8. Does the company disclose that it has a cyber or information security team and/or dedicated budget?

9. Does the company state that it works with relevant industry initiatives on cyber security and/or has access to internal or external expertise on cyber security?

10. Does the company actively seek cyber security skills when appointing directors?

The level of disclosure on indicators relevant to skills and resources is relatively poor across the sample set. A quarter of companies disclosed that they have a cyber or information security team, and no companies explicitly stated that they have a dedicated cyber security budget. Well less than half (31%) had access to internal or external expertise through industry-wide collaboration or via access to external consultants. Only 10% indicated that they actively appointed directors with cyber security skills and expertise.

Investor relevance: clear communication around cyber security resources within the company may signal how it is positioned to defend and, if necessary, remedy breaches. However, companies may be nervous about providing this information publicly due to concerns that they may make themselves known to hackers. Investors could therefore explore with companies the data (on investments, spending and staffing) and contextual information needed for reassurance that cyber security issues are being managed.

Investors could also ask companies to disclose details of board members’ cyber expertise, covering issues such as whether directors with relevant skills are appointed, the board is trained and members have access to third-party consultants.

In addition, investors could find out whether companies are involved in industry initiatives and government efforts, where these may facilitate the identification and resolution of cyber security issues, and learning from best practices.

Good practice: Commonwealth Bank came closest to offering some insight on budget disclosure, stating that it allocated $1.6 million to develop cyber security expertise.

Relevant disclosure on collaboration may include whether the company has strong ties to the national cyber emergency response team in the jurisdiction in which it is headquartered – a link that is increasingly important, particularly given the introduction of legislation (in the EU, for instance) mandating that such channels be used in the event of a cyber security breach (see the section on the regulatory landscape). An example of good practice comes from Baxter International. The company’s disclosure on this indicator is comprehensive and demonstrates broad, relevant engagement with appropriate networks and initiatives:

“[Engagement] Includes: Collaborating with the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)—a division of the Department of Homeland Security’s Office of Cybersecurity and Communications—on reported vulnerabilities. Actively participating with the National Health – Information Sharing Analysis Center (NH-ISAC), which is focused on cybersecurity prevention, protection, mitigation and response on behalf of the national healthcare industry. As a member, Baxter further benefits from NH-ISAC situational awareness and intelligence, information sharing, sector and cross-sector impact analysis, incident response, leading practices and workforce education. Partnering with customers who are pioneers and leaders in healthcare cybersecurity to jointly evaluate best cybersecurity practices; insights gained through this initiative are shared with Baxter Research & Development and IT teams to enhance current cybersecurity efforts and inform future system requirements.”

In terms of cyber security expertise, CME group states that “at least one board member shall have appropriate skills, background and knowledge relating to current technology and information security issues”.

In addition, Home Depot states that its nominating and corporate governance committee considers information technology and cyber security issues when discussing the composition of its board. This became a new priority for the company in 2017.

Some companies in the data set reported that they also had access to external expertise through third-party vendors and consultants. Lloyds Bank, for example, stated in its annual report that it has an advisory panel comprising external industry experts to provide the sub-committee with a view of current and evolving industry-wide cyber security threats, challenges and developments.