FRC provides digital security risk report
BSO-FINTAX
Certified Chartered Accountants & Business Advisers, Providing Accountancy, Business Support, Tax & Compliance Services.
The Financial Reporting Council (FRC) found that companies were not taking digital security and strategy seriously, providing limited details to investors.
The report provides guidance on how companies can report ‘digital security risk’ more effectively, disclosing the risks and opportunities, alongside their broader business strategies.
There was general consensus that current disclosures are not sufficient to meet investor and stakeholder needs. Too often companies provided limited information on digital security, failing to connect to the wider strategic direction of the business.
At the same time, the quality of responses about geopolitical or cyber events remained insufficient, with limited detail on the key issues.
When determining which disclosures a company should provide, its business model, governance structure and strategies, alongside the risks and opportunities it might be facing, should be considered in order to enhance disclosures and better meet the needs of investors.
Reporting and risk disclosure teams should consider the external trends associated with digital security and strategy, and how these integrate into the company’s business model.
Companies should also clearly communicate their digital transformation and data strategies and explain how the related risks can advance or hinder future objectives.
The report also provides potential questions for boards and audit committees to consider.
Mark Babington, executive director of regulatory standards at the FRC, said: ‘Every company is now digital, so providing useful, relevant and focused disclosure is critical. Investors need transparency in this area, and this report provides a key resource for companies looking to achieve this.’
The report found that while FTSE 300 companies reported at least one digital-related risk, the disclosures did not meet investor needs.
‘Boilerplate’ disclosures were an indication that a company did not take cybersecurity seriously enough, investors told the FRC.
In response, companies like Landsec, UBS, NatWest Group and others each disclosed potential cyber-related risks alongside responses to ensure minimum interruption to investors.
Experian details how data, digital and cyber trends are feeding directly into strategy, risks and opportunities for the business.
In its annual report, Experian said: ‘We have programmes that evaluate every product and service to ensure we strike the right balance between consumers’ privacy expectations and the economic benefit to both consumers and clients.
‘Furthermore, we are channelling investment into our multi-layered and extensive information security programme to manage and protect against cyber security risks, by continually upgrading our security infrastructure in an ever-changing environment.’
Companies disclosed how they managed cyber-related risks through planning cyber incident contingencies, secure IT operating systems and better focused disclosure.
NatWest discussed implementing a cloud-based solution to its data transformation, adding that proposed changes could improve regulatory reporting and reduce complexity of its cyber defences.
Next said: ‘IT risks are managed through the application of internal policies and change management procedures, imposing contractual security requirements, service level agreements on third party suppliers, and IT capacity management.
‘Information security and data protection risk exposures are reviewed during the year by both the audit committee and the board; this informs an executive sponsored programme of continuous improvement.’
Matt Warman, digital minister, said: ‘We’re investing £2.6bn through our national cyber strategy to make our digital economy more secure. But as this report shows, businesses can do more to bolster their online defences and improve transparency and reporting around cyber security.
‘There is help available, so I urge firms to follow NCSC guidance on strengthening their cyber security capabilities, so they are in the best position to protect themselves and their customers.’