This report presents a snapshot and analysis of what 100 companies are currently disclosing about their cyber governance and risk management. It also enables comparisons across regions and sectors to facilitate engagement dialogue.
The assessment is based on public disclosure, drawing on companies’ 2016 annual reports, sustainability reports, data protection and privacy policies, as well as online media articles.
The research sample included companies in the following sectors (based on cyber risk exposure, maturity in cyber security posture, and companies’ responses to threats):
These companies were drawn geographically from:
- Europe (40)
- US (36)
- Australia (19)
- Asia (5)
The research covered the following key indicators5:
1. Does the company publicly commit to compliance with all relevant laws, including those related to cyber and data protection?
2. Does the company publicly disclose a privacy and/or data protection policy?
3. Does the policy explicitly cover its entire operations, including third parties?
SENIOR MANAGEMENT AND BOARD ACCOUNTABILITY
4. Does the company identify a named person at senior management or executive committee level with overall responsibility for information management and cyber security?
5. Is the board or board committee responsible for cyber security issues?
6. Does the company communicate cyber risks to the board (and how, by whom and how often)?
7. Does the board receive detailed information about the company’s cyber/information security strategy (including what information it receives and how it assesses this information)?
SKILLS AND RESOURCES
8. Does the company disclose that it has a cyber and/or information security team and/or dedicated budget?
9. Does the company state that the board engages with relevant industry initiatives on cyber security and/or has access to internal or external expertise on cyber security?
10. Does the company actively seek such skills when appointing directors?
11. Does the company provide training on information and/or cyber security requirements to all employees?
12. Does the company conduct audits of information and/or cyber security policies and systems?
PROCESSES AND PROCEDURES
13. Has the company established an incident management plan (including disaster recovery and business continuity)?
14. Has the company disclosed information or cyber security as a key part of its risk assessment/business continuity plan?
In this section, key trends, investor relevance and examples of good disclosure are discussed for each of the 14 indicators covered in the research to facilitate and guide investor dialogue.
Overall, the research points to a large variation in the levels of cyber security disclosure across companies:
- a fifth of companies (20) provided information against two or less of the 14 indicators assessed;
- 68 companies disclosed information on between three and seven of the indicators; and
- 12 companies disclosed information across 10 or more indicators.
Stepping up governance on cyber security
- 3Currently reading