An era of more rigorous disclosure
It might be said that publicly traded companies stand at the precipice of a new, more rigorous age of disclosure. Not only are investors requesting more comprehensive and thoughtful analysis of financial matters such as executive compensation, but socially responsible investment outfits are also asking companies to report on their sustainability efforts, even to the extent of integrating this into their regular financial reporting. The SEC’s conflict minerals rule, mandated by the Dodd-Frank Act, is asking companies for assurance of their due diligence in relation to their metals supply chain and sourcing of key components. Political contributions are another area where shareholders are seeking more information about companies’ policies and practices.
A recent report by the IRRC Institute and PwC highlights how far companies need to go in providing meaningful disclosure on cyber-security risks and preparedness for shareholders. By approaching it from the investors’ perspective, the report offers some interesting ideas for how companies might improve their disclosure practices.
Materiality has long been the key consideration for determining disclosure of data breaches. Any costs incurred below $200 million for things such as breach investigations and reporting have tended to fall below the materiality threshold for most very large companies, according to the report. But it adds that ‘we believe there are several additional factors that should be considered when determining materiality – including impairment to intellectual property, long-term customer satisfaction and customer retention.’
The IRRC Institute and PwC recommend that investors do a sector-specific analysis of the various motives for – and levels of frequency of – cyber-attacks to better understand their exposure to concentration risk in their portfolios. This analysis should include a focus on the kinds of products a company provides. If a firm’s competitive advantage depends to a great extent on intellectual property to differentiate it from its rivals, or if the product itself is a connected device that functions through the internet and is potentially susceptible to a direct attack, that should figure in any materiality calculation for a breach. ‘These additional factors can create a cyber-risk that is often overlooked because it is too difficult to quantify and measure,’ the report says.
The three examples of cyber-security disclosure the report includes provide a sense of the vagueness that companies until now have been permitted to get away with in their disclosures. One financial services company is quoted as saying: ‘Despite the firm’s efforts to ensure the integrity of its systems, it is possible that [it] may not be able to anticipate or implement effective preventative measures against all security breaches of these types, especially because the techniques used change frequently or are not recognized until launched…’
As the report points out, the framing of cyber-security has centered much more on the threats and attackers than on the protective measures companies can take, which is of greater interest to investors. ‘An investor’s differentiation between companies [may] lie not only in understanding their ability to defend against those attacks by avoiding common errors but also in the companies’ preparedness to respond quickly to contain or mitigate the potential harm,’ the report says.
Clearly, more effective disclosure starts with better-informed boards paying closer attention to the preventative measures a company is taking. During a panel on cyber-security at the NACD Spring Forum in May, a representative from the US Department of Defense suggested directors ask top management how they are assessing cyber-risk. ‘If they don’t have an answer, pull out the Cyber Framework [National Institute of Standards and Technology risk management framework] and match it against the company’s risk profile,’ she advised. ‘Then exercise it by setting aside money to put it into action.’ She added that 80 percent of the cyber-risks a firm encounters could have been prevented with ‘cyber-hygiene’, starting with exercising the framework.
It’s only a matter of time before savvy investors start demanding more rigorous disclosure on cyber and other risks – and companies need to be prepared for that inevitability.