The way listed companies report on cybersecurity risk is not meeting the needs of investors, according to a new report from the UK’s Financial Reporting Council. Limited or ‘boilerplate’ disclosures are an indication that a company does not take cybersecurity seriously enough, investors told the Council.
The report provides guidance on how companies can report ‘digital security risk’ more effectively, to help reassure investors and to prepare for forthcoming UK legislation.
Cybersecurity risk reporting: falling short
Listed companies are obliged by law to report on the ‘principal risks’ that have the potential to disrupt their businesses, so investors know what they are getting themselves into. Given the dependence of all businesses on digital technology, cybersecurity risks are routinely included in these risks. In 2018, 99% of the FTSE 100 mentioned cyber risk in their financial reports, according to a study by Deloitte.
However, the way in which companies disclose these risks, explain how they relate to their broader business strategy, and detail the governance and risk management measures they have in place to mitigate them is “not meeting investor needs”, according to the Financial Reporting Council’s report. The report is based on in-depth interviews with a number of institutional and retail investors and asset managers, as well as listed companies.
“Participants noted that, on average, current disclosures are not sufficient to meet investor and other stakeholder needs,” the Council found.
And while some participants fear that additional cybersecurity disclosure requirements could expose companies to greater risk, “there was an equal number who highlighted the opposite, noting in their view, that a lack of disclosure or overly static ‘boilerplate’ disclosure was in itself a flag that a company was not sufficiently emphasising digital security,” the report says.
Cybersecurity risk disclosure requirements in the UK are expected to become more stringent in future, the Council notes. In its response to a consultation on audits and corporate reporting earlier this year, the government said it plans to require companies to provide a ‘resilience statement’ that includes specific disclosures on cybersecurity.
Based on its interviews with investors, the Council offers a series of recommendations for corporate reporting teams and audit committees to help them provide “more and better-focused disclosure”. It also identifies best-practice examples from companies including IAG and Schneider Electric.
How to report on cybersecurity risk
The Council’s recommendations are focused on four areas of disclosure: strategy, risks, governance and events.
To fully appreciate a company’s cybersecurity risks, investors want to understand how its overall strategy depends on digital technology. This includes an understanding of how digital transformation underpins business strategy, how the company monitors and manages technology-driven trends such as the future of work, and how the execution of its strategy relies on digital systems and assets.
IAG, the airline group that owns British Airways, Iberia and Aer Lingus, is an example of a company that communicates the link between strategy and technology effectively, according to the FRC. Its latest financial report includes a section written by CIO John Gibbs on how IT underpins the group’s strategy.
“Reporting ‘directly from the CIO’ … illustrates the company’s commitment to technology and digitisation in achieving its strategic objectives,” the FRC says.
When it comes to cybersecurity governance, “company disclosures … often cover the ‘what’ [but] they neglect the ‘why’ and ‘how’,” the report says. Investors want disclosures that link security governance measures to strategy and risk appetite, that show how the board has oversight of cybersecurity risks, and reveal how the company is developing a ‘cybersecurity culture’, the FRC argues.
The report highlights Schneider Electric, which considers cybersecurity risks beyond its organisational boundaries, including its suppliers and contractors, in its disclosures.
When it comes to identifying particular cybersecurity risks, investors want to know how they relate to strategy and what the company has done to mitigate them. And they want a level of detail that reassures them that “the company has clear oversight over its critical assets, data and critical third-party relationships (including supply chain)”.
A 2020 study by French consultancy Wavestone found that a little under half of FTSE 100 companies (44%) provided specific, contextual information about cyber risks and their potential impact in their financial reports. The majority (51%) gave only simple descriptions of risks and their impact.
UK manufacturer Derwent is highlighted as a company that provides "context of how cyber risk connects to its operations and business model" in its financial reports.
Lastly, when it comes to reporting cybersecurity events, such as data breaches, investors want to know not just the details of each incident but also "the effectiveness of a company’s response and how lessons learned from the event or have been, incorporated into changes to relevant structures and processes".
"The dominant theme in our discussions with participants indicated that it is important to set out the actions taken or to be taken should a company (or a key supplier or third-party service provider) experience a cybersecurity event particularly during periods of heightened political risk," the report says.
The report highlights the example of engineering company Weir, which suffered a 'cybersecurity incident' in September 2021. The company provided initial information on the incident in its subsequent quarterly report, and more detail in its yearly report.
Data-driven cybersecurity risk reporting
Philippe Korur, a director at consultancy PwC's cybersecurity practice, agrees that cyber risk reporting needs to evolve. Risks are "actual business risks that derive from security-related threats," he says, but "people often mis-define, mis-measure and miscommunicate these risks as threat scenarios like 'ransomware attack', threat vectors or techniques like 'phishing', or controls like 'data loss protection'".
He adds: "Executive reports often focus on what can be reported rather than what should be reported, which can result in a misunderstanding of true cyber risk exposure."
Cybersecurity reporting should and can be more data-driven, "with clear, transparent data models and risk models," Korur argues.
"Organisations that embark on a cyber risk management journey should start by understanding their level of maturity and establishing the key building blocks – including identifying and setting up the inter-relationships between risks, threat scenarios, key controls and metrics," he explains.
"Effort should then be spent on creating a dynamic dashboard visualising those building blocks and implementing a pragmatic approach for risk and control measurement."