Indicator 1: legal compliance

Explicit acknowledgement of and commitment to comply with cyber security laws and regulations is not standard practice. Over 30% of the companies reviewed did not explicitly indicate that they comply with data protection and cyber security laws. Among those companies that did, regulations such as the Privacy Act 1998 (AU), Privacy Principles (AU), Singapore Data Protection Act 2012, Data Protection Act 1998 (UK), General Data Protection Regulation (GDPR) and Data Privacy Shield (Switzerland, EU and US) were referenced in company disclosures.

Investor relevance: companies that disclose that they are compliant with cyber security laws and regulations show that they are aware of and are taking steps to meet relevant regulatory obligations. This is particularly important given the changing regulatory landscape and recent amendments to privacy and data protection laws introduced in several jurisdictions (see the section on the regulatory landscape). In this context, investors may want to follow up with questions on regulatory preparedness and implications for operations as a result of new or more stringent legal requirements, such as the General Data Protection Regulation in the European Union.

Good practice: one good example of disclosure on this indicator comes from Merck and Co. The company states: “[Merck and Co.] have learned that laws and regulations cannot always keep pace with the rapid change in technologies, data flows, and associated shifts in privacy risks and expectations, so we strive to comply with both the spirit and the letter of privacy and data protection laws and regulations in a manner that drives consistency and operating efficiency for our global business operations.” This also appears to signal active management of cyber risk.