33. surviving agm threat

By Marc Harper, Chief Technology Officer, Lumi
7 December 2022

In October, Medibank became just the latest in a long list of Australian companies to fall victim to a cyber breach. Cyber attacks are increasing in both severity and regularity, with the Australian Cyber Security Centre (ACSC) receiving over 76,000 cyber crime reports in the 2021-22 financial year. That was a 13% increase compared to the year before, and represents one report every seven minutes.

What was particularly notable about Medibank was not just the scale of the breach – which affected the personal details of a staggering 10 million current or former customers – but its timing; coming just weeks before its Annual General Meeting (AGM). AGMs are a forum for shareholders to hold organisations accountable – on, for example, cyber security. On top of the already fierce scrutiny Medibank was expecting, the stakes were raised when hackers signalled their intent to target the AGM itself.

At the AGM, the issue of cyber security was discussed passionately, but the meeting passed without incident or breach. However, threats are out there, and will grow in the context of AGMs as hybrid meetings drive record attendance. Lumi data reveals that the 2,756 meetings it conducted in H1 2022 were attended by a total of 180,360 shareholders and 80,604 guests. That is 181% more meetings, 658% more shareholders and 32% more guests than in 2020. Ultimately, that is more people, more data and more potential for cyber breaches.

No company can become 100% immune to cyber threats at their AGM, but through powerful technology, they can implement powerful safeguards – just as Medibank did at its AGM.

Making data protection top priority 
As companies welcome more shareholders and investors to engage with, and vote at, their AGM through virtual channels, their data and its protection must be their top priority. To build data protection into their AGM, organisations must deploy technology that has comprehensive security frameworks that protect data confidentiality and integrity.

In Australia, for example, that technology must comply with the Commonwealth Privacy Act 1988, and all the obligations and data sovereignty requirements the Act contains. For example, organisations are required to securely transmit data and create a dedicated and segregated database for each meeting. This data can be protected further through the implementation of best-practice encryption.

We enforce the highest standards of access management and data control. That ensures companies can trust that their data – and, perhaps more importantly, their shareholders’ data – is processed in accordance with the strictest global and local legislative requirements, and be confident in its security.

Greater engagement at AGMs must be celebrated, and has huge benefits, but their data must be treated as sacred and guarded stringently. Data protection is the first step, but not the only one.

Safeguarding against DDoS vulnerabilities
Distributed denial-of-service (DDoS) attacks – malicious attempts to disrupt the normal traffic of a targeted server, service or network – are among the most common cyber attacks. To guard against them, meeting technology safeguards the event and blocks any unusual network traffic, ensuring shareholders can continue to participate and place essential votes with peace of mind and without disruption.

After all, to create true democracies – one of the foundational purposes of AGMs – shareholders must be not only allowed to vote, but comfortable that their vote will not compromise their data or security online. At Lumi, for example, we host AGM voting in Amazon Web Services (AWS) data centres in multiple global locations, with each jurisdiction selected to meet regional data privacy requirements.

Assessments, audits and an always-on approach to security
In 2021 we saw the number of hybrid meetings – and the shareholders and guests attending them virtually – skyrocket. In response, nine comprehensive security penetration tests were conducted by six different independent third parties against our global voting platform. What is more, through Qualys – a leading automated vulnerability platform – we conduct periodic and on-demand security assessments and code reviews against Open Web Application Security Project (OWASP) standards. The purpose is to maintain the strongest possible security posture in our code.

And by developing a comprehensive audit and reporting suite that allows for voting activity to be validated and verified, organisations can proceed with full confidence that the results are complete and accurate. This matters because security isn’t set-and-forget. It requires constant focus and ongoing refinement. Cyber attacks are becoming harder to detect and contain, so the protections against them must become more sophisticated too.

After a torrid few months, Medibank safely navigated the threats levelled towards its AGM. There will be more threats for more companies and their AGMs – they must be ready. Unfortunately, 100% cyber security is not possible, but with powerful safeguards behind them, companies and shareholders can enjoy the full benefits of hybrid AGMs and increased engagement and participation with peace of mind that measures are being taken.
