July 2021 ASX 200 Security Report This report begins to assess the scale and sources of cyber risk in Australia by examining the ASX 200, the index of the top 200 companies in Australia by market capitalization. ASX 200 Security Report Executive Overview

This report begins to assess the scale and sources of cyber risk in Australia by examining the ASX 200, the index of the top 200 companies 36.3% in Australia by market capitalization. For this report, the UpGuard platform collected public 36.3% of companies surveyed had a live data leak in the past year. data to assess risk factors known to contribute to data breaches. These risk factors can be divided into data leaks and system configurations– that is, are companies unintentionally putting sensitive information onto the public internet, and are they configuring their internet-facing systems to reduce the likelihood of being compromised. This information is then aggregated and interpreted by an overall security rating.

Key findings:

• 36.3% of companies surveyed had a live data leak in the past year. Data leaks have increased by 25% in the ASX 200 since 2019.

• Overall, bigger companies are still more likely to have leaks: a company in the most valuable quartile of the ASX 200 is three times as likely to have a leak as one in the least valuable quartile. However, the quartile of the least capitalized companies experienced the greatest growth rate in leaks, more than doubling from 6% of companies in 2020 to 17% in 2021.

www.upguard.com 1 • More than 50% of companies in the Communication, Telecom, Energy, and Information Technology sectors had data leaks, with Financials close behind at 48%. Fewer than 20% of companies in the Health Care, Consumer Staples, and Real Estate sectors had data leaks detected by the methods used for this study.

• All companies have improved their overall security rating, no company has a score below 400 anymore.

• Although all industries generally improved their overall security rating, the best performing industries were finance, energy, and healthcare. Notably, utilities fared the worst, only increasing by 0.6% whereas nearly every other sector saw at least a 5% improvement in overall scores in the surveyed time period.

• The average UpGuard user score improved from 714 to 758, a 6% increase, whereas the rest of the ASX 200 improved from 668 to 700, a 4.5% increase.

• While both UpGuard customers and non-customers experienced overall increases in scores in the previous year, UpGuard customers began at a higher starting point. On average, non-customers had scores that were consistent with UpGuard customer scores from about a year ago, indicating that UpGuard customers are roughly a year ahead in their overall security programs.

www.upguard.com 2 ASX 200 Security Report Introduction

Last year, UpGuard published a research report on the ASX 200. To say that the world has changed between 2020 and 2021 is an understatement. At the same time, many of the ways in which societies have responded to COVID-19 have only accelerated or accentuated existing trends. The mass adoption of remote work, for example, suddenly left city highways empty, but it was possible because of an existing marketplace of tools for telecommunication. COVID-19 60% didn’t lead to the invention of video chat, it just made it Ransomware attacks have the norm. increased 60% year over year COVID-19 didn’t invent cyber threats, either, but the increase in digital adoption has multiplied the potential targets. Ransomware attacks have increased by 60% year over year1, a trend that can be given a dollar amount by looking at its impact on cyber insurance. In Canada, the net claims ratio – the ratio between losses paid out by insurers versus premiums collected by them – for cyber insurance in 2019 was 39%. In 2020, it was 105%2. Despite premiums increasing significantly throughout 2020, losses increase more quickly than insurers’ ability to raise prices, ultimately resulting in the operating at a loss. Insurance exists because disasters happen all the time. Those disasters aren’t supposed to happen to the insurers.

1. SonicWall, "2021 SonicWall Cyber Threat Report", https://www.sonicwall.com/2021- cyber-threat-report/

2. FitchRatings, "Sharply Rising Cyber Insurance Claims Signal Further Risk Challenges", https://www.fitchratings.com/research/insurance/sharply-rising-cyber-insurance-claims- signal-further-risk-challenges-15-04-2021/ www.upguard.com 3 Even as shifting digital footprints created fertile ground for misconfigurations, human error, and vulnerabilities, companies were not helpless. Especially for companies like those in the ASX 200, digital transformation projects have been underway for years. Having, and testing, a disaster recovery plan is always a good idea. Why it is worth doing all that preparation only becomes more tangible after a ransomware attack.

Methodology

The UpGuard platform collects public data to assess risk factors known to contribute to data breaches. At a high level, these risk factors can be divided into data leaks and system configurations - that is, are companies unintentionally putting sensitive information onto the public internet, and are they configuring their internet- facing systems to reduce the likelihood of being compromised. UpGuard analysts manually reviewed all data leaks to ensure they meet the criteria of internal data of some level of sensitivity.

The companies included in this study were the 200 most valuable Australian companies in April of 2021. The group of companies in the 2020 study was slightly different due to changes in market capitalization between 2020 and 2021. When year over year changes are discussed, we have tried to make it clear whether we are comparing the two cohorts or are discussing the state of the 2021 cohort as it existed a year ago versus today.

www.upguard.com 4 Part 1 Data leaks

Data leaks or data exposures occur when people mishandle information and make it publicly accessible. There are other usages of these terms – for example, when an insider “leaks” information to the press to expose some perceived wrongdoing at their organization, or when threat actor groups “leak” data they have exfiltrated – but for our purposes, we are looking at the unintentional exposure of data of some level of sensitivity.

Some data leaks are serious in themselves, containing protected data classes like personal health information. Othertimes, they sit in a gray zone of potential impact. When credentials are leaked, for example, there is no impact until someone abuses them. The SolarWinds attack, which Microsoft President Brad Smith called “the largest and most sophisticated attack the world has ever seen,” may have been precipitated by an intern exposing a password on Github3, according to former SolarWinds CEO Kevin Thompson. Incidents like that are very common, and if no one abuses the credentials - or more precisely, no one is known to have abused the credentials - they are treated as minor events.

Data leaks thus have a high degree of potential – under one set of circumstances disastrous, and under another insignificant. An intern exposing a password may have no impact at all, depending on their level of access and other mitigating factors; it also has the potential to be the first step on the road to catastrophe. Conversely, we have worked cases where large sets of sensitive data have been exposed, but with speedy detection and thorough investigation, they have been secured before any malicious actors could exploit them. This quality of leaks helps explain why they are so often ignored, and perhaps why so many breaches happen with credentials gathered from an unknown source.

3. ZDNet, "SolarWinds security fiasco may have started with simple password blunders", https://www.zdnet.com/article/solarwinds-security-fiasco-may-have-started-with- simple-password-blunders/ www.upguard.com 5 More than 36% of ASX200 01 companies have open data leaks UpGuard continuously monitors for customer data using search queries tuned by analysts in collaboration with the security teams of those companies. These searches use many keywords and are more likely to detect leaks than companies without threat intelligence programs. Because those leaks are reported and remediated immediately, they pose far less risk than those left in the open. For the purposes of maintaining the integrity of this research, UpGuard customers have been excluded from this report’s dataset.

Among the companies surveyed, we detected leaks for 36.3% of ASX200 companies in 2021. As we will discuss in the next finding, the percentage of companies in this study with data leaks shows an increasing and troubling trend.

We detected leaks for 36.3% of the remaining companies in the ASX 200.

www.upguard.com 6 Number of companies with leaks 02 continues to increase In 2020 we reported leaks for around one third of the ASX 200, and would have rounded the overall exposure in 2019 to “around one third” as well. The precise percentage of companies with data exposures, however, shows a troubling trend. Amongst non-customers, we detected leaks for 36.3% of companies in 2021. In 2020, 32.5% of companies had leaks; in 2019, it was 29%.

Given that data leaks are a byproduct of digitization, this trend appears likely to continue. Businesses will continue to expand the number of IT systems they use, the number of technical employees, the digitization of information, and their digital supply chain. We were able to observe some of the effects of this overall trend when comparing the correlation between data leaks and company size.

www.upguard.com 7 Leaks growing in smaller companies 03 One of the trends that shows how data leaks are becoming more commonplace is the changing degree of correlation between market capitalization and data leaks. Overall, bigger companies are still more likely to have leaks: a company in the most valuable quartile of the ASX 200 is three times as likely to have a leak as one in the least valuable quartile. However, there was no year on year growth in the percentage of companies with leaks in the most valuable quartile: in 2020, 58% of those companies had leaks, whereas In 2021, 56% did. In 2020, half of all companies with leaks were in the quartile with the highest market cap. This year only 40% of leaks were for companies in that quartile.

That change is due to significant growth in leaks among smaller companies, greatly reducing the slope of the correlation between market cap and likelihood to have a data leak. The quartile of the least capitalized companies experienced the greatest growth rate in leaks, more than doubling from 6% of companies in 2020 to 17% in 2021. This trend suggests that data leaks are becoming less of an esoteric problem for big companies running expansive digital programs, and more of a common occurrence for smaller companies that may have a digital footprint comparable to that of a larger company a few years ago.

www.upguard.com 8 Industry has a strong impact on leakage 04 Tech companies - telecoms, communications, IT have the most data leaks

With digitization at the root of data exposures, industry continues to correlate with the rate of data exposure. The more people working on building, testing, and managing IT systems, the more potential for a misstep to occur each day. More than 50% of companies in the Communication, Telecom, Energy, and Information Technology sectors had data leaks, with Financials close behind at 48%.

Conversely, some industries were much less likely to have data leaks: fewer than 20% of companies in the Health Care, Consumer Staples, and Real Estate sectors had data leaks detected by the methods used for this study. Those industries may be at higher risk of other types of incidents, or of exposing sensitive data in other ways – many healthcare breaches, for example, involve sending health data to the wrong person, and a widely covered incident for Western Australia involved pager messages sent over radio being intercepted by a canny teenager – but on average, these industries are less likely to post credentials or sensitive data on the public internet. However, past performance is not indicative of future results, as we found in our last insight.

www.upguard.com 9 Which companies have data leaks 05 remains dynamic Year on year changes indicate steady growth and a move toward data leaks being more common in companies of all sizes. But are there other, static factors in the structure of companies with leaks that may not be measurably related to size and industry? Are the same companies repeat offenders, perhaps due to poor employee education or vendor management programs, and the changes from year to year indicate exposure for only a handful of new companies?

www.upguard.com 10 While industry and size continue to The surprising fact we discovered this have a meaningful correlation with year, however, is that amongst those leaks, the number of companies that companies in both the 2020 and 2021 did not have a data leak in 2020 but cohorts, 34 did not have a leak in 2020 did in 2021 is very high. Between the but did in 2021. Given how consistent 2020 and 2021 reports, the companies the overall numbers are, we would included in the ASX 200 have changed have expected leaks to be originating slightly due to changes in market from mostly the same companies. In capitalization – 175 companies were fact, over half of the leaks were from in the ASX 200 both years. Of those companies that previously had not had 175 companies examined for leaks a data leak. The fact that market cap in both years, 61 had leaks in 2021, and industry were strong predictors corroborating our earlier finding in 2020 and 2021 while the individual on the correlation between market companies with leaks changed quite a capitalization and likelihood of having bit supports the hypothesis that there a leak: bigger companies are more is a causal relationship between greater securely lodged in the ASX 200, and digitization and data leaks. those companies have more data leaks.

47.7 % 52.3% Repeat offenders New leaks

www.upguard.com 11 Part 2 UpGuard data insights

In addition to managing how employees handle sensitive data, businesses must also fend off would-be attackers. There is no perfect defense against cyber attacks – zero day vulnerabilities and supply chain attacks make it impossible to know every threat – but there are certainly steps businesses can take to make themselves less susceptible to breach and more capable of response and recovery.

The four vulnerabilities disclosed for Microsoft Exchange Server illustrate the kind of risk that can be detected using external data collection methods like those in the UpGuard platform. Shodan, an internet scanning tool, reported over 266,000 internet-facing IP addresses with the OWA vulnerabilities. While there is no cure for zero day vulnerabilities, there is also no reason to prolong exposure once a patch is available. Being able to detect such vulnerabilities for your and your vendors’ internet-facing assets reduces the risk that they will be exploited.

The UpGuard Security Ratings are based on the collection of underlying risk factors that can be used by attackers to identify targets. These underlying risk factors are weighted based on the risk they pose and combined using a Gaussian average. These scores are calculated for categories of risk, like website configurations, and then combined across a company’s digital footprint for an overall rating of their security posture.

www.upguard.com 12 Steady improvement across all quartiles 01 In reviewing the cyber risk ratings of companies in the ASX 200, those scores continue to improve. Grouping companies into quartiles by market cap, there continues to be a correlation between overall size and a better score, but there has also been year on year improvement in every group, just as there was from 2019 to 2020. Though the average score of companies in the quartile of least capitalized companies continues to be about 10% lower than the average score for the most capitalized companies, every group has improved from 2020 to 2021 at about the same rate. In ascending order of market capitalization, the groups improved by 4.5%, 5.6%, 6%, and 3.3%.

One caveat is that the two quartiles of the most valuable companies reached about the same average score this year: 742 for the second most valuable group and 741 for the most valuable. One interpretation is that the security posture reflected by a score of 750 out of 950 may be a kind of resting place for companies’ current security capabilities - not a maximum of what is possible, but a tacit consensus on what is good enough. Examining the overall distribution of scores, however, shows that hypothesis is true for the bulk of companies but not all.

www.upguard.com 13 Security focused companies are pulling 02 away from the pack Looking at the distribution of companies by score tier, we see the same overall pattern as when grouped by market cap: in general, all the scores are a little higher than before. No companies have a score lower than 400 anymore, the group between 400-500 has shrunk from 7 to 2, and the group from 500-600 decreased from 23 to 13. As absolute scores, those still reflect some serious risks in their security posture, but it is heartening to see the highest risk groups decreasing most quickly. The only groups to increase are those from 700-800 and 800-900, indicating a general migration toward good security.

When we plot the score of individual companies we see a gentle slope that turns abruptly upward at the end. These are companies that are not maturing at the same rate as others, and we can see that inflection point – where the slope abruptly increase – moving left from 2020 to 2021. That is, there is a small but growing group of companies that not only have better security hygiene, but are on a different trajectory for maturing their security capabilities than approximately 90% of the ASX 200.

www.upguard.com 14 Improvement across all industries, but 03 some improving much more than others The average score for every industry increased year over year from 2020 to 2021, though in some cases not by much. Utilities had the lowest rate of improvement, going from 728 to 733 – a 0.6% increase – and moving them from the industry with the third best average score to the sixth best. By contrast, half the industries improved by 5% or more.

Building on the observation that some of the top performers continue to improve the most, some of the industries that already had high averages made significant improvements. The average score for Energy companies increased by 7%, moving them from the fourth best industry to the head of the pack. Financials, last year’s leading industry, improved by 3.9% to stay close behind as the second highest scoring industry. Again, the patterns we see in improvement do not indicate companies approaching an upper bound, but that companies that work to have better security do have better security.

www.upguard.com 15 Continuous security monitoring leads to 04 security improvements As a matter of curiosity, we compared the scores of companies that are UpGuard users to those that are not. We certainly expected that our users would score better due to the circularity in grading them on the criteria that our product recommends. But there is a real question about the relationship between knowledge and action here. UpGuard provides visibility of one’s internet-facing risks, but doesn’t resolve them (nor, of course, do we hide any company’s externally verifiable risks from other users). Personal experience can tell us that there is a world of difference between knowing what we should do and actually doing it, and the bias to inaction can be even more pronounced in corporate contexts where different groups have competing interests. Given improved information about cyber risk factors, do businesses act to improve their security? Is part of the problem having visibility into one’s risk profile, or is the problem just in implementing the solutions to those risks?

The answer has two parts. One is the expected result: the average UpGuard user score improved from 714 to 758, a 6% increase, whereas the rest of the ASX 200 improved from 668 to 700, a 4.5% increase. The parallel improvement among non- customers is not a surprise: the risks identified by the UpGuard platform are based on best practices that should be part of a security roadmap regardless of whether or not we recommended them. The similar rate of improvement among non-customers corroborates that the scoring system is based on consensus beliefs about good security practices.

www.upguard.com 16 What was not expected is that the customer population’s average score in 2020 would already be higher than the non- customer population in 2021 – effectively more than a year ahead in their security program. These are companies that both have clarity on their digital risks, and have a commitment to investing in their cyber risk posture. Comparing the absolute scores and year over year changes in score between the two populations shows that all companies are maturing along the path prescribed by the UpGuard scoring system, but that the additional clarity provided by a single view of those risks leads to faster adoption of those security controls.

Comparing the absolute scores and year over year changes in score between the two populations shows that all companies are maturing along the path prescribed by the UpGuard scoring system...

www.upguard.com 17 Scores remain dynamic but far more improvement, less 05 backsliding than previous year

One of the surprises in the 2020 study was how much variation there was per company in the scoring categories of website, network, and email security amongst companies that overall went up or down. That is, companies showing overall improvement would still often have counter directional changes in one or more 163 of those categories. In each category, close to half of Out of 200 companies all companies improved while the other half declined, improved their score in meaning that many companies may have become less at least one category. susceptible to some risks while actually increasing their vulnerability to other kinds of attacks.

This year that pattern continued, but with fewer large decreases in scores. Out of 200 companies, 163 136 improved in at least one category and 136 improved overall, while 146 declined in at least one category Out of 200 companies improved their score overall. and 58 decreased over all. (6 companies managed to balance things perfectly and have the exact same score both years). The size of those declines were smaller and were outweighed by larger gains – while 25 companies improved by over 100 points, only 4 declined by the same margin. Interestingly, this year saw far greater issues with risks in the website category than last year, when risks with email security configuration were more pervasive. 108 companies saw their website score decline compared to 82 companies where it increased, and 15 of those companies decreased their website score by more than 100 points. This was the only risk category where more companies declined than improved.

www.upguard.com 18 Conclusion

The intensifying threat environment has put more strain on companies that have not invested in security. Major, systemic incidents involving Exchange Server OWA vulnerabilities, SolarWinds, and Accellion have resulted in data loss for many companies and government. These incidents should highlight that breaches are neither rare nor self-contained, and that minor leading indicators and rarely used business continuity plans cannot be ignored without repercussions.

At the same time, we see evidence that some companies are responding in kind, with accelerated programs to close externally visible risks. Of course, part of the difficulty is that the greatest risks may lie in the supply chain, where in-depth assessment requires information beyond what is externally accessible. For many companies, data leaks remain a blind spot and may compound that third party risk.

With breaches becoming commonplace and widespread, companies cannot rely on being lucky. The rising price of cyber insurance shows that the latent risk of companies with poor cyber hygiene is now being realized. Companies that viewed breach as an unlikely risk worth gambling on are paying the price. But for companies that are preparing now – of which we found many in our study – this new threat environment will be someplace they can still thrive.

www.upguard.com 19 Part 3 ASX 200 companies and their security performance

ASX Company 2020 2021 Change

A2M The a2 Milk Company Ltd 539 624 +85

ABC Adbri Ltd 734 784 +50

ABP Abacus Property Group 707 709 +2

AGL AGL Energy Ltd 731 755 +24

AIA Auckland International Airport Ltd 566 463 -103

ALD Ampol Ltd 589 801 +212

ALL Aristocrat Leisure Ltd 737 751 +14

ALQ Als Ltd 679 709 +30

ALU Altium Ltd 675 706 +31

ALX Atlas Arteria 738 722 -16

AMC Amcor Plc 738 737 -1

AMP AMP Ltd 669 670 +1

ANN Ansell Ltd 638 884 +246

ANZ Australia and New Zealand Banking 774 804 +30 Group Ltd

APA APA Group 755 786 +31

APE Eagers Automotive Ltd 481 689 +208

APT Afterpay Ltd 826 870 +44

www.upguard.com 20 ASX Company 2020 2021 Change

APX Appen Ltd 732 766 +34

ARB ARB Corporation Ltd 629 628 -1

ASB Austal Ltd 649 692 +43

AST Ausnet Services Ltd 758 774 +16

ASX ASX Ltd 752 804 +52

AUB AUB Group Ltd 672 746 +74

AWC Alumina Ltd 542 641 +99

AZJ Aurizon Holdings Ltd 827 768 -59

BAP Bapcor Ltd 436 757 +321

BEN Bendigo and Adelaide Bank Ltd 745 766 +21

BGA Bega Cheese Ltd 791 689 -102

BHP BHP Group Ltd 725 710 -15

BIN Bingo Industries Ltd 669 557 -112

BKL Blackmores Ltd 726 750 +24

BKW Brickworks Ltd 681 725 +44

BLD Ltd 666 677 +11

BOQ Bank of Queensland Ltd 745 786 +41

BPT Beach Energy Ltd 812 826 +14

BRG Breville Group Ltd 747 753 +6

BSL Bluescope Steel Ltd 713 724 +11

BWP BWP Trust 695 823 +128

www.upguard.com 21 ASX Company 2020 2021 Change

BXB Brambles Ltd 566 723 +157

CAR Carsales.com Ltd 644 651 +7

CBA Commonwealth Bank of Australia 769 789 +20

CCL Coca-Cola Amatil Ltd 712 758 +46

CCP Credit Corp Group Ltd 816 815 -1

CDA Codan Ltd 762 741 -21

CGC Costa Group Holdings Ltd 555 658 +103

CGF Challenger Ltd 743 749 +6

CHC Charter Hall Group 759 764 +5

CIA Champion Iron Ltd 323 513 +190

CIM Cimic Group Ltd 713 740 +27

CIP Centuria Industrial REIT 636 812 +176

CKF Ltd 694 727 +33

CLW Charter Hall Long Wale REIT 759 764 +5

CMW Cromwell Property Group 620 752 +132

CNU Chorus Ltd 764 764 +0

COH Cochlear Ltd 695 699 +4

COL Coles Group Ltd 720 785 +65

CPU Computershare Ltd 687 698 +11

CQR Charter Hall Retail REIT 759 764 +5

CSL CSL Ltd 757 781 +24

www.upguard.com 22 ASX Company 2020 2021 Change

CSR CSR Ltd 665 737 +72

CTD Corporate Travel Management Ltd 624 682 +58

CUV Clinuvel Pharmaceuticals Ltd 529 529 +0

CWN Crown Resorts Ltd 643 693 +50

CWY Cleanaway Waste Management Ltd 463 572 +109

DHG Domain Holdings Australia Ltd 738 728 -10

DMP Domino's PIZZA Enterprises Ltd 753 778 +25

DOW Downer Edi Ltd 695 678 -17

DRR Deterra Royalties Ltd 639 639 +0

DXS Dexus 651 681 +30

ELD Elders Ltd 652 575 -77

EML EML Payments Ltd 717 714 -3

EVN Evolution Mining Ltd 633 647 +14

FBU Fletcher Building Ltd 602 711 +109

FLT Travel Group Ltd 686 712 +26

FMG Fortescue Metals Group Ltd 760 778 +18

FPH Fisher & Paykel Healthcare 739 655 -84 Corporation Ltd

GEM G8 Education Ltd 704 696 -8

GMG Goodman Group 732 670 -62

GNC Graincorp Ltd 660 653 -7

www.upguard.com 23 ASX Company 2020 2021 Change

GOR Gold Road Resources Ltd 760 693 -67

GOZ Growthpoint Properties Australia 708 695 -13

GPT GPT Group 724 713 -11

GUD G.U.D. Holdings Ltd 561 552 -9

HLS Healius Ltd 666 630 -36

HUB HUB24 Ltd 792 816 +24

HVN Harvey Norman Holdings Ltd 827 827 +0

IAG Financials Australia Group Ltd 752 725 -27

IEL Idp Education Ltd 769 770 +1

IFL IOOF Holdings Ltd 794 804 +10

IGO IGO Ltd 695 718 +23

ILU Iluka Resources Ltd 802 800 -2

INA Ingenia Communities Group 662 698 +36

ING Inghams Group Ltd 703 716 +13

IPH IPH Ltd 494 686 +192

IPL Incitec Pivot Ltd 550 783 +233

IRE Iress Ltd 700 695 -5

IVC Invocare Ltd 824 812 -12

JBH JB Hi-Fi Ltd 687 700 +13

JHG Janus Henderson Group Plc 692 632 -60

JHX James Hardie Industries Plc 647 609 -38

www.upguard.com 24 ASX Company 2020 2021 Change

KGN Kogan.com Ltd 512 434 -78

LLC Lendlease Group 669 710 +41

LNK Link Administration Holdings Ltd 795 814 +19

LYC Lynas Rare EARTHS Ltd 593 584 -9

MFG Magellan Financial Group Ltd 816 766 -50

MGR Mirvac Group 628 720 +92

MIN Mineral Resources Ltd 583 707 +124

MND Monadelphous Group Ltd 620 584 -36

MP1 Megaport Ltd 743 814 +71

MPL Medibank Private Ltd 715 738 +23

MQG Ltd 722 742 +20

MSB Mesoblast Ltd 637 637 +0

MTS Metcash Ltd 762 834 +72

NAB National Australia Bank Ltd 786 805 +19

NAN Nanosonics Ltd 519 540 +21

NCM Newcrest Mining Ltd 766 748 -18

NEA Nearmap Ltd 620 674 +54

NEC Co. Holdings Ltd 733 740 +7

NHF Nib Holdings Ltd 775 800 +25

NIC Nickel Mines Ltd 675 694 +19

NSR National Storage REIT 649 719 +70

www.upguard.com 25 ASX Company 2020 2021 Change

NST Northern Star Resources Ltd 608 668 +60

NUF Nufarm Ltd 727 718 -9

NWH NRW Holdings Ltd 718 694 -24

NWL Netwealth Group Ltd 799 852 +53

NWS News Corporation 731 734 +3

NXL NUIX Ltd 807 756 -51

NXT NEXTDC Ltd 775 763 -12

OBL Omni Bridgeway Ltd 410 749 +339

ORA Orora Ltd 647 619 -28

ORG Origin Energy Ltd 760 761 +1

ORI Orica Ltd 640 648 +8

OSH Oil Search Ltd 778 820 +42

OZL OZ Minerals Ltd 691 736 +45

PBH Pointsbet Holdings Ltd 741 823 +82

PDL Pendal Group Ltd 851 814 -37

PLS Pilbara Minerals Ltd 507 593 +86

PME Pro Medicus Ltd 436 788 +352

PMV Premier Investments Ltd 546 623 +77

PNV Polynovo Ltd 618 678 +60

PPT Perpetual Ltd 703 725 +22

PRN Perenti Global Ltd 547 545 -2

www.upguard.com 26 ASX Company 2020 2021 Change

PRU Perseus Mining Ltd 627 629 +2

PTM Platinum Asset Management Ltd 695 663 -32

QAN Qantas Airways Ltd 823 791 -32

QBE QBE Financials Group Ltd 751 779 +28

QUB Ltd 662 661 -1

REA REA Group Ltd 772 793 +21

REH Reece Ltd 805 783 -22

RHC Ramsay Health Care Ltd 627 738 +111

RIO RIO Tinto Ltd 700 721 +21

RMD Resmed Inc 688 675 -13

RMS Ramelius Resources Ltd 542 561 +19

RRL Regis Resources Ltd 512 558 +46

RSG Resolute Mining Ltd 626 691 +65

RWC Reliance Worldwide Corporation Ltd 748 739 -9

S32 SOUTH32 Ltd 666 721 +55

SBM ST Barbara Ltd 674 601 -73

SCG Scentre Group 736 760 +24

SCP Shopping Centres Australasia 827 692 -135 Property Group

SDF Steadfast Group Ltd 651 801 +150

SEK Seek Ltd 733 771 +38

SGM Sims Ltd 656 655 -1 www.upguard.com 27 ASX Company 2020 2021 Change

SGP Stockland 525 696 +171

SGR The Star Entertainment Group Ltd 751 756 +5

SHL Sonic Healthcare Ltd 689 714 +25

SKC Skycity Entertainment Group Ltd 485 768 +283

SKI Group 669 616 -53

SLR Silver Lake Resources Ltd 541 634 +93

SOL Washington H Soul Pattinson & 646 655 +9 Company Ltd

SPK Spark New Zealand Ltd 685 679 -6

STO Santos Ltd 739 737 -2

SUL Super Retail Group Ltd 563 624 +61

SUN Suncorp Group Ltd 796 809 +13

SVW Seven Group Holdings Ltd 706 686 -20

SYD Sydney Airport 713 792 +79

TAH Tabcorp Holdings Ltd 765 797 +32

TCL Transurban Group 790 782 -8

TLS Telstra Corporation Ltd 582 666 +84

TNE Technology One Ltd 711 735 +24

TPG TPG Telecom Ltd 602 685 +83

TWE Treasury Wine Estates Ltd 726 701 -25

UMG United Malt Group Ltd 611 611 +0

www.upguard.com 28 ASX Company 2020 2021 Change

URW Unibail-Rodamco-Westfield 749 776 +27

VCX Vicinity Centres 783 768 -15

VEA Viva Energy Group Ltd 772 775 +3

VOC Vocus Group Ltd 661 695 +34

VUK Virgin Money Uk Plc 845 858 +13

WBC Westpac Banking Corporation 741 772 +31

WEB Webjet Ltd 694 770 +76

WES Wesfarmers Ltd 695 823 +128

WGX Westgold Resources Ltd 694 893 +199

WHC Whitehaven Coal Ltd 722 815 +93

WOR Worley Ltd 661 794 +133

WOW Woolworths Group Ltd 721 711 -10

WPL Woodside Petroleum Ltd 778 798 +20

WPR Waypoint REIT 580 735 +155

WTC Wisetech Global Ltd 706 762 +56

XRO Ltd 729 746 +17

Z1P ZIP Co Ltd 763 799 +36

www.upguard.com 29 Questions? We have answers We're here to help, shoot us an email at [email protected]

Know your vendors. Secure yourself. Looking for a better, smarter way to protect your data and prevent breaches?

UpGuard offers a full suite of products for security, risk and vendor management teams.

www.upguard.com 723 N Shoreline Boulevard, Mountain View CA 94043, United States

+1 888-882-3223 © 2020 UpGuard, Inc. All rights reserved. UpGuard and the UpGuard logo are registered trademarks of UpGuard, Inc. All other products or services mentioned herein are trademarks of their respective companies. Information subject to change without notice.