Cyber risk: a wake-up call.
It has been a dramatic weekend in the world of cyber security. Microsoft has termed this a wake-up call for all governments around the world. Last Friday’s cyber-attack that hit 150 countries has demonstrated the crippling effect of flawed cyber security and contingency plans. The attacks have no doubt rung alarm bells in many investors’ heads as they think about the potential resulting impact on the assets in their investment portfolios. Now more than ever, it is essential that companies have a plan to protect their systems and their data, demonstrating clarity and transparency in how they are managing this increasingly important risk.
The Internet of Things
And it’s not just about security either. In order to be competitive in the marketplace, companies need to evolve their businesses to accommodate new market trends. In particular, the increasing reliance on the Internet of Things. For those who might not be familiar with the term, the internet of things relates to computing devices that enable users to send and receive data via the internet.
This increasing reliance on companies and their customers sending and receiving data via the internet means that more and more companies are inevitably exposed to cyber security threats that can compromise a product’s liability, a customers’ personal data or compliance with standards.
Why is it important to have a clear cyber security framework?
As companies are integrating the Internet of Things into their business operations and products, it is paramount that they have a clear cyber security framework in place, thus averting the potential for damage through future cyber-attacks, which could have a devastating impact on company reputation and the financial and operational performance of the business.
Systems aimed at reducing and preventing security breaches should be implemented by any company that gathers and processes personal data itself, outsources this activity to third parties or considers cyber threats as a principal risk that might disrupt the business.
How should this emerging risk be reported on?
There are different ways in which a company can reduce and manage the risk of a security breach, such as building security into a product as part of the design or embedding the right behaviours across operational processes.
A focus on reporting this risk type has heightened following a number of recent scandals and a letter to preparers of annual reports from the FRC pinpointed cyber security as a principal risk to consider.
Companies are therefore starting to acknowledge and report on cyber security as a risk via the company’s annual report and website, where it is possible to highlight the issue and disclose any system and framework in place to reduce the exposure to cyber-attacks.
Similarly, if a company has already been subject to this risk, resulting in financial and operational losses, it is paramount that the company addresses the issue by disclosing how they have acted on it, the process followed, the findings and the mitigation system integrated as a result. Transparency is key.
How are companies addressing the cyber security risk in their annual reports?
As the risk’s materiality varies among companies, there are different ways in which cyber security can be addressed.
Companies which consider cyber threats as a principal risk, such as easyJet, Worldpay and M&S, clearly disclose how the risk is linked to the group strategy and the systems in place to monitor and mitigate its exposure.
On the other hand, companies that might not consider the cyber issue as a principal risk, such as Diploma, tend to address the matter through a pull-out in the risk management or corporate governance sections of the report to demonstrate insight into this risk and why it is not considered material.
What happens next?
As transparency and accountability are considered the foundation of good corporate reporting, companies have started providing a clear insight into what aspects of the business could be considered vulnerable to cyber threats and the mitigation activities in place to prevent these.
Going forward, companies should consider going beyond simply identifying cyber security as a principal risk to the company, and instead should clearly explain how the governance, processes and resources are structured to identify, manage and mitigate this risk, ultimately protecting the company against it.