11. Does the company provide training on information/cyber security requirements to all employees?

Only 15% of companies indicated that they provided cyber security training to all staff. Although several companies implemented risk management training for all employees, they failed to discuss training on cyber security and data protection specifically. Other companies only provided such training to certain employee groups (i.e. board of directors) within the company, and provided no further details. It is unclear whether the low disclosure on this indicator is due to a lack of transparency around cyber security and data protection training offered to employees, or whether companies are yet to adopt specific training programmes.

Investor relevance: given that a sizeable proportion of cyber incidents have been linked to human error, providing regular training to all staff on cyber threats, handling sensitive information, IT policies and procedures is essential for effective IT governance. The financial and healthcare sectors were particularly susceptible to insider threats in 2016 as per IBM’s Threat Intelligence Index report.

JP Morgan experienced a serious breach in 2014 after an employee’s login credentials were secured by hackers. The intrusion allowed the hackers to access 90 different servers compromising data from 76 million households and approximately 7 million small businesses.

In this context, investors could encourage companies to set targets on staff training, with a view to promote regular and ongoing corporate training in line with the evolving landscape on cyber security. Investors could also encourage companies to track progress on cyber security training and continually report on how it is contributing to an organisation-wide cyber security culture.

Good practice: good disclosure on this indicator will address topics covered in cyber security training, approach to training for risk-exposed teams and disclosure on the reach of corporate training programmes (for example, whether business partners and third parties are trained on cyber security). Examples of good practice are highlighted below.

Gerresheimer stated that training was provided and summarised key areas covered: “Computer users were made aware of security issues and trained with regard to focal areas that included dealing with phishing, social engineering, password security, social networking and the secure workplace.”

CVS Health not only reported on mandatory training for all staff, but also disclosed that it tailors its education programmes for staff in consumer-facing roles or those that deal with sensitive data: “In 2015, we launched a mandatory information security awareness curriculum for all colleagues and social engineering detection training for colleagues in store operations.”

Similarly, Telstra Corporations’ requirement for training also applied to its business partners, reassuring stakeholders of its well-rounded approach to mitigating cyber-related risks.

Over time, investors and stakeholders could request further information on whether companies assess the effectiveness of cyber security training against key threats, and whether such assessments have paved the way for strengthening their preparedness for cyber incidents.