When companies disclose significant cyber risk, they rarely provide differentiated or actionable information, according to a new report from PwC US and the Investor Responsibility Research Center Institute.
Examining key cybersecurity threats to corporations, the report offers information to investors to assist them in evaluating investment risk, business mitigation strategies and quality of corporate board oversight.
“Cybersecurity has moved from the back office to the corporate board room because it poses a deep threat to a company’s bottom line and reputation,” stated Jon Lukomnik, executive director of the Investor Responsibility Research Center Institute (IRRCi). “The reality today is that virtually every company is reliant on information and technology, so not one company or sector is left out.”
Commissioned by IRRCi, What Investors Need to Know About Cybersecurity: How to Evaluate Investment Risks was authored by Kayla Gillan, leader of PwC’s Investor Resource Institute, and PwC Advisory principals Joe Nocera and Peter Harries, both leaders in PwC’s cybersecurity practice.
“The severity of the gap between the magnitude of cybersecurity threat and the lack of steps boards have taken to address the risks is a key issue for investors and policy makers alike,” stated Lukomnik. “In recent weeks both Securities and Exchange Commissioner Luis Aguilar and Treasury Secretary Jack Lew have made public comments regarding cybersecurity issues... Even when Boards do act, investors often feel in the dark on cybersecurity. First, it’s dynamic and highly technical. Second, companies can be reluctant to disclose details on threats because they are concerned about providing hackers with a roadmap to vulnerabilities.”
Designed to help investors navigate cybersecurity issues with a focus on sector-specific portfolio risk, the report outlines cybersecurity trends, industry threats and strategies.
These strategies include corporate preparedness for cyber attacks, engaging with highly likely targets, and demanding better and more accurate disclosures.
“The consequences of poor security include lost revenue, compromised intellectual property, increases in costs, impact to customer retention, and can even contribute to C-level executives leaving companies,” stated Nocera. “This paper can help investors ask the ‘right’ questions to assess the level of risk they may be facing.”
The report also includes, based on PwC experience, common motivations for cyber attacks by industry and a list of suggest questions for investors to ask:
- Does the company have a security & privacy executive who reports to a senior level position within the company?
- Does the company have a documented cybersecurity strategy that is regularly reviewed and updated?
- Does the company perform periodic risk assessments and technical audits of its security posture?
- Can senior business executives explain the challenges of cybersecurity and how their company is responding?
- What is the organization doing to address security at its business partners?
- Has the company addressed its sector-based vulnerability to cyber attack?
- Does the organization have a response plan for a cyber incident?
The full report is available here, with registration for a webinar scheduled Aug. 20 to view the findings and respond to questions, available here.