ASX 200 infostealer infections are now a board risk
ASX 200 infostealer infections are exposing how stolen credentials and shared suppliers can turn a solid cyber score into real board risk.

One in 10 ASX 200 companies finished 2025 with verified infostealer infections circulating in criminal logs, according to UpGuard’s latest ASX 200 cybersecurity report. That finding gives Australian listed-company directors a more concrete problem than another abstract warning about cyber risk: stolen employee identities and reused supplier access can now be measured across the country’s biggest boards.
The same report says the average ASX 200 security score reached 728.5 in 2025, up 1.58 per cent from a year earlier. Yet UpGuard’s report also argues that strong point-in-time scores and annual assurance exercises can miss live compromise, especially when valid credentials are already sitting in dark-web logs. Put differently, the market’s headline improvement sits beside a harder fact: better scores do not automatically mean safer organisations.
That tension is what turns this from a security-operations story into a governance one. The OAIC’s guide to securing personal information expects organisations to use technical and organisational controls that match the sensitivity of the data they hold, while the Cyber Security Act pushes the broader policy conversation toward ongoing resilience rather than tick-box compliance. By the next board briefing, a company that can cite last year’s control uplift but cannot explain its exposure to stolen identities, compromised sessions or shared suppliers may look prepared on paper and exposed in practice.
Why stolen identities matter more than another red dashboard
Infostealers do not need a dramatic breach notice to become expensive. Once malware lifts saved passwords, browser session cookies and authentication tokens from an employee or contractor device, the attacker can replay them and arrive with legitimate access rather than noisy malware; a stolen session cookie in particular walks in behind a multifactor prompt that the real user has already answered. That is why UpGuard’s framing matters. It treats identity exposure as the live perimeter for listed companies, not just the endpoint or firewall.

“Identity has become the new perimeter”
— UpGuard report, ASX 200 Cybersecurity Report
For boards, the practical shift is simple. If credentials from a finance team, payroll function or major supplier are already for sale, the question is no longer whether the company owns the right tooling. It is whether the company can spot abnormal use quickly, revoke access cleanly and contain the blast radius before customer or employee data is touched. UpGuard says 71 per cent of the verified infections it found were concentrated in the largest organisations, the same companies with the deepest supplier webs and the most valuable stores of identity data.
The report’s own language is blunt. Tools help, but they do not equal protection if the organisation is still scanning in snapshots. This is the insider’s complaint with traditional ratings and annual audits: they reward visible control ownership, while criminals exploit stale credentials, unmanaged endpoints and supplier pathways that do not wait for the next review cycle. That is a very different board conversation.
Seen from the regulator’s side, the issue is less exotic than the dark-web headline makes it sound. The OAIC framework is already built around reasonable steps, access controls and rapid response when personal information is at risk. An infostealer finding simply compresses those expectations into a more visible test: can the organisation show that identity compromise is being treated as an operating condition, not an annual exception?
Why rising scores should not calm directors too quickly
The skeptic’s question is fair. If the average security score is rising, why read the report as a warning rather than a sign of progress? The answer sits in Greg Pollock’s summary of the findings and in the report’s own methodology. Much of the improvement appears after incidents or disclosure events, which means the score can reflect how well a company cleaned up yesterday’s mess, not how well it will catch tomorrow’s misuse.
“periodic security checks are no longer enough”
— Greg Pollock, UpGuard, press summary
That lag matters because identity-led intrusions often look normal at the front door. In an analysis of post-login abuse, VentureBeat argued that multifactor authentication can confirm who logged in without saying much about what the session does next. UpGuard is not making the same argument in the same terms, but the overlap is obvious: a board dashboard can stay green while a valid session token is misused inside the estate.
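The post-login gap described above is concrete enough to show in code. The following is an added example written for this page, not code from UpGuard, VentureBeat or any ASX 200 company: a small detector that reads authentication log lines and flags a session that was established with MFA but is later used from a different client (IP and user agent) than the one that passed the MFA prompt, or used well past a maximum session age. The log format, field names, session identifiers and the 12-hour limit are all assumptions made for the example, and the log lines are constructed sample data.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not from any real system). One MFA-backed login
# per user, then requests carrying the same session token. The third and fourth
# lines arrive from a different IP and browser than the login did, which is what
# a replayed, infostealer-captured cookie looks like on the server side. The last
# line reuses a session two days after its login.
SAMPLE_LOG = """
{"ts":"2025-11-03T08:01:10Z","event":"login","user":"j.lee","session":"s-4f2a","ip":"203.0.113.10","ua":"Chrome/130 Windows","mfa":true}
{"ts":"2025-11-03T08:05:42Z","event":"request","user":"j.lee","session":"s-4f2a","ip":"203.0.113.10","ua":"Chrome/130 Windows","path":"/payroll/summary"}
{"ts":"2025-11-03T08:12:03Z","event":"request","user":"j.lee","session":"s-4f2a","ip":"198.51.100.77","ua":"Firefox/128 Linux","path":"/payroll/export"}
{"ts":"2025-11-03T08:12:09Z","event":"request","user":"j.lee","session":"s-4f2a","ip":"198.51.100.77","ua":"Firefox/128 Linux","path":"/admin/api-keys"}
{"ts":"2025-11-03T09:30:00Z","event":"login","user":"a.ng","session":"s-9c1d","ip":"203.0.113.22","ua":"Safari/18 macOS","mfa":true}
{"ts":"2025-11-05T11:00:00Z","event":"request","user":"a.ng","session":"s-9c1d","ip":"203.0.113.22","ua":"Safari/18 macOS","path":"/finance/invoices"}
"""

# Assumed policy value for the example: sessions older than this are suspicious.
MAX_SESSION_AGE = timedelta(hours=12)


def parse_log(text):
    """Yield one dict per non-empty log line, with "ts" parsed to an aware datetime."""
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        yield rec


def detect_session_misuse(records):
    """Return a list of (session, user, reason, ts) alerts.

    An MFA login binds a session to the (ip, user_agent) pair that passed the
    prompt. Any later request on that session from a different pair, or after
    MAX_SESSION_AGE, is flagged: MFA said who logged in, this says whether the
    same client is still the one driving the session.
    """
    bound = {}   # session id -> binding captured at MFA login
    alerts = []
    for rec in records:
        sid = rec["session"]
        if rec["event"] == "login":
            if rec.get("mfa"):
                bound[sid] = {"ip": rec["ip"], "ua": rec["ua"], "login_ts": rec["ts"]}
            continue
        if sid not in bound:
            alerts.append((sid, rec["user"], "request on session with no MFA login", rec["ts"]))
            continue
        b = bound[sid]
        if rec["ts"] - b["login_ts"] > MAX_SESSION_AGE:
            alerts.append((sid, rec["user"], "session used beyond max age", rec["ts"]))
        if (rec["ip"], rec["ua"]) != (b["ip"], b["ua"]):
            reason = (f"client changed from {b['ip']}/{b['ua']} to "
                      f"{rec['ip']}/{rec['ua']} on {rec['path']}")
            alerts.append((sid, rec["user"], reason, rec["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_session_misuse(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the sample, the detector raises two client-change alerts on s-4f2a (the replayed cookie hitting a payroll export and an API-key page) and one stale-session alert on s-9c1d; the original MFA logins themselves look clean, which is the point. In production a raw IP and user-agent string are a noisy binding (mobile networks and proxies change addresses legitimately), so a practitioner would bind on something sturdier such as ASN plus a device or token-binding identifier, and would shorten cookie lifetimes so a lifted session expires before it is worth selling.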
That is also why cyber scores can flatter companies that have become good at remediation theatre. Lift a control after an incident, close a few exposed services, rotate a set of passwords and the visible posture improves. Useful, certainly. Durable, not necessarily. Directors and audit committees should read the 728.5 average as a snapshot of reported posture, not a guarantee that identity compromise and supplier exposure are under control.
Shared suppliers turn single infections into market-wide exposure
The analyst’s concern in the UpGuard work is less about any one infected company than about concentration. Many ASX 200 firms rely on the same cloud platforms, the same identity tooling, the same managed service providers and the same software dependencies. That means a credential theft problem can spread its consequences through a common supplier layer even when each victim would prefer to treat it as an isolated incident.

Recent overseas cases show why that matters. VentureBeat reported this month that GitHub confirmed roughly 3,800 internal repositories were stolen through a poisoned VS Code extension, and Wired argued that repeated open-source poisoning has turned supply-chain trust into a standing operational problem rather than an edge case. Those are not ASX equivalents, but they show how a single trusted pathway can create downstream exposure at scale.
In Australia, the board-level implication is straightforward. Supplier risk cannot sit in procurement, cyber risk in the CISO function and privacy risk in legal, with each team reporting on a different timetable. If the same SaaS platform, contractor laptop or federated identity relationship can touch all three, the oversight model has to converge as well. Otherwise, the organisation ends up measuring three fragments of the same exposure and managing none of them in full.
That matters for investor relations too. When cyber risk starts showing up as a cross-market pattern, it becomes easier for shareholders, insurers and counterparties to compare one board’s disclosure discipline with another’s. A company that treats credential theft as a contained IT issue may satisfy the minimum briefing requirement. It will look less convincing if peers are already framing the same problem as identity governance and supplier resilience.
UpGuard’s report does not prove that every large listed company is one click away from a major incident. It does something more awkward. It suggests that stolen identities, dark-web visibility and shared suppliers are now common enough to show up across the ASX 200 as a class. For Australian boards, that changes the question from “Are we investing in cyber?” to “Can we see compromise while it is happening, and can we limit it before a supplier or session turns into a disclosure event?” That is the kind of answer directors will increasingly need, not only for shareholders, but for regulators and customers as well.
Reza Khalil
Cybersecurity reporter covering breaches, threat intel, and the ACSC beat. Former incident responder. Reports from Canberra.