The FRC Lab’s Digital Security Risk Disclosure report provides practical advice to companies making disclosures in respect of digital security strategies, risk and governance. The report reiterates the “fundamental” importance of management of digital security risk, and highlights the need to provide sufficient information to assist stakeholders in assessing a company’s ongoing viability and resilience against cyber, data and other digital threats. It reminds companies of recent high profile cyber and data incidents and the landscape of increased geopolitical tensions.
The report found that, whilst many FTSE 350 companies report on digital risk (often disclosing cyber risks), such disclosures tended to reflect an approach described as “boilerplate and overly static”, thereby falling short of the level of disclosure required by stakeholders to make informed assessments.
To improve disclosures, the report makes a number of practical recommendations on how to make useful and material ‘core’ and ‘enhanced’ disclosures, falling into the following broad categories:
Strategy
• Provide the context for digital security and strategy, and its importance to the company’s broader strategy, business model and ability to generate value;
• Indicate how external trends associated with digital security and strategy are integrated into the company’s approach; and
• Link digital security and strategy disclosure to the company’s broader strategy.
Governance
• Link the governance of digital transformation and security risks to strategy and risk appetite;
• Show how the board and its committees have oversight of these risks. This may also include who within the company has ownership of specific risks, and the access they have to senior leaders;
• Explain what a company has done to foster a digital security (or cybersecurity) culture; and
• Outline the relevant skills of the board and the assurance obtained.
Risk
• Link the digital security and strategy risks to strategic objectives and risk appetite;
• Consider the actions and activities taken to mitigate risk and how risks have evolved;
• Provide information about the risk and mitigations at the right level of granularity; and
• Connect digital security and strategy with disclosures on viability and resilience.
Events
• Provide information about the events themselves and the actions taken; and
• Help stakeholders to understand the effectiveness of the company’s response and how lessons learned from the event will be, or have been, incorporated into changes to relevant structures and processes.
The report also sets out some practical examples of useful disclosures made under each of the four categories by reference to an ‘example bank’. However, the report also notes that its practical examples and recommendations should not be treated as a disclosure checklist, as not all risk disclosures apply to each company. The FRC reminds companies that a tailored and considered approach, providing disclosures which are material and relevant for the company and its stakeholders, should be applied.
Next steps:
Internal reporting and risk teams should refer to the practical examples and useful resources provided in the report and consider how internal reporting lines and processes may need to be updated or improved in order to provide valuable disclosures to stakeholders on the management of cyber, data and digital risks and threats.
Review existing communication and escalation channels and consider to what degree they are functioning effectively, including how effectively the company’s digital security strategy is communicated throughout the company and whether that strategy is adequately implemented and monitored.
Further information:
FRC Lab Report: Digital Security Risk Disclosure
This article was produced in association with White & Case UK’s Public Company Advisory team.