Reporting update: cyber risk, resilience and regulation

Many companies face increasingly complex risks and threats associated with digital processes, systems and data. The increase in remote working driven by Covid-19, and the likelihood that much of it will be permanent, has added substantial challenges of its own to data security, as, in some sectors, has the potential for state-sponsored attacks.

In parallel with this, regulators' concern about operational resilience has increased following a number of high-profile corporate failures. There have been a number of earlier efforts to address this, both through reporting (for instance the requirement for a viability statement in the UK Corporate Governance Code) and through structural measures (such as ring-fencing in banks). It is clear, though, that regulators and governments remain concerned and that regulation continues to evolve.

In the EU, the Commission has proposed the Digital Operational Resilience Act (DORA) to regulate both financial institutions and a number of their critical ICT suppliers. While this won't apply directly in the UK, it could affect UK businesses serving EU institutions and could have an indirect impact by establishing a de facto standard in the area.

The UK government is expected to bring forward legislation requiring companies to report on their resilience. While the initial proposals were general in nature and covered a wide range of areas, cyber risk was noted as a key area on which companies might be expected to report. The FRC's Financial Reporting Lab has also started a project on the reporting of cyber risk.

The challenge of reporting

While companies will be responding to the increasing threat, both by continuing to evolve existing processes and by introducing new measures, these responses are often not evident to outsiders. Investors understand that risk is part of doing business, and that there will always be some matters which are difficult or impossible to disclose specifically, but they want more information on what measures companies have in place and how they have responded to a rapidly changing environment.

There is little UK guidance specifically on corporate reporting of cyber risk, but the general guidance on reporting of risk is informative. Investors need information on how the organisation assesses risk and how that assessment is changing; which individuals or committees deal with particular areas and what processes and skills they have; what the key risks are, their magnitude and the associated timescale; and how those risks are mitigated.

The proposals for scenario testing in resilience reports also reflect investors' and governments' concerns that they do not have enough information on the impact of major failures, and that contingency plans should cover such scenarios.

One of the issues in this area, as with a number of governance and risk topics, is that disclosures tend to drift toward boilerplate. Companies want to cover every possible area, out of concern that they might be criticised for failing to disclose a risk, but do not want to cover specifics, out of concern that admitting particular vulnerabilities could invite criminal targeting or cause reputational damage.

What to say

To avoid the tendency toward boilerplate noted above, companies can seek to provide examples, context and evidence of action. While the UK doesn't have specific guidance, the SEC published its statement and guidance on public company cybersecurity disclosures in 2018. This gives a number of helpful examples of the types of information that would be useful. Suggested disclosures include:

  • the frequency and severity of previous cybersecurity incidents
  • the probability of future events and potential magnitude
  • what types of preventative measures have been taken, how effective they are expected to be and how much they cost
  • which parts of the company's operations drive cyber security risk, including risks associated with suppliers and infrastructure
  • the potential damage to assets and resources not recognised on the balance sheet, such as brand and reputation
  • the laws and regulations to which the company is exposed in this area, and the cost of any related settlements or fines

Clearly, if too much detail were given it might be sufficient to allow hostile parties to target the company. This shouldn't, however, prevent the disclosure of the existence of material historical incidents. Discussion of such events and the response to them can, in fact, be particularly helpful in demonstrating both the risks and the company's ability to respond to them.

Beyond the specific incident disclosures noted above, some helpful disclosures we have seen in UK listed company accounts include:

  • changes in procedures made to reflect the increased incidence of remote working
  • cyber security accreditations the company has received
  • the creation of new committees to cover the area, or an indication of the issues brought to the board or its main committees in its review of governance
  • the inclusion of cyber scenarios in viability or going concern assessments
  • on a longer-term basis, processes for ensuring that board and committee nominations reflect the need for expertise in the area at an appropriate level

Conclusion

This is an area that continues to evolve, but demand for disclosure is increasing. Both the effort and sophistication behind hostile activity, and the increased reputational, legal and commercial impact of data breaches, call for greater scrutiny and greater disclosure. Regulators have identified information about cybersecurity as a key concern in proposed legislation.

There can be concern that too much detail in disclosure could be prejudicial, but too little results in bland, uninformative statements which fail to reassure. We therefore recommend that boards disclose more detail here: the key focus areas, the magnitude of the risks, and the context of previous experience. This brings the discussion to life and assures investors and others that the board is both learning from previous experience and preparing for the future.