Report: Companies Failing To Report Cyber Risk To Shareholders

Many companies are not adequately reporting cybersecurity risk in their SEC filings, according to a recent report. Instead they are opting for a fog of boilerplate that lacks detail and “could not assist an investor in assessing a company’s cyber-risk profile or management of those risks.” Former SEC Commissioner Robert J. Jackson Jr., quoted in the executive summary, calls it “the most pressing issue in corporate governance today.”

The report, titled The State of Cyber-Risk Disclosures of Public Companies, includes examples of what the authors consider vacuous and largely useless risk reporting. (E.g., “From time to time we and our third-party service providers experience cyber-attacks, attempted and actual breaches of our or their information technology systems and networks or similar events, which could result in a loss of sensitive business or customer information…”). Meaningful disclosure, the report says, lies somewhere between descriptions of generic security risks and the kind of detailed disclosures that could provide bad actors with a roadmap into the company’s data.

The report was was commissioned by the National Association of Corporate Directors; SecurityScorecard, a company that rates corporate cybersecurity risk; the London-based analytics company IHS Markit Ltd; and the Cyber Threat Alliance (CTA), a non-profit that promotes information-sharing about cyber threats among companies and cybersecurity providers.

A Washington Post article highlights the report’s conclusions and and looks at some recent related developments, including legislation possibly in the wings. One bill would require breaches or other cybersecurity incidents to be reported to the government and/or customers, depending on the incident. Another bill, first introduced in 2019 and reportedly in line to be reintroduced, would require public companies to discloses the level of cybersecurity expertise on their boards of directors. Meanwhile. the Post reports, a compliance division of the SEC has recently identified cyber threat management, incident response and third-party vendor management as priorities for 2021, and guidance is likely forthcoming.