July 26, 2018 / News

Cyber security reporting too weak, warns PRI

By Joe McGrath, ESG Clarity

Listed public companies are failing to outline to investors how they protect their firms against major cyber security attacks in their corporate reporting.

Cyber security reporting too weak, warns PRI

Listed public companies are failing to outline to investors how they protect their firms against major cyber security attacks in their corporate reporting.

A report entitled Stepping Up Governance on Cyber Security by the Principles for Responsible Investment (PRI) Association, found only 15% of public companies explicitly outlined how they trained staff and only 17% said they conduct regular audits. The research was conducted with a sample of 100 publicly listed companies.

PRI researchers also found that nearly 60% of those companies polled failed to indicate how the board or a board sub-committee was responsible for cyber security issues and less than a third (31%) documented how they employed internal expertise or external consultants.

In a media statement accompanying the report, Fiona Reynolds, chief executive officer of the PRI, said the research has shown that corporate reporting on cyber security creates difficulties for investors who are seeking to draw conclusions about how well companies are protected.

She explained: “Boards need to work closely with senior management to escalate the message across the organisation that security is everyone’s problem.

“Board members could start by ensuring that cyber security is on the agenda at board meetings. If these issues are delegated to senior management, then the board must have regular updates from those individuals in order to stay current on the topic.”

The PRI said that to improve corporate disclosure on cyber security, governance and processes, it has assembled a group of 53 institutional investors, with assets of more than $12 trillion, who are engaging with companies in a variety of sectors from healthcare to financial services.

In June, Christine Lagarde, managing director of the International Monetary Fund, wrote that cyber risk had emerged “as a significant threat to the financial system,” and estimated that average annual losses to financial institutions from cyber-attacks could reach a few hundred billion dollars a year, eroding bank profits and potentially threatening financial stability.