyed over 300 C-Suite executives and Board-level directors across Australian businesses, revealing that 89 percent of executives expect risk and security issues to worsen over the next 12 months, compared to 58 percent in 2023.
Cybersecurity Tops Risk Concerns
Cybersecurity has emerged as the leading concern for Australian businesses in 2024, with 68 percent of organisations listing it among their top five risks. The increasing frequency of cyberattacks, particularly on supply chains, has made cybersecurity a critical focus for many companies. However, the report found that 71 percent of organisations are not conducting due diligence on their key suppliers' cybersecurity practices, leaving themselves vulnerable to third-party risks. Furthermore, more than three-quarters (77 percent) do not require mandatory reporting of cyber or data breaches from their suppliers.
This lack of oversight presents a significant risk, as cyber incidents can rapidly escalate throughout the supply chain, affecting customers, employees, and business operations. "Following a data breach, a cyber incident can quickly turn into a regulatory and financial issue, with severe reputational consequences," said Matt Fehon, Head of Advisory at McGrathNicol. He added that many organisations only react after a risk event occurs, which can prove costly in an interconnected business environment.
Geopolitical Risks and Trade Concerns
The report also highlights that Australian businesses are underestimating the broader impacts of geopolitical risks, despite an increasingly volatile global landscape. Only 9 percent of executives believe the outcome of the US presidential election will significantly impact their business, even though trade issues are a concern for 37 percent of organisations. Trump has proposed that, if re-elected, a second administration would introduce tariffs on Chinese-made goods, which would almost certainly reignite trade disputes and directly affect Australian businesses reliant on international trade.
The ongoing Russia-Ukraine conflict and the Israel-Hamas war serve as reminders of how geopolitical events can disrupt global supply chains. Yet many Australian companies are struggling to connect these risks with other areas, such as cybersecurity and insider threats. The report stresses the importance of understanding how geopolitical instability can impact various risk categories, leading to significant disruption if not properly managed.
Insider Risks: A Human Problem
Insider risk remains another critical area for Australian businesses, particularly as organisations continue to grapple with employee-related threats. The survey revealed that while 87 percent of businesses believe they have a comprehensive insider risk management programme, less than a third have implemented essential controls. Only 28 percent use a risk-based vetting and due diligence framework for employees, suppliers, or contractors, and just 18 percent have appointed an authority responsible for insider risk management.
The report underscores that insider risk is inherently a human problem and requires businesses to invest in employee training, awareness programmes, and the implementation of robust internal controls to mitigate potential threats.
Supply Chain Vulnerabilities Persist
Supply chain risks have become a central concern for many organisations, with 80 percent now incorporating supply chain risk as a core component of their enterprise risk management programmes. However, internal issues such as a lack of expertise, inadequate data visibility, and budgetary constraints continue to impede progress in addressing these challenges. As a result, 74 percent of organisations acknowledge difficulties in managing supply chain risks, which can be exacerbated by geopolitical events and cyber threats.
The SOCI Act introduces new requirements for businesses operating in critical sectors such as communications, defence, healthcare, and financial services, requiring them to submit a Critical Infrastructure Risk Management Programme by the 28 September deadline. Failure to comply could result in significant legal and regulatory consequences.
Financial Pressures and Regulatory Complexities
In addition to cyber and supply chain risks, businesses are also facing mounting financial pressures, driven by high inflation, wage increases, rising interest rates, and increased energy costs. The report found that financial risk ranked second among the top five concerns for businesses, with 66 percent of executives highlighting it as a significant issue. This trend is expected to continue into 2025, with CFOs increasingly tasked with finding ways to reduce costs.
Moreover, the legal and regulatory landscape has become more complex, with recent changes to payment times reporting, wage underpayment laws, the Privacy Act, and the SOCI Act. These new regulations are adding layers of complexity for businesses, and 55 percent of surveyed leaders view legal and regulatory risk as a top concern for their organisation.
Looking Ahead
"As the SOCI reporting deadline approaches, many Australian organisations will be required to submit risk management programmes addressing cyber, geopolitical, regulatory, and supply chain risks for the first time," said Fehon. "We would prefer to arm businesses with the tools to face the changing landscape of risk head-on rather than reacting after an incident occurs."
With businesses facing a complex web of interconnected risks, McGrathNicol's report underscores the need for proactive risk management strategies that account for the growing challenges in cybersecurity, geopolitics, supply chains, and financial stability.