Yahoo!, Equifax and Sony have all been affected by an increasingly common event: large data breaches that harmed their reputation and caused them to lose the trust of their customers.
As external attacks like these happen more frequently, investors need to understand the data security practices of the companies they invest in. They need to be confident that companies are mitigating related risks and are prepared to respond to a breach quickly and effectively.
Going Above and Beyond
The Sustainability Accounting Standards Board (SASB) defines “data security” as “technologies, processes, and practices that companies employ to protect networks, computers, programs, digital products, and data from external attacks, damage, or unauthorized access.” Thus, “data security” and “cyber security” can be used interchangeably in this context.
According to the 2017 PwC US Protect.me survey, 92% of consumers agree that companies must be proactive about data protection and 60% say the responsibility of protecting data rests with companies — not governments. Furthermore, they expect companies to go beyond legal requirements. In light of these concerns, PwC suggests companies put cyber security and privacy at the forefront of their business strategy to retain customers’ trust.
Cause and Effect
A Ponemon Institute and IBM Security study of 419 companies in 13 countries found that data breaches are mainly caused by malicious or criminal attacks (47%), a human error (28%), or a system glitch (25%). Astoundingly, they found that the total cost of a data breach averages $3.62 million.
In 2017, the Canadian Securities Administrators (CSA) reviewed 240 S&P/TSX Composite Index companies’ annual filings. They noted that the following potential impacts of a cyber security incident were frequently identified by a variety of issuers across different industries:
- Compromised confidential customer or employee information;
- Unauthorized access to proprietary or sensitive information;
- Destruction or corruption of data;
- Lost revenues due to a disruption of activities, incurring of remediation costs;
- Litigation, fines and liability for failure to comply with privacy and information security laws;
- Regulatory investigations and heightened regulatory scrutiny;
- Higher insurance premiums;
- Reputational harm affecting customer and investor confidence;
- Diminished competitive advantage and negative impacts on future opportunities;
- Effectiveness of internal control over financial reporting.
Business Case for Cyber Risk Disclosure
Investors looking to assess if a company is protected against data breaches would typically look to company disclosure regarding cyber risks, potential impacts, as well as governance and risk mitigation. However, companies do not disclose this information consistently and completely. In the same review, the CSA found that only 61% of the companies addressed cyber security issues in some capacity in their disclosure of risk factors.
These findings can be extrapolated to companies outside of Canada. The PRI recently published a report which summarized a review of 100 companies’ public disclosure on cyber governance and risk management. The research sample included companies in a variety of sectors from Europe, the US, Australia and Asia. The report states that “While companies generally perceived cyber security as a key organizational risk, very few communicated that they have policies, governance structures and processes that were effective at tackling cyber threats.” The report is an excellent tool for investors looking to engage with companies regarding cyber risk. For each key question the research covered, investor relevance is explained and good practices for companies are outlined.
Cyber security incidents have the potential to materially impact a company. Investors need to engage with companies to request more comprehensive disclosure regarding cyber risk governance and risk management practices. Hopefully in the future companies will improve corporate disclosure regarding data security. In the meantime, investors can use the PRI report as a guide in their stewardship efforts.
- The Sustainability Accounting Standards Board. “The State of Disclosure 2017” (2017).
- PwC. “Consumer Intelligence Series: Protect.me” (2017).
- IBM Security and Ponemon Institute. “2017 Cost of Data Breach Study” (2017).
- Canadian Securities Administrators. “CSA Multilateral Staff Notice 51-347 Disclosure of cyber security risks and incidents” (2017).
- Principles for Responsible Investing. “Stepping Up Governance on Cyber Security: What is Corporate Disclosure Telling Investors?” (2018).