On average, US and Australian companies performed the strongest on disclosure across all indicators. US companies scored better than those from other regions in terms of disclosing cyber security and/or information security as a key risk in company assessment plans (indicator 14). US companies also scored better on board responsibility (indicator 5) and on disclosing a data protection policy (indicator 2).
European companies fared better on providing details of how cyber security issues are dealt with within the organisation. This includes on compliance, communicating to the board about cyber risks, providing details of information received by the board, discussion of resources, training and audits (indicators 1, 6, 7, 8, 11 and 12). European companies fared worse than average on disclosure of data protection policies (indicator 2) and the extent to which this policy applies across the business, including third parties (indicator 3).
Australian companies scored particularly poorly in terms of disclosing responsibilities for cyber security and the mechanisms by which cyber security issues are communicated to the board. Disclosure on resources, employee training, audits and business continuity plans were also below average (indicators 7, 8, 11 and 12). There appeared to be no clear link between these findings and the varying jurisdictional regulations.
Asian companies also did not rank highly on their disclosure of board oversight; companies in this region failed to disclose much information on access to expertise.
Stepping up governance on cyber security
- Currently reading