
Learnings from Medibank: Protecting your AGMs and company meetings against threats

By Marc Harper, Chief Technology Officer, Lumi Global

  • Australian Cyber Security Centre (ACSC) received over 76,000 cyber crime reports in the 2021-22 financial year.
  • Recent cyber attacks have highlighted the need for more transparency and urgency from companies to protect shareholder data, both in general and at AGMs.
  • Companies that implement digital meeting safeguards will be able to enjoy peace of mind and build better relations with more engaged and protected shareholders.

Cyber attacks have become far too common among major companies in Australia, going from a rarity to a regularity in today’s digital-first world. In fact, the Australian Cyber Security Centre (ACSC) received over 76,000 cyber crime reports in the 2021-22 financial year alone, representing a 13 per cent year-on-year increase, or one report every seven minutes.

Data privacy has been dominant in the media agenda over the last couple of months. Most recently, the Medibank breach, occurring just weeks before its Annual General Meeting (AGM), has highlighted the need for more transparency and urgency from companies to protect shareholder data, both in general and at AGMs.

A question frequently raised by Medibank’s customers and shareholders in the lead up to its AGM was: what additional layers of protection were being put in place to ensure the security of their data? And these discussions around cyber security were again front and centre at the AGM, especially so after hackers threatened to target Medibank’s AGM itself. Fortunately, the meeting passed without incident or breach.

However, threats are out there, and they will likely grow in regularity as companies continue to adopt hybrid meetings. Due to the sensitive nature of these AGMs, the issues discussed and the votes cast, maintaining tight security is critical in ensuring all shareholders can join and have their say, safely. So as threats to companies and their AGMs increase, what must companies do?

Keep it secure

In feedback from a recent satisfaction survey, one client admitted they ‘had less visibility over how shareholder data was being stored when working through a registrar’. This is a trend we are seeing across the board, as more clients look to trim processes and enhance transparency and trust.

The security of AGMs, and of any company conference or Investor Relations meeting for that matter, is of utmost importance, not only due to the potentially sensitive nature of the discussions, but also to ensure the robustness and accuracy of voting and participation from attendees. Companies must use technology that has a comprehensive security framework to protect data confidentiality and integrity.

Whether it is the Commonwealth Privacy Act 1988 in Australia or General Data Protection Regulation (GDPR) obligations and sovereignty requirements in Europe, companies holding virtual and hybrid meetings must ensure that they are adhering to the regional data privacy requirements of their jurisdictions. Companies are required to securely transmit data and create a dedicated and segregated database for each meeting. This data then can be further protected by the implementation of best-practice encryption.

When identifying a technology provider for these meetings, companies must ensure the highest standards of access management and control of data are enforced. This is so they can be confident of its security and trust that their data, and that of their shareholders and investors, is processed in accordance with the global legislative requirements.

Ensure DDoS protection and IT expertise

When selecting virtual or hybrid meeting software, businesses should look for solutions that have been independently approved and penetration tested by third parties, and that run from a secured, encrypted network. This reduces the risk of a cyber security issue arising at a meeting.

Companies must ensure that the latest technology, armed with up-to-date security software, is deployed for any AGMs and company meetings. This is so these meetings are not vulnerable to targeted distributed denial-of-service (DDoS) attacks, which often lead to breakdowns of internal servers and networks. With these protections in place, any unusual network traffic can be blocked, and investors and shareholders can continue to participate and place critical votes with no disruption.

At the Medibank AGM, shareholders made calls for adding more IT and cyber expertise to the board. This is critical in ensuring that companies do not have a knowledge gap in IT security and can identify threats quickly. However, this also applies to the technology provider of their meetings to make sure that these meetings are equipped with the highest level of security, and that there is a plan in place should a threat occur.

Steady and consistent approach to security

Continuous security validation provides companies and their shareholders the assurance that the technology provider places the security of their data at the very heart of their solution design and development. Companies must ensure that their technology providers are responding and adapting their technology to current developments and threats.

A comprehensive audit and reporting suite that allows for voting activity to be validated and verified can also help companies proceed with full confidence that the results are complete and accurate. This is because security is an ongoing process that requires a constant focus and continuous refinement. Cyber attacks are becoming harder to detect and contain, so the protections against them must become more sophisticated.

As cyber security becomes a more pressing public concern, companies must safeguard their AGMs. No company can become 100% immune to an attack, but those who implement safeguards will be able to enjoy peace of mind and build better relations with more engaged — and protected — shareholders.

Marc Harper can be contacted on marc.harper@lumiglobal.com.

Material published in Governance Directions is copyright protected and may not be reproduced without permission. The views expressed therein are those of the author and not of Governance Institute of Australia. All views and opinions are provided as general commentary only and should not be relied upon in place of specific accounting, legal or other professional advice.
