A recent study by Accenture found that the global average cost of cyber crime has risen from $7.2 million in 2013 to $11.7 million in 2017. Businesses are under pressure to strengthen their cyber security capabilities and be more effective in managing cyber incidents.
However, there is no one-size-fits-all approach when it comes to cyber security, making it even more challenging for companies to manage the rapidly-evolving risk landscape. As investor vigilance around the issue grows, it is vital that companies demonstrate they are ramping up their cyber defence, backed by robust governance structures.
The PRI’s report, Stepping up governance on cyber security, provides a snapshot and analysis of corporate disclosure on cyber security governance based on a study of 100 companies primarily in the healthcare, financial and retail sectors. The study found that although companies increasingly recognise cyber risks and their impacts, corporate information in the public domain does not assure investors that companies have adequate governance structures and measures in place to deal with cyber security challenges.
In December 2017, investors in the PRI-coordinated collaborative engagement on cyber security initiated meetings with 65 listed companies to better understand their approach and encourage more robust public disclosure on this topic. While engagement activities are ongoing, some emerging insights gained through these conversations so far are summarised below:
Mind the (communications) gap: reluctance to show and tell
In stark contrast to the poor public disclosure observed in the study, companies were generally informative and candid when talking privately to investors about cyber security. When investors queried the discrepancy between actual practice and what is disclosed, they received varied responses, including that companies:
- are wary of making themselves a target;
- do not want to lose their competitive advantage by giving too much away;
- are hesitant to claim that they have strong cyber measures in place to avoid provoking hackers that may want to challenge their security measures;
- are unaware that cyber security management is considered an ESG risk and that disclosure is valuable to the investment community; and
- are still building their knowledge and understanding of this issue, and are not in a position to report in detail to investors who they believe are looking for concrete, definitive answers.
Gaining meaningful insights: access to technical experts vital
Investors participating in the engagement were often given access to cyber security experts (such as chief information security officers (CISO) or digital directors) along with investor relations or sustainability professionals at their portfolio companies. This proved to be a winning combination; while investor relations and/or sustainability professionals provided an overview of policy, governance and reporting structures, technical experts were adept at discussing the details of their strategy and implementation relative to the threat landscape. This brought to light the interface between cyber security policy, strategy and implementation to investors - which would be difficult to infer from public corporate communication alone.
Board governance: devil is in the detail
While ongoing engagement efforts are revealing that governance processes around cyber security are more robust than what is portrayed through corporate disclosure, there is still much room for improvement. For instance, several companies clarified the role of the board, detailed reporting lines and explained how the board is kept abreast of cyber security issues. They also shared examples of information and metrics that are provided to the board, including:
- cyber security strategy;
- cyber security incidents at the company and industry level as well as controls and remediation plans;
- strategic shifts in cyber security practices including regulatory changes such as the General Data Protection Regulation (GDPR);
- subsidiaries’ cyber security posture and third-party risk to operations;
- new investments and projects;
- budget allocation;
- threat assessments, data analytics, random testing, staff awareness, training and assurance;
- efforts on knowledge sharing and alignment of disclosure with peers;
- outcomes of cyber security audits and actions plans; and
- results of business continuity and disaster recovery testing.
However, conversations have thus far offered limited insight on how these metrics are selected or updated, and how they may contribute to board evaluation and subsequent strengthening of cyber security plans. Companies also gave insufficient detail on when breaches are considered significant enough (material) to require internal or external reporting, an issue of increasing importance given enhanced regulatory requirements (such as GDPR) around reporting of cyber breaches.
Building organisational capacity: one size does not fit all
Conversations are showing that companies widely acknowledge the importance of building cyber capabilities across the organisation and believe that cyber security is indeed a business – not an IT – issue that could impact operating models, capital and change programmes.
With that said, different approaches are taken regarding where cyber security expertise sits within the company. One company indicated that it should exist at the management level – that board or sub-committee members do not need to be experts on the topic if there is adequate interaction between senior management and the board.
Conversely, reinforcing the need for board oversight, another company revised its governance structure, moving cyber responsibility from the non-board committee to the board. In the same vein, other companies indicated that they incorporated cyber security into their board skills matrix to guide the assessment of skills and experience of current directors, and to identify gaps in the collective abilities of the board. They also specified that they actively seek to recruit directors with a technology background, including oversight of cyber security and related risks.
There were also mixed company views on the role of external consultants and advisors. Certain companies indicated that external advice was unhelpful as the consultants had limited insights into the business. Others indicated that their boards are guided by independent advisory boards or advisors on cyber security issues. One such international advisory board (committee) constituted representatives from cyber security vendors. This committee met with directors twice a year, and separately with the CISO and an independent board member, to discuss cyber security-related projects. The outcomes from these meetings were later highlighted to the board as a whole and the executive committee.
Staff training and knowledge sharing: innovation and collaboration behind the scenes
Consensus is emerging among companies that effective management of cyber security involves technical solutions (such as addressing a specific risk channel of cyber attack) and behaviours, as employees and customers are commonly cited as high risk factors. In fact, investors noted several examples of companies promoting a culture of awareness through more innovative measures. These included: developing interactive modules on cyber security; linking cyber security training to employee bonuses; hiring dedicated staff to build curriculums on cyber security and data privacy; and recruiting “information security champions” throughout the business.
Companies also clearly recognise the need to join forces in promoting higher industry standards and better behaviours given the threat of cyber incidents to their respective industries. They shared examples of knowledge sharing and collaboration with peers and regulators to develop best practices. One such example came from a company that provides resources and seconds staff to the UK National Cyber Security Centre. Another company explicitly stated that it schedules weekly meetings with peers to share cyber intelligence.
Maximising engagement success: food for thought
Based on what we have observed so far in the engagement, investors would benefit from considering the following factors ahead of their cyber-related discussions with portfolio companies:
- Outline a clear set of expectations: several companies were keen to understand investors’ expectations around cyber security disclosure. Investors should work together to agree on a common message to and expectations of companies on baseline disclosures that would meaningfully contribute to their evaluation of cyber security risks.
- Consider best approaches to framing disclosure requests: companies were more receptive to disclosure requests when investors framed them through a governance lens i.e. requesting disclosure of governance arrangements and publication of existing policies as opposed to commercially-sensitive information on breaches or testing.
- Consider the role of trust, physical proximity and the occurrence of past controversies: investors found that their engagements were more effective when they had long-term, trusted relationships with companies; were physically closer to target companies; and where companies operate in industries with a history of cyber-related controversies. Where investors had strong relationships with companies, they were given access to content experts and senior personnel including CISOs and independent directors. Additionally, being physically closer to relevant companies offered greater opportunity for in-depth discussions with more colour and context. Finally, investors reported that companies were more inclined to talk openly about their cyber policies and procedures if a peer had been affected by a cyber-related incident, or if they had experienced a severe incident previously.
The investor group will continue to engage with the companies on cyber security throughout 2018 and into 2019, after which there will be a formal evaluation of progress. A final summary of the findings will also be produced.