
September 2022 / 10 Min Read

Navigating Cybersecurity Risks & Disclosure Pressures: Good Governance is Key


With cybersecurity thrust to the forefront of boardroom discussions today, transparent communication about its governance is now crucial.


Key Takeaways

  1. Newly proposed regulatory rules in the US, Europe and India set more stringent cybersecurity risk management measures and reporting for all public companies.
  2. The growing concerns around cyber vulnerabilities have led to third-party rating services attempting to quantify cyber risk into a consolidated score.
  3. It is important for companies to navigate cyber governance and cybersecurity disclosure pressures without compromising business security.


The rise of cyberattacks amplified by geopolitical conditions, newly proposed regulatory rules, and emerging third-party cyber risk scores, have thrust cybersecurity to the forefront of boardroom discussions.

“There’s unprecedented pressure on companies to report information about their cybersecurity risk management and governance practices, policies, and procedures,” said Heidi Wachs, Managing Director, Cyber Solutions, Aon.

While transparent communication about cybersecurity governance is crucial today, businesses must balance that with protecting sensitive and confidential information to avoid unnecessary attention from threat actors.

New SEC Cybersecurity Rules

Cyber disclosure pressures are mounting on companies worldwide. On 9 March 2022, the US Securities and Exchange Commission (SEC) published proposed rules that require all public companies to report material cybersecurity incidents within four business days. Companies would also be required to make periodic disclosures regarding their cybersecurity risk management, strategy, and governance.

“The proposed Item 106(b) of Regulation S-K would require registrants to disclose their policies and procedures to identify and manage cybersecurity risks and threats,” Anna Barrera, Director, Corporate Governance and ESG Advisory, Aon, explains.

SEC's proposed Item 106(b) of Regulation S-K

A public company must disclose whether it:

  • Has a risk assessment program (if applicable), and if so, provide a description
  • Engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program
  • Has policies and procedures to oversee and identify the cybersecurity risks associated with the use of any third-party service provider
  • Undertakes activities to prevent, detect, and minimize the effects of a cybersecurity incident
  • Has business continuity, contingency, and recovery plans in the event of a cybersecurity incident
  • Considers cybersecurity risks as part of the registrant's business strategy, financial planning, and capital allocation, and if so, how

Europe too is stepping up its cybersecurity standards. Replacing the current Directive on Security of Network and Information Systems (NIS), the new NIS2 directive sets more stringent cybersecurity risk management measures and reporting requirements and sanctions for sectors such as energy, transport, health and digital infrastructure.

A new cyber notification standard was also issued by India’s Ministry of Electronics and IT (MeitY) on 28 April, aiming to improve overall cybersecurity. According to the directive, from 27 June 2022 onwards it is mandatory for all companies in India, including government and private organizations, to report cyber incidents to the Indian Computer Emergency Response Team (CERT-In) within 6 hours of detection.

“Legislative movements towards stricter cybersecurity worldwide make it clear that regulators view cyber risk as material to investors,” says Barrera. “Good governance will be key to help companies navigate increasing cyber disclosure pressures, achieve regulatory compliance and enhance investor relations.”

As companies navigate disclosure requirements, they will need to balance transparency against the risk of divulging information that exposes a firm’s cyber risk mitigation strategies.

“To the extent possible, acknowledging the existence of applicable policies, programs, and plans, without including details about their content, can protect your company’s sensitive cybersecurity procedures,” Barrera adds.


Institutional Shareholder Services (ISS) Launches Cyber Risk Score

According to Aon’s 2021 Global Risk Management Survey, participants around the globe rated the risk of cyberattacks/data breach as the number one threat facing companies today. The growing concerns around cyber vulnerabilities have led to third-party rating services attempting to quantify cyber risk into a consolidated score.

The risk of cyberattacks/data breaches is a top threat facing businesses worldwide today. Ranking of cyberattacks/data breach among the top risks, by region:

  • North America: 1
  • Middle East and Africa: 2
  • APAC: 2
  • Europe: 4
  • Latin America: 9

Source: Aon's 2021 Global Risk Management Survey

ISS has also added scored cyber risk factors to its Governance QualityScore ratings. Taking the attention to cyber risk a step further, ISS launched a quantifiable 3-digit Cyber Risk Score that is based on policies, information security standards, and cyber hygiene, and that reflects the likelihood of a future cybersecurity incident.

Alongside its Governance QualityScore, the Cyber Risk Score will be included for informational purposes in ISS’ proxy research reports, which also contain voting recommendations to investors for annual shareholder meetings.

“While such ratings do not impact ISS’ actual voting recommendations, they provide investors assurance that boards are actively managing their cyber risk exposure,” Barrera explains. “Therefore, their visibility within the reports makes them a frequent topic of conversation within the boardroom.”

ISS ESG Governance QualityScore

What? A data-driven scoring and screening solution.

Why? To enable quality reviews of corporate governance across four key areas:

  • Board Structure
  • Compensation
  • Shareholder Rights
  • Audit & Risk Oversight

“As with QualityScore, ISS will permit companies to use their data verification process to dispute specific factors that go into the Cyber Score,” says Barrera. “However, there is no guarantee that ISS will agree to the changes.”

“It is also important to note that ISS will only work off public information, so any requested change will have to be verifiable in public disclosures,” she advises. The ISS Cyber Risk Score solution follows the lead of Glass Lewis, a leading provider of independent global governance solutions, which announced a partnership with BitSight, a cybersecurity ratings provider, in September 2021. Under that agreement, BitSight ratings, data, and insights are now included in Glass Lewis’ Proxy Paper research reports.

“When deciding whether to improve cyber ratings through additional disclosures, companies need to weigh potential risks of over-disclosing on sensitive topics,” Barrera advises. “This caution holds true in the realization that ISS ratings (Governance QualityScore, Environmental & Social QualityScore, and Cyber Risk Score), and other third-party ratings, do not directly impact actual proxy voting recommendations or outcomes.”

“Companies must remain aware of their external ratings and manage communications around relative scores for investors and other stakeholders as needed,” she adds.

Top Tips

  1. Meet emerging regulatory requirements
  2. Ensure a business-appropriate cybersecurity strategy
  3. Evaluate the tradeoffs between using additional disclosures to improve third-party ratings and potentially attracting more threat actors

Next Steps

When determining what information to disclose, companies should first focus on demonstrating a mature approach to cyber governance at the Board level. “Sharing tactical cybersecurity plans may divulge information threat actors can leverage,” David Collier, Senior Vice President, Cyber Solutions, Aon, explains. “But sharing information around cyber governance demonstrates an enterprise-wide commitment to this material issue.”


Sample disclosures on board and executive management oversight of cybersecurity might include acknowledgment of the following governance practices, if applicable:

  • Formal threat assessment
  • Recognized standard for the management and oversight of cybersecurity
  • Security roadmap and metric-driven dashboard
  • Chief Information Security Officer or equivalent role
  • Cross-functional cyber committee
  • Third-party penetration testing
  • Vendor cybersecurity policy and audit
  • Cybersecurity insurance policy

“In disclosing information, companies should avoid sharing sensitive details, such as specific tools, software, or applications used in the environment, findings from a threat assessment, vulnerabilities, remediation strategies, cybersecurity budget, and dashboard metrics,” Wachs advises.

Aon’s Cyber Solutions Group and Aon’s Corporate Governance & ESG Solutions Practice work with clients to implement appropriate cyber governance practices, develop robust cybersecurity policies and procedures, and navigate disclosure pressures without compromising company security.

For more information about how we work with C-suite and boards on cyber risks and disclosures, please contact the authors or write to humancapital@aon.com.
