In the midst of headlines focused on climate change, global health, and other ESG issues, cyber security has quietly and quickly become one of the most critical issues for companies to manage. The European Commission recently estimated that cyber crimes cost the global economy €5.5 trillion ($6.4 trillion) in 2020, which is double the cost from 2015.
Because of the growing risk, investors are increasing scrutiny of how companies are addressing the cyber security threats that are most likely to affect them. Investors are pressing for strong disclosures in three key areas: awareness, competency, and leadership.
Awareness: Do you understand your risks?
Knowledge of risks and industry best practice
Investors want to know that your company understands the specific areas of operations vulnerable to cyber security threats and that you identify which threats are likely to be financially material. You should disclose your compliance obligations under relevant regulations, your understanding of best practices to manage risks given your industry and geography, and any plans to improve toward best practices.
Recognition of new and evolving threats
Investors would like to understand how you are thinking about and responding to new issues, such as how to protect employees and networks in a work-from-home environment, or how you will be impacted by new national regulations on cyber security.
Competency: How do you manage key risks?
Policies and practices to manage risks
Investors want assurances that companies have strong cyber security policies and practices in place appropriate to their risks. You should disclose whether you use ISO/IEC 27001, SCF, NIST, or a similar framework for Information Security Management. You should also specify how you think about cyber security across the enterprise – physical locations, networks, devices, etc. If possible, you should disclose external audits or penetration testing.
Cyber security can be strengthened through routine training of non-IT employees. Companies should disclose the frequency of cyber security training programs, the percentage of employees trained, and any improvement in employee behaviors as a result.
Risks in the supply chain
In 2021, 97% of 1200 survey respondents from six countries reported negative impacts from a breach occurring in their supply chains. 93% of survey respondents reported suffering a cyber security breach themselves because of weakness in their supply chains. Investors want to know that companies monitor or audit at least their largest or most mission-critical suppliers for best practices.
Incident disclosure
The U.S. Securities and Exchange Commission (SEC) has defined cyber security as an existential business risk and has fined companies that do not disclose data breaches and other incidents to investors. Investors want to see disclosure of material cyber security breaches as soon as possible. In many cases, companies must follow national regulations in timely reporting or risk fines or other regulatory actions.
Leadership: Who has oversight of cyber security policies and procedures?
Executive leadership and team
Investors want to know who ultimately holds responsibility for cyber security. Is it the Chief Information Officer, Chief Financial Officer, CEO, or other senior leader? Consider forming a committee to ensure relevant information is shared. You should also disclose who is on that committee and provide an organizational chart of senior leadership overseeing cyber security.
Board oversight
Boards should create a cyber security committee or should assign responsibility to an existing committee (often Risk or Audit). You should have at least one Director who has the technical understanding to oversee cyber security issues and explain them to other Directors. Boards may also want to consider training to ensure that all Directors have at least a basic grounding in what matters for the company.