June 1, 2022
“What we’ve got here is failure to communicate.” I’m reminded of this line—famously uttered by the prison guard to Paul Newman’s character in Cool Hand Luke—when I think about the disconnect between companies and their investors on cybersecurity, which is one of the critical risk issues of our time.
In recent years, investors have identified cybersecurity as one of their critical areas of concern. A 2021 RBC Global Asset Management survey identified cybersecurity as the second-highest ranked governance issue for investors. More recently, a 2022 report from Fidelity affirms the investor’s perspective on the importance of cybersecurity: “we believe cybersecurity is material to all industries and sectors.”
Investors are worried about cybersecurity—and for good reason. Cybersecurity is a critical risk that can materially impact a company’s long-term value and sustainability. And with ransomware incidents growing significantly year over year, changes in cyber insurance coverage and costs, and expanding digitalization that introduces new risks for companies, things are only going to get more challenging.
Yet despite growing concerns and the criticality of the issue, the dialogue between companies and investors still feels closed. When asked by Forrester Consulting about communicating cybersecurity metrics to stakeholders, security decision-makers ranked investors last on a list of audiences who receive accurate measurements of their companies’ security performance. Many investors feel that they are not getting the critical information they need from companies to make informed decisions. Inconsistency in the frequency and substance of companies’ disclosures related to cyber risk, investment, policy, readiness, and incidents is contributing to significant uncertainty and concern within the investment community that their investments are at risk.
The US Securities and Exchange Commission (SEC) is currently considering new rules on cyber-risk management, strategy, governance, and incident reporting by public companies. The proposed rules would require greater disclosure from companies to their investors in areas including board oversight, board expertise, corporate risk management practices, and details on material incidents. While cybersecurity disclosure guidance has existed for years, these regulations present a significant new focus by the SEC. Companies everywhere are reexamining their cybersecurity programs and disclosure policies to prepare for these changes.
Companies should take advantage of this critical opportunity to increase investor confidence on cybersecurity. The answer lies in more communication about performance. It is first important for companies to understand what investors are looking for when it comes to cyber-risk reporting. Our experience is that investors value quantitative, objective metrics and measurements regarding cybersecurity performance and outcomes. Security performance metrics help investors assess the effectiveness of the policies, controls, governance, and procedures that a company is implementing, providing investors greater visibility into how well the cyber-risk program is being executed. Security performance measurements also provide investors with further validation of management’s intentions. Companies that share this information provide greater confidence to their investors and the broader marketplace that they are building resilient organizations.
There are numerous examples of companies today disclosing relevant, detailed information on cybersecurity program performance for specific incidents as well as general risks, and directly benefiting from this transparency in the marketplace, including the following:
In a time when investors are asking for more information, companies should strive to be more transparent about their cybersecurity program performance and results. Disclosure of risk-based performance metrics will provide investors access to appropriate and expanded information to make more informed decisions and create greater trust between companies and their investors.
Jake Olcott is vice president of communications and government affairs at BitSight.