Increasing Trust With Investors on Cybersecurity Requires Communication
“What we’ve got here is failure to communicate.” I’m reminded of this line—famously uttered by the prison guard to Paul Newman’s character in Cool Hand Luke—when I think about the disconnect between companies and their investors on cybersecurity, which is one of the critical risk issues of our time.
In recent years, investors have identified cybersecurity as one of their critical areas of concern. A 2021 RBC Global Asset Management survey identified cybersecurity as the second-highest ranked governance issue for investors. More recently, a 2022 report from Fidelity affirms the investor’s perspective on the importance of cybersecurity: “we believe cybersecurity is material to all industries and sectors.”
Investors are worried about cybersecurity—and for good reason. Cybersecurity is a critical risk that can materially impact a company’s long-term value and sustainability. And with ransomware incidents growing significantly year over year, changes in cyber insurance coverage and costs, and expanding digitalization that introduces new risks for companies, things are only going to get more challenging.
Yet despite growing concerns and the criticality of the issue, the dialogue between companies and investors still feels closed. When asked by Forrester Consulting about communicating cybersecurity metrics to stakeholders, security decision-makers ranked investors last on a list of audiences who receive accurate measurements of their companies’ security performance. Many investors feel that they are not getting critical information they need from companies to make informed decisions. Inconsistency in the frequency and substance of companies’ disclosures related to cyber risk, investment, policy, readiness, and incidents are contributing to significant uncertainty and concern within the investment community that their investments are at risk.
The US Securities and Exchange Commission (SEC) is currently considering new rules on cyber-risk management, strategy, governance, and incident reporting by public companies. The proposed rules would require greater disclosure from companies to their investors in areas including board oversight, board expertise, corporate risk management practices, and details on material incidents. While cybersecurity disclosure guidance has existed for years, these regulations present a significant new focus by the SEC. Companies everywhere are reexamining their cybersecurity programs and disclosure policies to prepare for these changes.
Companies should take advantage of this critical opportunity to increase investor confidence on cybersecurity. The answer lies in more communication about performance. It is first important for companies to understand what investors are looking for when it comes to cyber-risk reporting. Our experience is that investors value quantitative, objective metrics and measurements regarding cybersecurity performance and outcomes. Security performance metrics help investors assess the effectiveness of the policies, controls, governance, and procedures that a company is implementing, providing investors greater visibility into how well the cyber-risk program is being executed. Security performance measurements also provide investors with further validation of management’s intentions. Companies that share this information provide greater confidence to their investors and the broader marketplace that they are building resilient organizations.
There are numerous examples of companies today disclosing relevant, detailed information on cybersecurity program performance for specific incidents as well as general risks, and directly benefiting from this transparency in the marketplace, including the following:
In 2019, Norsk Hydro was the victim of a ransomware attack that impacted operations. The company’s response to the incident, which included a press conference featuring corporate executives; frequent, data-rich updates on the corporate blog; an engaged and knowledgeable leadership team; and sound financial estimates in quarterly filings—was widely praised by the market for providing timely, relevant information. Notably, Norsk Hydro shared information about its cybersecurity program (including information about network segmentation, back-up systems, and operational status), insurance coverage, and the estimated total financial impact of the cyberattack in quarterly filings following the incident.
Following its severe cyber breach in 2017, Equifax made significant investments in its cybersecurity program and began reporting on its changes. Beginning in 2020 and again in 2021, Equifax published the Equifax Security Annual Report, a public document that includes key security metrics and performance indicators that describe the state of the Equifax cybersecurity program. Beyond describing the initiatives undertaken by the organization, the Equifax Security Annual Report details metrics and key results in critical areas such as cloud security and supply chain assessments, security maturity benchmarking, and security performance benchmarking. These types of quantitative security indicators provide valuable validation for stakeholders that the Equifax security program is performing effectively, without creating new vulnerability to the company.
In a time when investors are asking for more information, companies should strive to be more transparent about their cybersecurity program performance and results. Disclosure of risk-based performance metrics will provide investors access to appropriate and expanded information to make more informed decisions and create greater trust between companies and their investors.
Jake Olcott is vice president of communications and government affairs at BitSight. Jake has held a number of leadership roles at BitSight since joining the company in 2015. Prior to BitSight, Jake served as cybersecurity attorney to the Senate Commerce Committee and House Homeland Security Committee. He previously consulted with Fortune 1000 executives on cyber risk management and served as an adjunct professor at Georgetown University.