Cybersecurity is increasingly becoming a meaningful risk for investors to consider, yet corporate disclosure in this area is often lagging, suggests a new report.
The report, commissioned by the Investor Responsibility Research Center Institute (IRRCi) and prepared by New York-based PricewaterhouseCoopers LLP (PwC), notes that while companies must disclose significant cyber risks, “those disclosures rarely provide differentiated or actionable information.”
“Cybersecurity has moved from the back office to the corporate board room because it poses a deep threat to a company’s bottom line and reputation,” said Jon Lukomnik, executive director of the IRRCi. Yet, he notes that investors often don’t have great insight into companies’ efforts to prevent attacks.
“The severity of the gap between the magnitude of cybersecurity threat and the lack of steps boards have taken to address the risks is a key issue for investors and policymakers alike,” Lukomnik said. “Even when boards do act, investors often feel in the dark on cybersecurity. First, it’s dynamic and highly technical. Second, companies can be reluctant to disclose details on threats because they are concerned about providing hackers with a roadmap to vulnerabilities.”
The report suggests that investors focus on corporate preparedness for cyber attacks, and then engage with highly likely targets to better understand their preparations, and to demand more useful disclosures (though not at a level that would provide a hacker with a roadmap to carry out an attack).
“This report is designed to help investors begin to navigate critical cybersecurity issues, with a focus on sector-specific portfolio risk,” said Kayla Gillan, co-author of the report and leader of PwC’s Investor Resource Institute. “It outlines cybersecurity trends, industry threats and strategies investors can pursue to evaluate risk, even with limited information.”