This report analysed data from 100 companies for observations on standards of corporate disclosure relating to cyber security practices. It presented overall findings across the data; results by each specific indicator; and different regional legislative and regulatory standards.

The research demonstrates that, at present, there are no minimum standards of regular public disclosure on cyber security practices from large-cap listed companies that investors can use to inform basic engagement and investment analysis.

Although companies are increasingly recognising cyber risks and their impacts, corporate information in the public domain does not reassure investors that companies have adequate governance structures and measures in place to deal with cyber security challenges. The lack of public disclosure also makes it difficult for investors to differentiate between those companies that are proactively developing, monitoring and managing cyber security risks versus those failing to prioritise these risks.

To address this situation, investors must continue to educate themselves on what good cyber security systems look like and integrate engagement on cyber security with companies as standard practice. Investors can start dialogue with basic questions on cyber governance and risk management covered by this research, and through these conversations generate and formalise their expectations for companies’ disclosure and transparency on cyber security issues. At the minimum, investors must question if company boards:

  • have oversight of cyber security issues (directly or through sub-committees);
  • review and evaluate management approaches to cyber security (in relation to cyber security strategy, policies and procedures);
  • ensure alignment of the cyber security programme with the business risk profile;
  • determine if management is effectively allocating resources and expertise to cyber-related issues; and
  • monitor disclosure to regulatory authorities and stakeholders and ensure that this disclosure accurately portrays material cyber risks and incidents.

Consistent dialogue on this topic will indicate to companies that cyber security is a priority issue for investors and, as such, should be incorporated into corporate reporting. Through private dialogue, investors may also want to probe the reasons for poor public disclosure and explore how related challenges may be overcome. Good practice examples from peer companies featured in this report may aid this discussion.