Cyber risk is associated with breaches caused by both an organisation’s employees (‘data breaches’) and those that result from criminal activity (‘cyber attacks’ and ‘cybercrime’). The increase in cyber risk in recent years has been driven by a wide variety of different factors, including increased use of data, changing business models, increased use of cloud services, the internet of things, the increase in remote working and the spill-over risk of cyber attacks following the Russian invasion of Ukraine.
Phishing and ransomware remain the top two root causes of data compromises. However, cyber attacks – such as denial-of-service attacks and man-in-the-middle attacks – are also on the increase as businesses become ever more digitised.
Cybercrime affects a wide spectrum of parties
Cybercrime continues to rise in scale and complexity, with essential services, businesses and private individuals all being affected by it. Supply chain attacks also remain a significant concern because the chain reaction triggered by one attack on a single supplier can compromise a network of providers.
The increasing dependency on information technology in the small and medium-sized enterprise (SME) sector has increased those businesses' exposure to cybercrime. While cybercrime in the SME market does not feature prominently in the headlines, information security is nevertheless a critical issue for all such businesses.
Nick Haley, Founder of Little Big Tech, comments: “In 2021, 38% of businesses experienced a cyber-security breach of some form, yet only 13% of the SME market train their staff on cyber awareness. Only 19% rehearse responses to cyber attacks. One small business is successfully attacked every 19 seconds in the UK, with around 65,000 attacks per day being aimed at the small business community. Staff training and rehearsal of responses are among the most effective ways to minimise the disruption of a cyber attack. A phishing email goes no further if staff are trained to spot it.”
While the likelihood of cyber attacks and data security breaches are key risks for every organisation, disclosure of cyber risk within financial statements varies greatly. Small companies are exempt from the requirement to prepare a strategic report and consequently from the requirement to report on principal risks and uncertainties. As such, it is perhaps not surprising that there is currently little or no disclosure on cyber risk in many SME financial statements.
The picture in the large corporate market is somewhat different, not least because of the scale and potential significance associated with cyber attacks. Various studies looking at the largest global companies have rated national and corporate cyber security as the number one threat to business growth and the international economy in the next few years.
Asam Malik, Partner in the Technology and Digital Consulting risk team at Mazars LLP, comments: “The cyber risks large corporates are exposed to are increasing each day and have the potential to cripple an organisation in a matter of hours. Stakeholders are seeking more assurance that corporates are managing this risk. Organisations should ensure that they have an evolving cyber-security strategy, the ability to proactively detect and address threats and a tried and tested cyber-incident response plan to facilitate a quick recovery in the event of a successful attack.”
Reporting on cyber risk in the UK
It is vital that cyber risk is communicated effectively by companies in their annual report and accounts. Investors want to know more about how companies are managing this evolving area. In the UK there is currently little guidance specifically on corporate reporting of cyber risk, but the general guidance on risk reporting is helpful, and larger listed companies are now talking about cyber risk and identifying it as a principal risk. Disclosures on management and mitigation strategies are also considered to be improving.
Nevertheless, the FRC’s Financial Reporting Lab recently noted that companies’ responses to this evolving area are not always evident in external disclosures and hence it has launched a project focusing specifically on cyber, digital and data risk.
One of the issues with this area, as with a number of governance and risk issues, is that disclosures have a tendency to migrate toward boilerplate. Companies want to cover all possible areas so as not to be accused of failing to disclose a risk, but they do not want to go into specifics, for fear that admitting particular vulnerabilities would heighten the risk of criminal targeting or cause reputational damage.
Given the lack of specific guidance in the UK, there is certainly a need for information on cyber risk to be provided in a consistent, comparable and decision-useful manner so investors can properly evaluate companies’ cyber-security practices.
Lessons to learn from the US
UK entities can certainly pick up some useful ideas regarding best practice from the US. In March 2022, the US Securities and Exchange Commission (SEC) issued proposed new rules and amendments to enhance and standardise disclosures regarding cyber-security risk management, strategy, governance and incident reporting by public companies, as a direct consequence of evolving cyber risks and investor needs. These rules build upon the existing guidance specifically dealing with disclosures on cyber security and incident reporting.
Existing US guidance already suggested consideration should be given to:
- the frequency and severity of previous cyber-security incidents;
- the probability of future events and potential magnitude;
- what types of preventative measures have been taken, how effective these are expected to be and how much they cost;
- which parts of the company’s operations drive cyber-security risks, including risks associated with suppliers and infrastructure;
- the potential damage to assets and resources not recognised on balance sheets, such as brand and reputation; and
- laws and regulations to which companies are exposed in the area and the cost of settlements or fines in the area.
The SEC expects companies to provide disclosures that are tailored to their particular cyber-security risks and incidents. However, it should be noted that while the suggested disclosures regarding cyber security are quite detailed, the SEC does not expect companies to publicly disclose specific technical information about their cyber-security systems, related networks and devices or potential system vulnerabilities in such detail as would make such systems, networks and devices more susceptible to a cyber-security incident.
The recently proposed amendments would now require current reporting about material cyber-security incidents and updates regarding any previously reported incidents. The materiality of cyber-security risks or incidents depends upon their nature, extent and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations.
Interestingly, the SEC’s proposals would require disclosure of management’s role and expertise in assessing and managing cyber-security risk and implementing cyber-security policies and procedures. The proposals would also require disclosure of the board of directors’ cyber-security expertise, if any.
The risk of financial loss, disruption or damage to the reputation of an organisation due to cyber-related factors is undoubtedly on the increase. All companies, from SMEs to the largest corporates, need to take appropriate action from an operational and training perspective. Larger entities also need to invest time in looking at their disclosures on cyber risk in light of evolving best practice. Consideration by boards may further be aided when the FRC’s Financial Reporting Lab reports on its cyber-risk project later this year.
By All Accounts July 2022