FRC criticizes ‘boilerplate’ cyber-risk disclosures
UK companies are not providing investors with sufficient information on cyber-risks, according to a new report.
The Financial Reporting Council (FRC), which monitors corporate reporting in the UK, says too many companies lack disclosure or resort to ‘boilerplate’ text.
Companies are coming under increasing pressure from stakeholders to provide more information on digital risks amid the growing digitalization of all industries and a steady wave of cyber-attacks against businesses.
At the same time, issuers must consider the risks of disclosing too much about their digital strategy, which could put them at further risk of data breaches or ransomware incidents.
The FRC report, based on a series of interviews with investors and companies, offers disclosure recommendations across four areas: strategy, governance, risk and events. The research also provides examples of disclosure from companies including IAG, Experian and Schneider Electric.
Meeting investor needs
In a summary section, the regulator says corporate reporting teams and audit committees should consider the following areas to ‘better meet the needs of investors’:
- Explain how digital strategy and security are important to areas like the business model, corporate strategy and the environment the company operates in
- Discuss how governance structures, culture and internal processes support the digital strategy
- Identify risks and opportunities related to digital issues, thinking about both now and the future
- Detail the impact of ‘internal and external events’ and how the company responds to such incidents.
‘Every company is now digital, so providing useful, relevant and focused disclosure on digital security is critical,’ says Mark Babington, executive director of regulatory standards at the FRC, in a statement. ‘Investors need transparency in this area, and this report provides a key resource for companies looking to achieve this.’
Digital risks have grown further this year amid the war in Ukraine, which has led to an increase in cyber-attacks against public and private organizations. ‘Since Russia’s invasion of Ukraine, many companies have experienced heightened cyber-security risks,’ noted the SEC in May.
UK companies will need to conduct further digital reporting in the future under plans from the British government. It has proposed a new resilience statement that would require companies to discuss how they are managing risks, including cyber-security, over the short, medium and long term.