6. Does the company communicate cyber risks to the board (and how, by whom and how often?)

7. Does the board receive detailed information about the company’s cyber/information security strategy (including what information it receives and how it assesses this information)?

Just under two-thirds (63%) of the companies provided little or no information about the frequency and channels of communication to the board. Disclosure on the content of the communication with the board was also lacking, with only 22% of companies including details in their annual reporting.

Investor relevance: boards must be briefed regularly and in a timely manner by senior management to facilitate informed decision making on cyber security issues. This enhances directors’ understanding of the threat environment, vulnerabilities, strategic considerations and the internal control environment.

As it is not common practice for companies to disclose the extent of board evaluation of cyber security matters, investors could raise questions about:

  • board assessment of a company’s cyber security strategy;
  • performance indicators or metrics used to communicate risk exposure or track progress; and board consideration of
  • audits and cyber insurance.

Investors could also ask about when cyber security incidents are brought to the board’s attention, and whether there is a materiality threshold for reporting incidents and decisions.

Good practice: companies that reported on the frequency of communication between senior management and boards generally referred to periodic or regular communication between the board and the executive committee. Such generic reporting does not shed light on the level of familiarity directors have with cyber risk incidents or other material operational matters relating to cyber issues. More meaningful disclosure on this comes from BT, which indicated that its technology committee chair reports formally to the board on its proceedings after each meeting.

Another example comes from HSBC, which disclosed a clear chain of command and highlighted information flow relevant to cyber security issues. HSBC indicated that the company board risk committee is responsible for cyber risk and is advised by the financial system vulnerabilities committee (FSVC). In turn, the FSVC reports to the board on matters of financial crime and financial system abuse, and provides a forward-looking perspective on financial crime risk, as well as cyber and information security.

Morgan Stanley also stated that the board receives information that allows it to review operations and technology budget, as well as significant expenditures and investments in support of cyber strategy, operations and technology metrics. In addition, the board reviews major operations and technology risk exposures including information security and cyber security risks, and the steps management has taken to monitor and control such exposures.