Evolving Board Oversight and Reporting to Address Increasing Stakeholder Scrutiny of Cyber Risk

Digitalisation has changed the way companies operate and given rise to a rapidly evolving set of risks that companies must prepare for: cybersecurity risks. The increasing prevalence of cyber attacks, notably ransomware, coupled with the declining availability of cyber insurance, is leaving companies increasingly exposed to the often significant impacts of a cybersecurity incident. There is naturally a short-term financial cost (research from IBM puts the average total cost of a ransomware breach in 2022 at $4.54 million), but the reputational impact of an incident may be longer lasting.

Aware of how exposed companies are to cybersecurity risk, governments, regulators and investors alike are increasing pressure on organisations to improve their cybersecurity measures, increase transparency in their disclosures, and build governance and management structures that demonstrate cybersecurity is a priority at the top levels of the organisation.

Ensuring oversight structures are in place at board level is a key feature of cyber governance. Because cyber risk is a material risk affecting companies, boards are increasingly held accountable for ensuring the executive team is taking appropriate steps to mitigate the risk of a cybersecurity attack, and for ensuring the organisation responds appropriately in the event of an incident. Often, boards have little or no experience in this field. The dynamic nature of cyber risk means that board members are not expected to be cyber experts (though there is merit in having that expertise on the board), but they are expected to be able to challenge management on the topic and to inform shareholders of the measures in place to mitigate the impact of cybersecurity incidents.

For many companies, the Chief Information Security Officer (CISO) is the executive accountable for cyber risk. With investors and regulators pushing for greater oversight at board level, the CISO will need to communicate cyber risk and metrics in terms that resonate with the board, and governance structures will need to prioritise board engagement with the CISO on cyber risk.

Cybersecurity is also increasingly part of investor and proxy advisor scrutiny of companies. Our research indicates that investors now consider cybersecurity a key priority, with cyber attacks consistently cited as the most important concern or risk area for investors. Allied to this, the world's major asset managers are providing more detail on what they expect in terms of disclosure, including detail on the structures in place to manage cyber risk as well as the number and scale of cyber incidents affecting a business.

How companies communicate their governance of cyber risk to investors is therefore increasingly important. When announcing proposed SEC rules on cybersecurity disclosure, SEC Chair Gary Gensler stated: "I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner." This highlights the current lack of transparency around cyber risk and incident disclosure, and is a clear indicator that regulation is only going one way.

Having evaluated the regulatory environment, reviewed the heightened focus of the investment community, and considered the benefits of greater transparency, our view is that there may be merit in companies approaching cybersecurity in a manner similar to the way the Task Force on Climate-related Financial Disclosures (TCFD) approaches climate risk. The TCFD framework is built around four pillars: i) Governance; ii) Strategy; iii) Risk Management; and iv) Metrics and Targets. Structuring cyber disclosure around the same four pillars would enable boards and investors to consider the risks posed by cybersecurity in a more holistic manner.

Ultimately, the combination of regulation and demand for greater transparency will mean a step change in disclosure for companies. However, there is likely to be a clear benefit, both financially and reputationally, for companies that are first movers and adopt a more proactive approach to the governance, oversight and disclosure of cyber risk.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.